JP6464849B2 - Moving path data anonymization apparatus and method - Google Patents

Description

  The present invention relates to a technique for anonymizing travel route data.

  Various services can be provided by transmitting data from a large number of vehicles to a server and processing the data in the server. For example, Patent Document 1 discloses that an evacuation route map that can be traveled at that time is created by collecting a travel history of a vehicle at the time of a disaster. As described above, the moving route data of the vehicle is effective data and can be used for various services.

  However, since it is possible to identify an individual from the travel route data, the travel route data falls under the personal information stipulated by the Personal Protection Law, and as it is, it cannot be provided to a third party without the consent of the information provider. Can not. Therefore, it is desired to anonymize the travel route data so that an individual cannot be specified.

  In Patent Document 2, each position included in the trajectory data in the user's movement history is converted into an existence probability, and the personal identification is prevented by erasing the data if a predetermined time has elapsed. However, since the locus is blurred in the abstracted area, there is a problem that it becomes difficult to apply to a service such as route guidance.

  Patent Literature 3 sets areas where user position information may be acquired and personal area areas that should not be acquired. When acquiring user movement route information, the movement history of the personal area area is deleted. The user's privacy is considered by prohibiting the use. However, even if the movement route of the personal area area is deleted, there is a problem that an individual can be specified from the route if the other route is unique compared to other users.

  Patent document 4 discloses protecting a user's privacy using the technique of k-anonymization. However, if the accuracy of the position information is lowered in order to ensure k-anonymity, the movement route will be blurred. Further, if k-anonymity is to be secured without reducing the accuracy of the position information, only the route through which many users pass can be used.

  Patent Document 5 considers user privacy by collecting information that can identify an individual and information that cannot identify an individual in different sessions when collecting vehicle information. However, since the travel route itself is information that can identify an individual, this method cannot make the travel route anonymous.

JP 2011-95850 A JP 2013-222305 A JP 2010-34784 A JP 2012-128859 A JP 2014-102680 A

  In view of the above problems, an object of the present invention is to provide a technique capable of anonymizing travel route data in a format that can be effectively used while avoiding individual identification.

  In order to achieve the above object, a movement path data anonymization device according to the present invention comprises the following arrangement. That is, the movement route data anonymization device according to the present invention includes route data acquisition means for acquiring movement route data including a movement route and a time zone during which the movement has been performed, and the plurality of movement route data. Same as route anonymization means that classifies so that the number of movement route data in the same class is equal to or more than the first threshold based on the similarity, and unifies the movement route of the movement route data in the same class to the representative movement route Time anonymization means for abstracting a time zone in which movement in the movement route data is performed so that movement performed in the same time zone for the movement route data in the class is equal to or greater than a second threshold; and route anonymization means And output means for outputting movement route data after processing by the time anonymization means.

  According to such a configuration, the movement route and the movement time (time zone) are abstracted, and the number of users who took the movement route in a certain time zone in the movement route data included in the output result is equal to or greater than the threshold value. It is difficult to specify an individual from the output travel route. Further, since the output travel route data is not data with a blurred location range, it can be effectively used for various services.

  The travel route data can be represented, for example, as a set of passed links or as a set of passed nodes. The time zone in which the movement is performed can be expressed as a time when the user enters or leaves the link or node.

The classification of route data by the route anonymization means is not particularly limited as long as it is processing based on the similarity of moving routes. The similarity of travel paths can be measured, for example, using a scale such as a Levenshtein distance or a Jaccard distance. In this specification, a case where they are similar is expressed as a high degree of similarity, and a case where they are not similar is expressed as a low degree of similarity. You can assign it. For example, when the distance is adopted as the similarity, the similarity is higher as the value is smaller.

  In the present invention, the route anonymization means can perform a clustering process on the travel route data, and delete the travel route data in the cluster whose number of data in the cluster is smaller than the first threshold. In this way, the number of travel route data in the same class (cluster) can be set to the first threshold value or more, and it becomes difficult to specify an individual from the travel route data.

  In the present invention, the route anonymization means sequentially performs the clustering process on the travel route data, and calculates the similarity between the travel route data to be processed and the representative travel route data of the processed cluster. If any of the similarities is equal to or greater than the predetermined value, it is determined that the travel route data to be processed belongs to a cluster of representative travel route data having the highest similarity, and any of the similarities is the predetermined value. If it is lower than the value, it can be determined that the movement path data to be processed is representative movement path data of a new cluster. According to such a configuration, clustering is possible with relatively few operations.

When clustering is performed by the above method, the route anonymization means sets, for each cluster, the travel route data having the highest similarity to the other travel route data in the cluster as the representative travel route data. In addition, it is also preferable. Note that the degree of similarity with other travel route data in the cluster can be evaluated by the sum of squares of distances to other data in the same cluster, the sum of absolute values, or the like. When the movement route data is sequentially processed and clustered as described above, the movement route data input later may be more suitable as the representative movement route. By resetting the representative movement route data, a more appropriate route can be set as the representative movement route.

  Further, the route anonymization means can perform a hierarchical clustering process on the travel route data. The hierarchical clustering may be anything concretely, and any of a branching type and an aggregation type can be adopted. Further, as the distance between the clusters, standards such as the shortest distance, the longest distance, the group average distance, and the ward distance can be adopted. In the case of employing hierarchical clustering processing, the path anonymization means determines classification so that the intra-cluster similarity is equal to or greater than a predetermined value and the number of data in the class is equal to or greater than the first threshold. It is also preferable to delete travel route data that cannot be classified so that the intraclass similarity is equal to or greater than the predetermined value and the number of data in the class is equal to or greater than the first threshold. Even in this case, it is possible to make the number of data in the same class equal to or more than the first threshold while ensuring the similarity of the movement routes in the same class.

  Moreover, it is preferable that the said route anonymization means performs said classification and unification of a movement route for every movement route data with the same starting point and destination pair. The starting point and the destination may be represented as an area having a certain range as will be described later. In this case, the pair of the starting point area and the destination area is processed for each movement route data. It will be. As described above, in the process of classifying and unifying moving routes, it is easier to process and the results obtained can be more effectively used when the pair of the starting point and the destination match. .

  In addition, the time anonymization means in the present invention, for movement route data in the same class, if the movement made in the same time zone is less than the second threshold, the movement route data in the time zone is Can be deleted. Alternatively, the time anonymization means can perform a process of widening the time zone if movement made in the same time zone is less than the second threshold for the travel route data in the same class. If it does in this way, it can be guaranteed that the number of movements performed in a certain time zone will become more than the 2nd threshold, and it will become difficult to specify an individual from the time zone in which movement was performed.

  The present invention preferably further comprises point abstracting means for replacing the starting point and destination in the travel route data with the abstracted area. Since identification of an individual becomes easy depending on the starting point and the destination, identification of the individual can be made difficult by replacing these points with areas having a certain range. Note that it is not always necessary to abstract all starting points and destinations, and it is determined whether the starting point and the destination correspond to a personal area that is a point for identifying an individual, and the starting point corresponding to the personal area is determined. And the destination may be replaced with an abstracted area. Whether or not it corresponds to a personal area may be explicitly instructed by the provider of the movement route data, or may be determined by statistical processing from the movement history of the same user.

  The departure point and destination abstraction processing may be performed before or after the route and time abstraction processing. That is, the route anonymization means and the time anonymization means may perform processing on the movement route data after the processing by the point abstraction means, or the point abstraction means includes the route anonymization means. And you may process for the movement route data after the processing by the time anonymization means.

In the present invention, the movement route data anonymization device may obtain the movement route data in any way. For example, input of movement route data itself may be accepted. Alternatively, the movement route data anonymization device further includes movement history acquisition means for acquiring a plurality of movement history data including a plurality of position information and time information, and the movement route acquisition means obtains the movement route data from the movement history data. It can also be generated.

  In addition, this invention can be grasped | ascertained as a movement path | route data anonymization apparatus provided with at least one part of the said means. Moreover, this invention can also be grasped | ascertained as the movement path | route data anonymization method which performs at least one part of the process which the said means performs. The present invention can also be understood as a computer program for causing a computer to execute this method, or a computer-readable storage medium in which this computer program is stored non-temporarily. Each of the above means and processes can be combined with each other as much as possible to constitute the present invention.

  According to the present invention, travel route data can be anonymized in a format that can be effectively used while avoiding individual identification.

It is (a) composition of a movement course data collection system concerning a 1st embodiment, (b) a functional block diagram of an in-vehicle terminal, and (c) a functional block diagram of course data processing device 20. It is a flowchart showing the acquisition / transmission process of the movement history data performed by the vehicle-mounted terminal in the first embodiment. It is a flowchart which shows the whole flow of the movement path | route anonymization process performed by the path | route data processing apparatus in 1st Embodiment. It is a figure which shows the data format example of the movement path | route data in 1st Embodiment. It is a flowchart which shows the detail of the origin / destination anonymization process in the movement path | route anonymization process of 1st Embodiment. It is a figure explaining the origin / destination anonymization process in 1st Embodiment. It is a flowchart which shows the detail of the path | route anonymization process in the movement path | route anonymization process of 1st Embodiment. It is a figure explaining the path | route anonymization process in 1st Embodiment. It is a flowchart which shows the detail of the time anonymization process in the movement path | route anonymization process of 1st Embodiment. It is a flowchart which shows the modification of the time anonymization process in the movement path | route anonymization process of 1st Embodiment. It is a figure explaining the time anonymization process in 1st Embodiment. It is a flowchart which shows the detail of the path | route anonymization process in 2nd Embodiment. It is a figure explaining the path | route anonymization process in 2nd Embodiment. It is a flowchart which shows the whole flow of the movement path | route anonymization process in 3rd Embodiment.

(First embodiment)
<System configuration>
FIG. 1A is a diagram illustrating a configuration of a movement route data collection system according to the present embodiment. The movement route data collection system includes an in-vehicle terminal 10 mounted on the vehicle 1 and a route data processing device 20 connected to the in-vehicle terminal 10 via a network 30. Although only one vehicle is shown in the figure, the movement route data collection system actually includes a plurality of vehicles. The in-vehicle terminal 10 periodically acquires a time signal and position information and transmits them to the route data processing device 20. The route data processing device 20 generates travel route data from position history information collected from the in-vehicle terminal 10 and performs anonymization processing on the travel route data so that an individual cannot be identified from the travel route data.

  The in-vehicle terminal 10 includes an arithmetic device such as a CPU and an MPU, a storage device such as a main storage device and an auxiliary storage device, an input / output device, a communication interface, and the like. The in-vehicle terminal 10 realizes each function illustrated in FIG. 1B by executing a program stored in the storage device by the arithmetic device. That is, the in-vehicle terminal 10 functions as the position information acquisition unit 11, the time information acquisition unit 12, and the history information transmission unit 13. Note that some or all of these functional units may be realized by dedicated hardware circuits.

The position information acquisition unit 11 acquires information on the current position from a position information acquisition device mounted on the vehicle 1. The position information acquisition device is typically a global navigation satellite system (GNSS).
A device that calculates position information based on a satellite signal of a navigation satellite system (GPS), such as GPS (Global Positioning System), Galileo, GLONASS, Hokuto, and the like. However, acquisition of position information may be performed by base station positioning based on radio waves from the radio base station.

  The time information acquisition unit 12 acquires current time information. Since the position information acquisition device can acquire time information, the position information acquisition device and the time information acquisition device may be the same device. Further, the time information acquisition unit 12 may acquire time information from an internal clock mounted on the vehicle 1.

  The history information transmission unit 13 is a functional unit that transmits the position information acquired by the position information acquisition unit 11 and the time information acquired by the time information acquisition unit 12 to the route data processing device 20. The history information transmitting unit 13 may transmit the position information and time information to the route data processing device 20 every time it acquires the position information and time information, or after temporarily storing the position information and time information, the route data processing device 20 May be sent to. The history information transmission unit 13 generates transmission data including position information and time information, and transmits the transmission data to the route data processing device 20 via the network 3 by wireless communication.

  The path data processing device 20 is a computer having an arithmetic device such as a CPU and MPU, a storage device such as a main storage device and a holding storage device, an input / output device, a communication interface, and the like. The route data processing device 20 is not necessarily configured by a single computer, and may be configured by a plurality of computers that can communicate via a network. The route data processing device 20 implements each function shown in FIG. 1C by the arithmetic device executing a program. That is, the route data processing device 20 includes a history information receiving unit 21, an ID converting unit 22, a moving route data generating unit 23, a route anonymizing unit 24, a time anonymizing unit 25, a departure / destination anonymizing unit 26, and a movement. It functions as the route data output unit 27. The route data processing device 20 corresponds to the moving route data anonymization device in the present invention. The processing performed by each of these functional units will be described in detail below along with the flowcharts. Note that some or all of these functions may be realized by a dedicated hardware circuit.

<Processing>
Hereinafter, processing performed in the route data collection system in the present embodiment will be described in detail.

[1. Movement history data transmission processing]
First, the movement history data transmission process performed by the in-vehicle terminal 10 will be described with reference to FIG. When the engine of the vehicle 1 is started (S201), the history information transmission unit 13 sends the position information acquired by the position information acquisition unit 11 and the time information acquired by the time information acquisition unit 12 to the route data processing device 20. Transmit (S202). At this time, it is preferable to transmit these pieces of information with a flag (starting place flag) indicating that the current position is the starting place of the trip.

  An example of the data format of the movement history data transmitted by the history information transmitting unit 13 is shown in FIG. As shown in FIG. 2B, the movement history data includes a vehicle ID 201, position information 202, position information attributes 203, and time information 204. The vehicle ID 201 is an ID that identifies the vehicle. In addition, you may employ | adopt ID which identifies a driver | operator instead of vehicle ID. The position information 202 is position information acquired by the position information acquisition unit 11. The position information 202 may be expressed by latitude / longitude, or may be expressed in a format such as area ID. The position information attribute 203 is information indicating the attribute of the position information 202. Examples of attributes include information that the position represented by the position information 202 is a departure point, a destination, or a personal area. The time information 204 is position information acquired by the time information acquisition unit 12.

  After the engine is started, the in-vehicle terminal 10 periodically transmits movement history data. That is, it is determined whether the acquisition timing of position information and time information has arrived (S203). If the acquisition timing has arrived (S203—YES), the position information and time information are acquired and transmitted to the route data processing apparatus 20. (S204). The data acquisition timing may be a timing at which a predetermined time has elapsed from the previous acquisition timing, or may be a timing at which a predetermined distance has been moved from the previous acquisition timing. The transmission of the movement history data is continued while the engine is started (S205—NO).

  When the engine of the vehicle 1 stops (S205—YES), the history information transmission unit 13 sends the position information acquired by the position information acquisition unit 11 and the time information acquired by the time information acquisition unit 12 to the route data processing device 20. Transmit (S206). At this time, it is preferable to transmit these pieces of information with a flag (destination flag) indicating that the current position is the destination of the trip.

  In this description, every time the in-vehicle terminal 10 acquires position information and time information, it transmits to the route data processing device 20, but these information is accumulated and transmitted to the route data processing device 20 together. Also good. Alternatively, the accumulated movement history data may be processed and transmitted to the route data processing device 20. For example, the movement history data may be converted into movement route data representing a movement route and then transmitted to the route data processing device 20.

  In the description here, the starting position of the engine is the starting place of the trip, and the stopping position is the position where the engine is stopped. This is an example of processing. If the engine is restarted immediately after the engine is stopped, it may not be determined that the destination is the destination. Even if the engine does not stop, when the vehicle is stopped for a long time or after returning to the departure place, the point may be set as the destination.

[2. Travel route anonymization process]
Next, the overall flow of the movement route anonymization process performed by the route data processing apparatus 20 will be described with reference to FIG. The history information receiving unit 21 of the route data processing device 20 receives the movement history data transmitted from the in-vehicle terminal 10 and temporarily accumulates it. When a series of movement history data from the departure point to the destination is acquired, the movement route data generation unit 23 generates movement route data from the movement history data (S301). FIG. 4 is a diagram illustrating an example of a data format of movement route data. The travel route data includes a vehicle ID, a departure place, a departure time, a passed link and a link entry time, a destination, and an arrival time. In addition, although the example which represents a movement route as a set of links is given here, a movement route may be represented as a set of nodes (intersections) or may be represented as a set of links and nodes.

  In step S302, the ID conversion unit 22 converts the vehicle ID in the travel route data into a virtual ID. The ID conversion unit 22 converts the ID so that the vehicle ID before conversion cannot be determined from the converted virtual ID (difficult to determine) while maintaining the uniqueness of the vehicle ID. Specifically, the ID conversion unit 22 uses a hash function using a random number or the like as a seed, a common key encryption using a specific password, a unique ID (UUID) that can be generated by a standard function of a database, or the like as a virtual ID. .

  In step S303, the departure point / destination anonymization unit 26 performs processing for anonymizing the departure point and the destination in the travel route data. Details of the departure point / destination anonymization process in step S303 are shown in FIG. The processing shown in FIG. 5 is executed for the starting point and destination of each moving route data. Hereinafter, a case where the starting point is a processing target will be described as an example. The departure place / destination anonymization unit 26 determines whether or not the departure place is a personal area (S501). The personal area is a place where there is a high possibility of identifying an individual, and includes, for example, a home, a workplace, a school, and the like. Whether or not the departure place is a personal area can be determined, for example, by whether or not a flag (attribute) indicating that the departure place is a personal area is attached to the movement history data transmitted from the in-vehicle terminal 10. Alternatively, when it is understood from the past movement history data stored for the vehicle ID that a lot of movements are performed with the same place as the starting point or destination, the place is a personal area. Can be judged. If the departure place is a personal area, the process proceeds to step S502; otherwise, the process ends. Note that the departure point / destination anonymization unit 26 may perform the processing from step S502 on all route data, assuming that all departure points and destinations are personal areas.

  In step S502, the departure place / destination anonymization unit 26 expands the position (range) indicated by the departure place to an area (region) having a predetermined radius with the departure place as the center. In step S503, it is determined whether or not the number of travel route data starting from the expanded area is greater than or equal to the threshold value k1. When this condition is satisfied (S503-YES), the abstraction process for the departure place ends here. At that time, all the departure points included in this area are changed to represent this area. When this condition is not satisfied (S503-NO), it is determined whether or not the area range is the expansion upper limit (S504). Although the upper limit of an area radius should just be determined suitably according to the intended purpose of the data after anonymization, it can be set to 1 km, 2 km, 5 km, etc., for example. If the area range has not reached the upper limit of expansion (S504-NO), the process returns to step S502 to increase the area radius. The area radius may be increased by a predetermined method.

  If the number of travel route data starting from the area does not reach the threshold value k1 even when the area is expanded to the upper limit (S503-NO and S504-YES), the travel route data to be processed is deleted (S505). ).

A processing example of the departure point / destination anonymization process will be described with reference to FIGS. FIG. 6A is a diagram illustrating a departure place included in the travel route data. Here, eight starting points are included, but the following description will be given focusing on three starting points N1 to N3. By the first area expansion, as shown in FIG. 6B, areas A1 to A3 having a predetermined radius centering on the departure points N1 to N3 are set. Here, it is assumed that the threshold value k1 is “3”. Since area A1 includes four departure points, the condition for anonymization is satisfied. The position information of the four departure points included in the area A1 is unified into information representing the area A1. Areas A2 and A3 are further expanded to areas B2 and B3 as shown in FIG. 6C because the number of departure points included in the areas is smaller than the threshold value k1. Since the number of departure points included in area B2 is three and is equal to or greater than threshold value k1, the condition for anonymization is satisfied. Therefore, the position information of the three departure points included in area B2 is unified to information representing area B2. Since the number of departure points included in the area B3 is less than the threshold value k1, the area B3 is further expanded to the area C3 as shown in FIG. It is assumed that the size (radius) of the area C3 is the upper limit of area expansion. Even if the size of the area is expanded to the expansion upper limit, the number of departure points included in the area does not exceed the threshold value k1, so the travel route data including the departure point N3 is discarded.

  In the above description, the departure place is described as an example, but the same processing is performed for the destination. When the above processing is performed for the departure point and destination of all travel route data, the departure point / destination anonymization process ends.

  Next, in step S304, the route anonymization unit 24 performs route anonymization processing. The route anonymization process performs clustering (classification) of travel route data, and discards the data in the cluster if the number of data in the same cluster is less than the threshold (k2), and the number of data in the same cluster exceeds the threshold If so, the process is to unify the data in this cluster into one representative route. As a result, the number of data having the same route becomes equal to or greater than the threshold value, and it becomes difficult to identify an individual from the route. The route anonymization unit 24 performs route anonymization processing for each travel route data having the same starting point and destination pair. FIG. 7 is a flowchart showing details of route anonymization processing for a travel route data group having one departure / destination pair. Hereinafter, the route anonymization process S304 will be described with reference to FIG.

  The route anonymization unit 24 executes the process of the loop L1 sequentially (in order) for each of the stored movement route data. First, the similarity between the movement route data to be processed and the movement route determined to be representative data of the cluster by the processing so far is calculated (S701). In the following description, the similarity is expressed as the similarity is higher. However, in the implementation, the numerical value of the similarity may be expressed as a smaller value as the similarity is higher. The similarity of the movement route data may be calculated according to an arbitrary criterion, but when the movement route data is expressed as a set of links, the Levenshtein distance can be used. The Levenshtein distance is a distance measure that is determined based on the number of replacements, insertions, and deletions of elements (links) necessary to match one travel route data with another travel route data. In addition to this, the similarity of the movement route data can be calculated using the Jacquard distance or the like.

  The route anonymization unit 24 determines whether there is representative data whose similarity calculated in step S701 is equal to or greater than the threshold value R (S702). If such representative data exists (S702-YES), it is determined that the movement path data to be processed belongs to the most similar cluster of representative data (S703). On the other hand, if there is no representative data whose similarity is equal to or higher than the threshold value R (S702-NO), it is determined that the movement path data to be processed does not belong to any existing cluster, and this movement path data is A new cluster as representative data is generated (S704).

  The above processing will be described by way of example with reference to FIG. FIG. 8A is a diagram schematically showing data processed at a certain processing point. Data N1 and N2 indicated by black circles are representative data of clusters, and white circles connected to the representative data are shown. Is the data in the cluster. Here, when new data is processed as shown in FIG. 8B and the similarity with the most similar existing representative data (here, data N2) is equal to or greater than the threshold value R, the new data is processed. It is determined that the movement route data belongs to the same cluster as the representative data N2. On the other hand, as shown in FIG. 8C, if the new data is lower in the similarity with any of the representative data N1 and N2 than the threshold value R, a new cluster having the new data as representative data is generated. Is done.

Here, the travel route data once determined to be the representative data of the cluster is always the representative data, but a process of changing the representative data as the data increases may be performed. For example, representative data change processing can be performed after steps S703 and S704. In this process, (1) re-clustering of each travel route data based on the similarity to the representative data and (2) redetermination of the representative data in each cluster are performed until the representative data does not change. In the representative data determination process of (2) above, the movement route data having the highest similarity with other data in the same cluster can be used as the representative data. Similarity with other data in the same cluster can be evaluated by a sum of squares of distances to other data or an absolute value sum. By adding such processing, the amount of processing increases, but more appropriate clustering becomes possible.

  When the clustering of the movement route data is finished, the route anonymization unit 24 executes the process of the loop L2 for each cluster. The route anonymization unit 24 determines whether or not the number of data in the cluster is equal to or greater than the threshold value k2 (S705). If the number of data in the cluster is equal to or greater than the threshold value k2, the route data in this cluster is replaced with the route of the representative data ( S706). The representative data may be determined by the processing of the loop L1, and data having the highest degree of similarity with other data in the cluster may be selected again as representative data at this stage. . On the other hand, if the number of data in the cluster is less than the threshold value k2 (S705-NO), the route anonymization unit 24 discards the movement route data in this cluster (S707).

  The route anonymization unit 24 executes the above-described processing for the movement route data of all departure / destination pairs.

  When the route anonymization process S304 ends, in step S305, the time anonymization unit 25 performs anonymization processing of time information. The time information anonymization process is performed for each cluster in the above path anonymization process, and is a process of abstracting the time information so that the number of data of movement performed in the same time zone is equal to or greater than a threshold value. FIG. 9 is a flowchart showing details of the time information anonymization process S305. Hereinafter, the time information anonymization process S305 will be described with reference to FIG.

  The time anonymization unit 25 executes the process of the loop L3 for each class of the movement route data. First, from the departure time of the departure point and the arrival time at the destination in the movement route data, the time when the movement represented by the movement route data is performed is expressed in a time zone (S901). For example, consider a case where there are three travel route data 1101 to 1103 as shown in FIG. Here, assuming that the departure time and the arrival time are expressed in a time zone of one hour unit, the movement route data 1101 and 1102 are travels performed at 7 o'clock (departing at 7 o'clock and arriving at 7 o'clock). It is expressed as On the other hand, the movement route data 1103 is expressed as a movement performed between 7 o'clock and 8 o'clock (departing at 7 o'clock and arriving at 8 o'clock).

  Next, the time anonymization unit 25 executes the process of the loop L4 for each movement route data having the same time zone. The time anonymization unit 25 determines whether or not the number of travel route data having the same time zone is equal to or greater than the threshold value k3 (S902). If the number of data is greater than or equal to the threshold value k3 (S902-YES), the departure time and time information of the travel route data are replaced with the above time zone (S903). On the other hand, if the number of data is less than the threshold value k3 (S902-NO), these movement route data are deleted. An example in which the threshold value k3 is “2” will be described with reference to FIG. Here, since the number of travel route data performed at 7 o'clock is “2” and is equal to or greater than the threshold value k3 (2), the departure time and arrival time of these travel route data are replaced with the above time zones. To do. On the other hand, since the number of movement route data performed between 7 o'clock and 8 o'clock is “1”, which is smaller than the threshold value k3 (2), this movement route data is deleted.

When the number of travel route data included in the same time zone is smaller than the threshold k3, the data is not simply deleted, but the time zone width is increased to increase the number of data included in the same time zone. It is also preferable to carry out the treatment. In this modification, the process of step S904 in FIG. 9 is changed to the process shown in the flowchart of FIG. The time anonymization unit 25 determines whether or not the time zone is the maximum time width (S1001). When the time zone is narrower than the maximum time width (S1001-NO), that is, when the time width can be expanded, the time width in the movement route data is expanded (S1002). Then, it is determined whether or not the number of travel route data within the expanded time width is equal to or greater than a threshold value k3 (S1003). On the other hand, if the number of data is less than the threshold value k3 even after the expansion of the time zone, the process returns to step S1001 to attempt to re-expand the time width.

  An example in which the threshold value k3 is “3” and the maximum time width is 3 hours will be described with reference to FIG. Here, the numbers of movement route data performed at 7 o'clock and 7 o'clock to 8 o'clock are “2” and “1”, respectively, which are smaller than the threshold value k3. Since each time width is 1 hour and 2 hours, the time width can be expanded. Here, by expanding the movement route data at 7 o'clock to 7 o'clock to 8 o'clock, the number of movement route data performed from 7 o'clock to 8 o'clock can be made the threshold value k3 or more.

  In the example shown in FIG. 11C, when the threshold value k3 is “2”, the data 1133 may be deleted, and only the data 1121 and 1122 may be output as movement at 7 o'clock. 1122 may be output as a movement from 7 o'clock to 8 o'clock. As a selection criterion, the time width may be increased so as not to delete data as much as possible, or the minimum time width may be set in a range where the number of data is equal to or greater than the threshold value k3 so as to maintain the accuracy of the data. Alternatively, it may be determined whether to extend the time width based on the evaluation result by evaluating the number of deleted data in the case where the time width is not expanded and the degree of deterioration of time accuracy due to the time width expansion. .

  When the time information anonymization process S305 is completed, in step S306, the movement route data output unit 27 outputs the movement route data after the above anonymization processing. The travel route data to be output includes a departure point, a destination, a travel route (link string), a departure time, and an arrival time. Here, the departure place and the destination are information indicating the area expanded by the departure place / destination anonymization process S303. The travel route is a travel route unified by the route anonymization process S304. The departure time and arrival time represent the time zone expanded by the time anonymization process S305.

  The output destination of the anonymized movement route data is not particularly limited. For example, it may be transmitted to an external device via a network, stored in a database device, or used as an input for other processing. The anonymized travel route data can be used for various services including, for example, generation of a disaster-time traffic map indicating routes that can be traveled based on actual measurement data in the event of a disaster.

<Operation and effect of this embodiment>
With the above processing, the movement data performed in the same time zone between the same starting point / destination pair becomes the threshold value k3 or more. Therefore, it is difficult to anonymize individuals from the output travel route data. Since the travel route is a representative route of a plurality of similar travel routes, it can be output as route data instead of ambiguous information such as the existence probability, and the decrease in data accuracy due to anonymization can be minimized. . In addition, since the route can be output while leaving only the common part of the plurality of routes, the information of the departure place and the destination is left, anonymized data can be used more effectively.

(Second Embodiment)
A travel route data collection system according to the second embodiment will be described. The configuration of this embodiment is basically the same as that of the first embodiment, and the processing content of the route anonymization processing S304 in the route data processing device 20 is different. Since other configurations and processing contents are the same as those in the first embodiment, a description thereof will be omitted, and the route anonymization processing S304 in this embodiment will be described below with reference to FIG.

  In the present embodiment, the route anonymization unit 24 performs hierarchical clustering processing on the travel route data to cluster the travel route data (S1201). The specific algorithm of the hierarchical clustering process is not particularly limited, and may be a branching algorithm or an aggregation algorithm. Further, as the distance between the clusters, standards such as the shortest distance, the longest distance, the group average distance, and the ward distance can be adopted. The Levenshtein distance or the like can be used for the similarity between the movement route data as in the first embodiment. By the hierarchical clustering process, as shown in FIG. 13A, the movement route data is clustered so as to be expressed by a binary tree (a tree diagram).

  Next, the path anonymization unit 24 determines the number of clusters so that the similarity in the cluster is equal to or greater than the threshold value R, and the number of data in the cluster is equal to or greater than the threshold value k2. Specifically, the route anonymization unit 24 performs the processing of the loop L5 in order from the lower cluster. The route anonymization unit 24 first determines whether or not the number of data in the cluster is equal to or greater than the threshold value k2 (S1202). If the number of data is greater than or equal to the threshold value k2 (S1202-YES), the cluster is treated as one cluster, and the movement route data in the cluster is replaced with representative route data (S1203). As in the first embodiment, a method for determining a representative movement route in a cluster can select a route having the highest degree of similarity with other movement routes in the cluster.

  On the other hand, when the number of data in the cluster is smaller than the threshold value k2 (S1202-NO), the route anonymization unit 24 tries to unify the movement route data in the higher cluster. For this purpose, first, the intra-cluster similarity of all travel route data in the upper cluster is calculated (S1204). The intra-cluster similarity can be evaluated by, for example, the minimum value (maximum distance) and the average value (average distance) of the similarity of the movement route data in the cluster. If the intra-cluster similarity is equal to or greater than the threshold value R (S1205-YES), it can be determined that the accuracy of the route is maintained even if the movement route data included in the upper cluster is unified. Therefore, the route anonymization unit 24 again applies the processing from step S1202 to the upper cluster. On the other hand, if the intra-cluster similarity is lower than the threshold value R (S1205-NO), the movement paths in the cluster are not very similar, so the unification to the upper cluster is stopped, and the movement paths included in the cluster The data is discarded (S1206).

  An example of the result of hierarchical clustering shown in FIG. Here, the threshold value k2 is assumed to be “3”. First, focusing on the cluster X1 including data A and B, the number of data in the cluster X1 is “2”, which is less than the threshold value k2. Therefore, the route anonymization unit 24 tries to unify these data by the upper cluster. The upper cluster X2 of the cluster X1 includes data A, B, C, and D. Here, it is assumed that the intra-cluster similarity is greater than or equal to the threshold value R. Since the intra-cluster similarity of the cluster X2 is equal to or greater than the threshold value R and the number of data is equal to or greater than the threshold value k2, the route anonymization unit 24 replaces the data A, B, C, and D with the representative movement route X in the cluster X2. To do. Focusing on the cluster Y1 including the data E and F, the number of data in the cluster Y1 is “2”, which is less than the threshold value k2. Therefore, the path anonymization unit 24 tries to unify these data by the upper cluster. The upper cluster Y2 of the cluster Y1 includes data E, F, and G, but the intra-cluster similarity is assumed to be lower than the threshold value R. Then, the route anonymization unit 24 deletes the data E, F, and G. Finally, as shown in FIG. 13 (d), only the four movement route data unified in the cluster X2 are output.

  Also according to this embodiment, the same effect as that of the first embodiment can be obtained. By adopting hierarchical clustering, it is possible to classify moving routes by setting conditions for similarity and the number of data in the cluster.

(Third embodiment)
A travel route data collection system according to the third embodiment will be described. The configuration of this embodiment is basically the same as that of the first embodiment, and the order of processing in the movement route anonymization processing in the route data processing device 20 is different. A flowchart of the movement route anonymization process in this embodiment is shown in FIG. In the first embodiment, after the departure point / destination anonymization process S303 is performed, the movement route anonymization process S304 and the time anonymization process S305 are performed. In the present embodiment, the movement route anonymization process S304 is performed. The difference is that the departure point / destination anonymization process S303 is performed after the time anonymization process S305 is performed. Note that the content of each process shown in the flowchart of FIG. 14 is the same as that of the first embodiment, and thus detailed description thereof is omitted. Also according to this embodiment, the same effect as that of the first embodiment can be obtained.

1: Vehicle 10: In-vehicle terminal 20: Route data processing device 11: Location information acquisition unit 12: Time information acquisition unit 13: History information transmission unit 21: History information reception unit 22: ID conversion unit 23: Movement route data generation unit 24 : Route anonymization unit 25: time anonymization unit 26: departure point / destination anonymization unit 27: travel route data output unit

Claims (15)

Route data acquisition means for acquiring movement route data including a movement route and a time zone during which the movement is performed;
Said movement path data for multiple, classifies as movement path number of data within the same class is the first threshold value or more based on the similarity of the movement path, representative of the movement path of the moving path data in the same class A route anonymization means to unify the travel route;
For moving path data in the same class, as the number of mobile that Oite completed in the same time zone having a predetermined time width is smaller than the second threshold value, the time period during which movement is performed in the moving path data Abstracting time anonymization means,
An output means for outputting travel route data after processing by the route anonymization means and the time anonymization means;
A travel route data anonymization device comprising: The route anonymization means performs a clustering process on the travel route data, and deletes travel route data in a cluster whose number of data in the cluster is smaller than the first threshold.
The travel route data anonymization device according to claim 1. The route anonymization means sequentially performs a clustering process on movement route data,
Calculate the similarity between the travel route data to be processed and the representative travel route data of the processed cluster,
If any of the similarities is equal to or greater than a predetermined value, it is determined that the travel route data to be processed belongs to a cluster of representative travel route data having the highest similarity,
If any of the similarities is lower than the predetermined value, it is determined that the movement path data to be processed is representative movement path data of a new cluster.
The travel route data anonymization device according to claim 2. The route anonymization means resets the travel route data having the highest similarity to the other travel route data in the cluster for each cluster, as the representative travel route data.
The travel route data anonymization device according to claim 3. The route anonymization means performs a hierarchical clustering process on the travel route data,
The classification is determined so that the intraclass similarity is equal to or greater than a predetermined value and the number of data in the class is equal to or greater than the first threshold, and the intraclass similarity is equal to or greater than the predetermined value and within the class The travel route data that cannot be classified so that the number of data is equal to or greater than the first threshold is deleted.
The travel route data anonymization device according to claim 1. The route anonymization means performs the classification and movement route unification for each movement route data in which the pair of the starting point and the destination is the same.
The movement route data anonymization device according to any one of claims 1 to 5. The time anonymization means deletes the movement route data performed in the time zone if the movement performed in the same class is less than the second threshold for the movement route data in the same class,
The movement route data anonymization device according to any one of claims 1 to 6. The time anonymization means performs a process of expanding the time zone if the movement made in the same time zone is less than the second threshold for the movement route data in the same class,
The movement route data anonymization device according to any one of claims 1 to 6. It further comprises point abstraction means for replacing the starting point and destination in the travel route data with the abstracted area.
The movement path data anonymization device according to any one of claims 1 to 8. The point abstraction means determines whether the starting point and the destination correspond to a personal area that is a point for identifying an individual, and replaces the starting point and the destination corresponding to the personal area with an abstracted region.
The travel route data anonymization device according to claim 9. The route anonymization means and the time anonymization means perform processing on the movement route data after processing by the point abstraction means,
The movement route data anonymization device according to claim 9 or 10. The point abstraction means performs processing on the movement route data after processing by the route anonymization means and the time anonymization means,
The movement route data anonymization device according to claim 9 or 10. It further comprises movement history acquisition means for acquiring a plurality of movement history data including a plurality of position information and time information,
The route data acquisition means generates the travel route data from the travel history data.
The travel route data anonymization device according to any one of claims 1 to 12. A method of anonymizing travel route data performed by a computer,
A route data acquisition step for acquiring travel route data including a travel route and a time zone during which the travel was performed;
Said movement path data for multiple, classifies as movement path number of data within the same class is the first threshold value or more based on the similarity of the movement path, representative of the movement path of the moving path data in the same class A route anonymization step that unifies the travel route;
For moving path data in the same class, as the number of mobile that Oite completed in the same time zone having a predetermined time width is smaller than the second threshold value, the time period during which movement is performed in the moving path data An abstract time anonymization step;
An output step for outputting travel route data after processing by the route anonymization step and the time anonymization step;
A method for anonymizing travel route data, including:   The program for making a computer perform each step of the method of Claim 14.

Images