JP2004334433A - Anonymization method, user identifier management method, anonymization device, anonymization program and program storage medium, for online service - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To protect information on and protect privacy of a user who is provided with or provided by mediation with a service via a network. <P>SOLUTION: In an online service using a member terminal UT of a member U who is provided with the service, a client company server 100 of a company 1 for which the member U works, and a counseling office server 200 of a counseling office 2 which provides the member U with the service, all connected via a network, information on the member U is anonymized with an initial ID for anonymizing personal information in the company 1, a login ID for anonymizing personal information about counseling, and an ID managing office server 300 of an ID managing office 3. The identifiers can anonymize the user information to make it difficult to track the user's behavior when the service is provided online, so that the user information and privacy is strictly protected. The user terminal can be a general terminal. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

[0001]
TECHNICAL FIELD OF THE INVENTION
The present invention provides an anonymous online service using an identifier management technology that protects personal information and privacy of a user who receives a service by logging in to an information system that provides an online service to a user belonging to a certain organization. The present invention relates to a method, a management method of a user identifier, an anonymization device, an anonymization program, and a program storage medium.
[0002]
[Prior art]
A user who receives a service of an information system (a user who uses the service) is generally managed and identified by an identifier unique to the user. The services include telnet, FTP (File Transfer Protocol) connection and acquisition of Web pages, use of CGI (Common Gateway Interface), use of chat, transmission and reception of e-mail, and other services that users can use completely anonymously. ISP (Internet Service Provider) and services that register and use the user's personal information in advance, such as a service under a contract with the ISP (Internet Service Provider). Among the latter services, there is a service in which the use status of the service should be kept secret from the information system administrator from the viewpoint of respecting the user's personal information and privacy. That is, even if the user's personal information has been registered in the information system in advance (or even if it has been registered with the information system administrator / management entity), when using the service, the information system administrator There are services for which it is desired that services can be used anonymously.
[0003]
As an example of such services, a company (first organization) can partner with an external counseling company (second organization) to provide counseling and mental health care to their employees (users) online as part of benefits. (Patent Document 1 and Non-Patent Document 1) will be described. In this case, the company notifies the company employee of the identifier (hereinafter referred to as “ID”) and password obtained from the counseling company of the partner, and the employee logs in to the system of the counseling company using this ID and password and uses the service. In general, a service utilization form such as performing is performed.
[0004]
At this time, (1) an employee obtains an individual ID and password and logs in to the counseling company system, and (2) a plurality of employees obtains a common ID and password and logs in to the counseling system. There are cases. The services include consultation with employees about their career vision, examination of stress levels in the workplace, and counseling on mental health through dialogue with counselors by e-mail and chat.
[0005]
Since such counseling results are information that is deeply related to the personal information and privacy of employees, conventional systems for realizing online counseling limit the viewers of the counseling results, encrypt information about the counseling results, In some cases, such a measure is taken (Patent Document 2). Also, in terms of operation, a counseling company usually keeps information about which employee has performed what kind of counseling and what kind of counseling result has been kept confidential to a company (Non-Patent Document 2). At present, compliance with these confidentiality obligations is left to the voluntary code of ethics of the company and the counseling company, and employees who use the service must unilaterally trust that such code of ethics is observed. Have been forced.
[0006]
As described above, conventionally, in a service in which personal information is registered in advance and a user is managed by an ID (identifier), simple ID management that conceals the association between the service usage status and the user's personal information is concealed. No method has been proposed, and the only way to do this is to manage the system according to the voluntary regulation of the information system manager or the operating rules.
[0007]
[Patent Document 1]
JP-A-2002-32602 ([0006], [0036]-)
[Patent Document 2]
JP-A-2002-197196 ([0024], [0058], etc.)
[Non-patent document 1]
Kunihiro Ogiwara, "Web Management of Online Counseling", "Modern Esprit", May 2002, PP. 137 PP. 149
[Non-patent document 2]
"Is EAP a Mental Health Medicine?" Weekly Toyo Keizai 2002.7.27, PP. 38 · PP. 39
[0008]
[Problems to be solved by the invention]
However, the voluntary regulation of the information system administrator and the establishment of the operation rules alone are likely to violate the user's personal information and privacy as described above due to malice and mistakes. For example, in an existing service usage form in which employees log in to a counseling company system using individual IDs and passwords as exemplified in [Prior Art], a company and a counseling company collaborate, and which employee There is a high possibility that the information as to whether or not the result of the counseling is easily grasped by the company.
[0009]
Another issue to be solved is that if the user is completely anonymous when using the service, there will be no way to identify the user in an emergency, leading to social confusion such as suicide or crime. It may not be possible to prevent unintentional user behavior. For example, in an existing service usage form in which multiple employees log in to a counseling company's system with a common ID and password, for example, when an employee has an emergency such as suicide or crime in counseling, the employee is identified. Can not do it.
[0010]
The present invention has been made to solve such a problem, and an object of the present invention is to provide an information system administrator (for example, an operator) with an information system user (user) who provides an online service. An object of the present invention is to provide a method of anonymizing an online service, a method of managing a user identifier, and the like that can secure personal information and privacy of a user by making it difficult to associate a login situation with a service usage situation. It is another object of the present invention to provide a technology that can track and identify a user in an emergency in the anonymization method or the method of managing a user identifier in the online service.
[0011]
[Means for Solving the Problems]
(How to anonymize online services)
The invention according to claim 1, which has solved the above-mentioned problem, comprises a user terminal of a user who receives a service provided via a network, a first computer of a first organization to which the user belongs, and the user And a second computer of a second organization that provides or mediates the provision of the service to the user. The information of the user in the online service provided includes: (1) the first organization and the second organization A third computer of an independent third party; and (2) the first computer is associated with the information of the user in the first party and is required when logging in to the third computer. And (3) the second computer associates the first identifier with information of the user in the second group, and the second computer Anonymous method in online services anonymously by using a second identifier to be necessary for login.
Then, in the anonymization method, the third computer stores (1) a first identifier list in which the first identifiers are obtained, obtained from the first organization, and (2) Authenticating, based on the first identifier list, access specifying the first identifier from the user terminal of the user notified of the first identifier by the first organization; (3) the authentication Is successful, the second identifier is issued to notify the user.
As a result, the user can log in to the second computer from the user terminal using the second identifier notified in this way, and can receive the provision of the service or the mediation of the provision. I did it.
[0012]
Generally, an identifier has a role of anonymizing information and protecting personal information. In the present invention, however, a first identifier (initial ID) is used to transfer information of a user in a first organization to a third party (for example, a third party). The second identifier (login ID) has a role of anonymizing the second entity (login ID), and the second identifier (login ID) is used to transfer user information (user information related to the service) in the second entity to a third party (for example, the first Has the role of anonymizing it. The two identifiers are separated by a third party.
Therefore, (1) a third party (for example, a first organization) who knows the first identifier but does not know the second identifier, or (2) knows the second identifier However, a third party (for example, a second organization) who does not know the first identifier may obtain information anonymized by the first identifier (information of a user in the first organization). The information anonymized by the second identifier (information of the user in the second organization) cannot be linked. Taking the embodiment described below as an example, a company cannot know the information of employees in counseling, even if the company knows the information of employees in the company. On the other hand, the counseling company cannot know the information of the employees in the company, even if they know the information of the employees in the counseling. Further, according to this configuration, the first organization cannot know when the user belonging to the first organization accesses or logs in to the computer of the second organization. Thereby, protection of user information (personal information) and privacy is performed firmly.
[0013]
According to another aspect of the present invention, there is provided a user terminal of a user who receives a service, which is connected by a network, a first computer of a first organization to which the user belongs, A user of an online service that includes a second computer of a second organization that provides or mediates the provision of a service to a third party and a third computer of a third organization that anonymizes the user information (1) a first identifier which is associated with the information of the user in the first group by the first computer and is required when logging in to the third computer; ) When the second computer is associated with the information of the user in the second group and logs in to the second computer, Anonymous method in online services anonymously by using a second identifier to be essential.
Then, in this anonymization method, (1) inputting the first identifier notified from the first organization to the user terminal of the user notified of the first identifier, and inputting the first identifier to the third computer; Displaying a screen for logging in; and (2) displaying a screen for logging in to the second computer by inputting the second identifier notified from the third organization are performed in this order.
[0014]
Also in this configuration, the first identifier (initial ID) has a role of anonymizing user information in the first organization to a third party (for example, the second organization), and the second identifier (log-in). ID) has a role of anonymizing user information (user information related to the service) in the second group with respect to a third party (for example, the first group). The correspondence between the two identifiers is divided by a third organization (ID management company). The user operates the user terminal via a screen displayed on the user terminal (the operation of the user terminal is prompted).
[0015]
According to a third aspect of the present invention, there is provided an online service anonymization method according to the first or second aspect, wherein the third group is configured to store the first identifier and the second identifier. By storing the correspondence with the identifier of the user, the information of the user stored in association with the first identifier in the first organization and the second identifier in the second organization It is characterized in that it is possible to connect the information on the service of the user, which is attached and stored.
[0016]
By storing (storing) the correspondence between the first identifier and the second identifier in this manner, the user information is anonymized by the connectable anonymization. Therefore, when something happens, the information of the user in the first organization and the information of the user in the second organization can be associated with each other, and for example, suicide prevention of the user can be achieved.
By the way, if the third organization does not store the correspondence between the first identifier and the second identifier, the connection is not possible and the anonymization is performed, and the information and privacy of the user are more securely protected.
[0017]
According to a fourth aspect of the present invention, there is provided a method for anonymizing an online service according to any one of the first to third aspects, wherein the method comprises the steps of: logging in to the second computer; The user is notified of a password required when logging in to the second computer, or the setting of the password is enabled, and when the provision or intermediation of the provision of the service is notified or set, By specifying a password and the second identifier, the user is authenticated (logged in) by the second computer.
[0018]
According to a fifth aspect of the present invention, in the anonymization method for an online service according to any one of the first to fourth aspects, the first computer generates the first identifier. A first period for notifying the user is set.
According to a sixth aspect of the present invention, in the anonymization method for an online service according to any one of the first to fifth aspects, the third computer generates the second identifier. A second period for notifying the user is set.
[0019]
(Management method of user identifier in online service)
According to a seventh aspect of the present invention, there is provided a client company server, at least one user terminal, and a service providing server for providing or mediating a service to the client company server or the user terminal. A method for managing a user identifier in an online service for securing the privacy of the user in a network connecting the ID management company server that manages the identifier of the user who operates the user terminal.
In the method for managing a user identifier in the online service, (1) the client company server issues a first identifier as the user identifier to the user terminal during a set first period; After the end of the first period, means for transmitting the list of the first identifiers to the ID management server, and means for managing the first identifiers.
(2) The ID management agent server, after receiving the list of the first identifier, means for transmitting a log-in notice to the client company server; Means for authenticating the user with an identifier, means for issuing the second identifier to the user terminal, and means for transmitting the list of the second identifier to the service providing server after the end of the second period And means for managing the first identifier and the second identifier in association with each other.
(3) the service providing server, after receiving the list of the second identifier, transmitting a log-in notice to the client company server; a means for authenticating the user with the second identifier; A means for managing the second identifier; and a means for providing or mediating the provision of the service.
(4) Under this configuration, the user is caused to log in to the client company server through the user terminal during the first period and obtain the first identifier, and then, During the period, the user logs in to the ID management agent server to obtain the second identifier, and the user can log in to the service providing server and log in to the service providing server using the second identifier obtained in this manner. It is characterized in that it can be provided or provided.
[0020]
In this configuration, the user is caused to acquire the first identifier (the user's action is to acquire the first identifier). Next, the user is caused to acquire a second identifier (a second identifier is acquired as a user action). Then, provision of a service or the like can be received by the second identifier (the service is received / use of the service is performed by the user).
The service providing server provides or mediates the provision of various services to the user operating the user terminal. In addition, "securing the privacy of the user" described here means that, for example, the administrator (super user or operator in UNIX (R)) managing the service providing server is provided with a correspondence between the login status of the user and the service usage status. It means a state in which the attachment is kept secret. Further, the client company server includes a server that directly manages user information (personal information) such as a user's name, age, and address in association with a unique identifier, or includes information or means capable of acquiring user information. Server. For example, a server managed by the corporate organization to which the user belongs, a server managed by a local government such as a city hall or a ward office in the residence area of the user, or a server managed by an ISP to which the user has contracted as a member It is assumed that In other words, companies include not only private companies but also local governments. In addition, companies include NPOs (Non Profit Organizations) and the like.
According to this configuration, information and privacy of the user are strongly protected.
[0021]
(Anonymization device for online services)
According to another aspect of the present invention, there is provided a user receiving a service, a first computer of a first organization to which the user belongs, and providing or mediating a service to the user. A second computer of a second group that performs anonymization of user information in an online service performed by the third group, and an anonymization device of a third group that performs anonymization of the information of the user; A first identifier required to log in to the server and receive a notification of the second identifier; and a first identifier required for the user to log in to the second computer and receive the mediation of the provision or provision of the service. The user is anonymized using the second identifier, and the user who has received the notification of the second identifier logs in to the second computer using the second identifier. In Rukoto an anonymizing apparatus in an online service to be able to receive the intermediary provide or offer the service.
Then, the anonymizing device authenticates the user with the first identifier issued by the first organization, and generates a second identifier to notify the user and the second organization. And characterized in that:
[0022]
According to this configuration, similarly to the first aspect, the information of the user in the first organization and the information of the user in the second organization can be anonymized. Further, according to this configuration, the first organization cannot know when a user belonging to the first organization accesses or logs in to the computer of the second organization.
Thereby, protection of user information and privacy is performed firmly.
[0023]
According to a ninth aspect of the present invention, there is provided an anonymization apparatus for an online service according to the eighth aspect, wherein the anonymization apparatus stores a correspondence between the first identifier and the second identifier. The apparatus is characterized by comprising means for storing in the device.
According to this configuration, linkable anonymization can be performed.
[0024]
(Anonymization program for online services)
According to a tenth aspect of the present invention that solves the above-mentioned problem, the computer is an anonymizing device in the online service according to the seventh aspect. An anonymization program in an online service, wherein the program functions as means for authenticating the user with an identifier, and means for generating the second identifier for notifying the user and the second organization.
[0025]
According to an eleventh aspect of the present invention, in the configuration of the tenth aspect, the computer is caused to function as a unit that stores a correspondence between the first identifier and the second identifier in a storage device. I do.
[0026]
(Program storage medium)
According to a twelfth aspect of the present invention, there is provided a program storage medium storing an anonymization program for an online service according to the tenth or eleventh aspect.
[0027]
BEST MODE FOR CARRYING OUT THE INVENTION
Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. The following describes an embodiment in which an anonymization method in an online service, an anonymization device in an online service, an anonymization program and a program storage medium in an online service are applied to an online service system. FIG. 1 is a block diagram showing the overall configuration of the online service system of the present embodiment.
[0028]
The online service system shown in FIG. 1 includes a client company (hereinafter, referred to as “company”) 1, an employee belonging to the company 1 (refers to a person who enters into an employment contract with the company 1, hereinafter referred to as “employee”) U, and an employee U Counseling company 2, which provides online counseling service to the company, and an external ID management company (hereinafter referred to as "ID management company") that manages IDs for employees U to use the service independently of company 1 and counseling company 2. 3) Assume a total of 4 entities. Then, regarding the act of each subject, the employee U keeps the contents of the service received from the counseling company 2 so as not to be known to the company 1 and the like, and the personal information of the employee U known by the company 1 is counseled. It should not be known to the second trader. That is, the information (personal information) of the employee U in the online service performed by the four entities is anonymized, and the personal information of the employee U (“user information in the first organization”, “user information in the second organization” Information)) and the privacy of individuals.
[0029]
Here, the employee U is the “user” in the claim, the company 1 is the “first organization” in the claim, the counseling company 2 is the “second organization”, and the ID management company 3 is the “third organization” in the claim. Organizations. " The initial ID, which appears below, corresponds to the “first identifier” in the claims, and the login ID corresponds to the “second identifier”. Similarly, the client company server 100 is a “computer of a first organization” in the claims, the counseling company server 200 is a “computer of a second organization” and a “service providing server”, and an ID management company server 300 is the same. It corresponds to a “computer of a third organization” and an “anonymization device”.
[0030]
The “anonymization” means, for example, that personal information of a certain person (a certain employee U) is not leaked to the outside against a certain law or a certain rule (an explicit rule or an implied rule). Means to remove all or part of the information that identifies an individual from a person, and attach a code or number (ie, an identifier) that is not related to the person instead. Anonymization in the present embodiment is mainly achieved by an initial ID (first identifier) and a login ID (second identifier). “Personal information” is, for example, information about an individual that can identify a specific individual by the name, date of birth, or other description included in the information (easily distinguished from other information). Including those that can be matched and thereby identify a particular individual). “Privacy” refers to the freedom to be able to spend, for example, personal daily life and social behavior with peace of mind without being seen or interfered with by others.
[0031]
[Overall system configuration]
Hereinafter, the overall configuration of the online service system will be described with reference to FIG.
As shown in FIG. 1, the overall configuration of the online service system described in the present embodiment is based on a network connecting a client company server 100, a counseling company server 200, and an ID management company server 300. In the present embodiment, the client company server 100 is operated by the company 1 serving as a client of the counseling company 2, the counseling company server 200 is operated by the counseling company 2, and the ID management company server 300 is operated by the ID management company 3. I do. In the present embodiment, it is assumed that there are a plurality of companies 1 and counseling companies 2. On the other hand, in the present embodiment, the ID management company 3 is assumed to be an agency or a company independent of the company 1 or the counseling company 2 that has a public nature in its business.
Hereinafter, each configuration will be described.
[0032]
[Company / Client company server]
The company 1 has contracted with a counseling company 2 for the welfare of the employee U of the company 1 so that the employee U of the company 1 can be counseled by the counselor C. Further, it is assumed that the company 1 has also contracted with the ID management company 3 to prevent leakage of personal information of the employee U (for protection of personal information and privacy).
[0033]
The client company server 100 of the company 1 shown in the lower left of FIG. 1 has a function of authenticating the employee U in response to the employee U accessing the client company server 100 using the employee terminal UT or the like. Further, it has a function of generating an initial ID for the employee U to log in to the ID management company server 300, which is a computer of the ID management company 3, and issuing (notifying) it to the employee U (employee terminal UT). Further, it has a function of associating an initial ID with an ID (employee ID) for uniquely identifying an employee U in a company, such as an employee number. In addition, the client company server 100 has a function of notifying the ID management company 3 (ID management company server 300) of a list (first identifier list) of initial IDs paid out (notified) to the employee U. Further, a function is provided for setting a first period (initial ID issuance period) in which the initial ID is issued to the employee U and issuing (notifying) the initial ID to the employee U during this period. The client company server 100 has a function of issuing (notifying) a company ID unique to each company 1 notified from the counseling company 2 to the employee U.
[0034]
Therefore, the client company server 100 has an authentication unit 110 for uniquely authenticating the employee U who logs in with an employee ID and a password (not shown). Further, the client company server 100 issues (notifies) an initial ID to the authenticated employee U during the initial ID issuance period, and manages (stores / retrieves) at least the “employee ID” and the “initial ID” in association with each other. The ID management unit 120 for reading out the data is provided. The ID management unit 120 notifies the employee U of the company ID before the initial ID issuance period. Further, the client company server 100 has a storage device (not shown) (not shown) for storing a company management table 130 in which at least “employee ID” and “initial ID” are associated with each other. The password may be previously distributed by the company 1 to the employee U, or may be changed based on the password distributed by the employee U.
Incidentally, the company 1 (client company server 100) can refer to the personal information (name, department, position, etc.) of the employee U from the initial ID (initial ID → employee ID → user's personal information).
[0035]
[Counseling service / Counseling service server (service providing server)]
The counseling company 2 has contracted with the company 1 and the ID management company 3. Then, a counselor (including an occupational physician) who has contracted with the counseling company 2 for the employee U of the company 1 via the communication network performs counseling, and aims at mental health care of the employee U of the company 1.
[0036]
The counseling company server 200 of the counseling company 2 shown in the center of FIG. 1 issues (notifies) an ID (company ID) for the counseling company 2 to uniquely identify the company 1 to the company 1 and the ID management company 3. Has functions. In addition, for example, there is a function (login function) for authenticating the employee U who is a user accessing from the employee terminal UT by using the company ID and an ID (login ID) for identifying the employee U. Further, it has a function of managing the “company ID” and the “login ID” in association with each other. In addition, it has a function of issuing a password (“password” in the claims) required when logging in to the counseling agent server 200 to the employee U.
[0037]
Therefore, as shown in FIG. 1, the counseling company server 200 authenticates the employee U with the login ID and the company ID, and after issuing a password described later, authenticates the employee U with the login ID and the password. 210. Further, the counseling company server 200 issues a company ID to the company 1 and the ID management company 3 and a password to the employee U, and at least “company ID”, “login ID”, “password”, and “pointer to the counseling result”. It has an ID management unit 220 for managing the four elements in association with each other. The counseling company server 200 stores a counseling company ID management table 230 that associates at least four elements of “company ID”, “login ID”, “password”, and “pointer to counseling result”. Not having storage. The counseling company server 200 corresponds to a service providing server that provides a service to the client company server 100 or the employee terminal UT.
[0038]
Incidentally, the counseling company 2 (counseling company server 200) indicates what counseling was performed by the employee U corresponding to the login ID (contents of the counseling), and “the pointer to the counseling result” in the counseling company ID management table 230. It can be referred to based on Here, the login performed by the employee U using the login ID and the company ID is positioned as a temporary login for issuing a password.
[0039]
The counseling company 200 contracts with a plurality of counselors C and provides an environment and tools for performing online counseling to the employee U, such as e-mail and video chat, to the counselor C. The video chat function and the like may be provided in a computer other than the counseling company server 200. Further, the counseling company may further cooperate with a plurality of other counseling companies 2 (counselor C) to execute the counselor 2 intermediary business for the company 1. Company 1 contracts with counseling company 2 to provide employee U with online counseling and mental health care as part of benefits. This counseling or the like corresponds to “providing a service” in the claims. The term “mediation of provision” in the claims corresponds to, for example, the counseling company server 200 introducing the counselor C.
[0040]
[ID management company / ID management company server (anonymization device)]
The ID management company 3 contracts with the company 1 and the counseling company 2 and manages the ID related to the employee U. This ID management company 3 (ID management company server 300) is characteristic of the present embodiment.
[0041]
The ID management company server 300 shown in the center of FIG. 1 is necessary when the employee U logs in to the computer of the counseling company 2 (counseling company server 200) after authenticating the employee U with the initial ID and the company ID. It has a function of generating an identifier (login ID) and issuing (notifying) it to the employee U. In addition, it has a function of associating and managing “company ID”, “initial ID”, and “login ID”. In addition, it has a function of notifying the counseling company 2 (counseling company server 200) of a list of login IDs issued to the employee U. Further, a function is provided for setting a period during which the login ID is issued to the employee U (login ID issuance period) and issuing (notifying) the login ID to the employee U during this period.
[0042]
For this reason, the ID management company server 300 has an authentication unit 310 for uniquely authenticating employees based on the initial ID and the company ID. Also, the ID management company server 300 issues a login ID to the authenticated employee U during the login ID issuance period, and manages the three elements of the company ID, the initial ID, and the login ID in association with each other. It has a unit 320. In addition, the ID management company server 300 has a storage device (not shown) that stores an ID management company table 330 that stores three of the company ID, the initial ID, and the login ID in association with each other.
[0043]
[Description of operation]
Next, the operation until the employee U is provided with the counseling service by the above-described online service system will be described with reference to FIGS. 2 to 4 (see FIG. 1 as appropriate). FIG. 2 is a sequence diagram cited for explaining operations up to the start of service provision. FIGS. 3A and 3B are diagrams showing a notification sent to an employee terminal, wherein FIG. 3A shows a notification of a company ID and others, FIG. 3B shows a notification that a login to the ID management company server is possible, and FIG. 3C shows a counseling company. Indicates a notice that the server can log in. FIG. 4 is a diagram showing a password notification made to the employee terminal.
[0044]
The counseling company 2 contracted with the company 1 and the ID management company 3 generates a company ID unique to the company 1 (S11), and notifies the company 1 and the ID management company 3 of this (S12, S13). This company ID is assumed to be notified by e-mail. For example, by giving the counseling company server 200 a WWW (World Wide Web) server function, the company ID is disclosed on the Web, and the company 1 Alternatively, a notification may be made to the person in charge of the ID management company 3 by browsing the information using a personal computer or the like. The company ID may be notified by mail or the like, or may be notified by facsimile or the like. Note that the company ID is required together with the initial ID when the employee U logs in to the ID management company server 300, and is required together with the login ID when the employee U logs in to the counseling company server 200 (temporary login).
[0045]
Incidentally, the employee U has (1) that the company 1 has a contract with the counseling company 2 so that the employee U can receive counseling by the counselor C, and (2) the anonymity of the information of the employee U. The company 1 has contracted with the ID management company 3 for security and privacy protection of the employee U, and before the employee U receives counseling, the login ID for logging in from the ID management company 3 to the counseling company server 200 is provided. It is assumed that it is necessary to receive notification (issuance) in advance.
[0046]
The company 1 notifies (notifies) the notified (acquired) company ID to the employee U by e-mail or the like (S14), but, for example, makes the client company server 100 have a WWW server function and publishes it on the Web. Alternatively, the company ID may be notified by causing the employee U to browse.
[0047]
The company 1 that has notified the employee U of the company ID determines a predetermined period (first period = initial ID issuance period) T1 for the employee U to acquire the initial ID, and sets this in the client company server 100 ( First period setting, S15).
The initial ID issuance period T1 and the URL (Uniform Resource Locator) of the client company server 100 are notified to the employee U from the company 1 together with the company ID at the time of notification of the company ID in step S14. (See FIG. 3A). The notification of the company ID in FIG. 3A is displayed on the screen of the employee terminal UT, thereby prompting access to the client company server 100 (logging in). Incidentally, it is assumed that when the URL shown in FIG. 3A is clicked, a screen (not shown) for logging in to the client company server 100 is displayed on the employee terminal UT.
[0048]
The employee U notified of the company ID accesses the client company server 100 from the employee terminal UT within the initial ID issuance period T1, and after the authentication by the authentication unit 110 is completed (authentication with the employee ID), is generated by the ID management unit 120. The obtained initial ID is obtained (S16, S17).
Here, as shown in FIG. 1, the initial ID is not notified to the counseling company 2. Therefore, even if the company 1 and the counseling company 2 collude, it is not possible to specify who the employee U uses the service (receives counseling). That is, the counseling company 2 cannot associate the information of the employee U in the company 1 with the information of the employee U in the counseling. If the initial ID issuance period T1 is set, the application will be dispersed if the period is not set, and it will be relatively easy to identify individuals. However, if the period is set, the applications will be concentrated, so that the application will be concentrated. Is difficult to identify.
[0049]
After the end of the initial ID issuance period T1, the company 1 (the client company server 100) transmits the initial ID list in which the initial IDs are listed to the ID management company server 300 (the ID management company 3) in a lump (S18). Note that, in order to more surely anonymize the information of the employee U, the information of the employee ID corresponding to the initial ID is not transmitted. The transmission of the initial ID list may be performed by e-mail, mail, or the like. Further, it may be performed by facsimile or the like. Note that the initial ID list is stored in a storage unit (not shown) of the ID management agent server 300 (corresponding to “a step of storing a first identifier”).
[0050]
Next, the ID management company 3 determines a predetermined period (second period = login ID issuance period) T2 for the employee to acquire the login ID, and sets this in the ID management company server 300 (second period). Setting of period, S19). The ID management company 3 (ID management company server 300) notifies the company 1 (client company server 100) that the login to the ID management company server 300 is possible (login enabled notification) (S20). The reason why the login ID issuance period T2 is set is, for example, to make it difficult to identify an individual, similarly to the reason for setting the initial ID issuance period T1.
[0051]
In step S20, the company 1 (the client company server 100) that has received the log-in notice notifies the employee U of a log-in notice (see FIG. 4B) indicating that the log-in is possible to the ID management agent server 300. (S21). The log-in notification to the ID management company server 300 can be performed by e-mail or the like in the same manner as the notification of the company ID. 3B is displayed on the screen of the employee terminal UT, thereby prompting the employee U to access (log in to) the ID management company server 300. It is. Incidentally, when the URL described in FIG. 3B is clicked, a screen (not shown) for inputting the initial ID and the company ID and logging in to the ID management server 300 is displayed on the employee terminal UT. (Corresponding to "a step of displaying a screen for logging in to the third computer by inputting the first identifier").
[0052]
The employee U who has received the login enable notification logs in to the ID management company server 300 from the employee terminal UT within the login ID issuance period T2, and after the authentication by the authentication unit 310 is completed, is generated by the ID management unit 320 (S22). A login ID is obtained (S23). In this embodiment, the employee terminal UT used by the employee U to obtain the login ID does not need to be equipped with a dedicated application. Therefore, the employee terminal UT may not be a business terminal, but may be a PC at home, a PC installed in an Internet cafe, or a mobile device. After the elapse of the login ID obtainable period T2, the ID management company server 300 that has generated and issued the login ID sends the login ID list (combined for each company ID unit) to the counseling company server 200 (counseling company 2). They are transmitted collectively (S24).
[0053]
Note that the login ID is not notified to the company 1 as shown in FIG. Further, as described above, the initial ID is not notified to the counseling company 2. Therefore, even if the company 1 and the counseling company 2 collude, the company 1 cannot know which employee U has received any counseling. Further, the company 1 cannot know which employee U has logged in to the counseling company server 200.
[0054]
The counseling company 2 (counseling company server 200), which has received the login ID list from the ID management company 3 (ID management company server 300), stores this in a storage unit (not shown) of the counseling company server 200 and notifies the user of the log-in (see FIG. 4 (c)) is performed for the company 1 (client company server 100) (S25). The company 1 (client company server 100) sends a log-in notice to the employee U, which is a notice that the log-in to the counseling company server 200 is possible (S26). The log-in notice to the counseling company server 200 can be made by e-mail or the like. 4C is displayed on the screen of the employee terminal UT, thereby prompting the employee U to access (log in) the counseling company server 200. By the way, if the URL described in FIG. 3C is clicked, a screen (not shown) for logging in to the counseling agent server 200 by inputting a login ID and a company ID or a login ID and a password is input. Is displayed on the employee terminal UT (corresponding to "inputting a second identifier and displaying a screen for logging in to the second computer").
[0055]
The employee U, which has received the notice of being able to log in to the counseling company server 200 in step S26, operates the employee terminal UT such as a personal computer, and obtains the login ID notified (acquired) in step S23 and the company notified in step S14. The user logs in to the counseling company server 200 using the ID (S27). Note that this login is positioned as a temporary login for issuing a password. In the counseling agent server 200, after the authentication by the authentication unit 210 is completed (after login), a password is generated by the ID management unit 220 (S28). Then, the password is notified from the counseling company server 200 to the employee terminal UT (S29). FIG. 4 is an example of a password notification displayed on the employee terminal UT. As shown in FIG. 4, the password is notified to the employee U. The employee U may be allowed to set his or her favorite password.
[0056]
If the employee U who has been notified of the password wants to receive counseling, he or she can log on to the counseling company server 200 using the login ID and the password to receive counseling (online service) by counselor C (service start, S30). ). Thereafter, as shown in parentheses in FIGS. 1 and 2, the employee U can log in to the counseling company server 200 using the login ID and the password, and can receive an online service.
[0057]
In this configuration, information (personal information) of employee U in company 1 is anonymized by the initial ID (and employee ID), and information (personal information) of employee U in counseling is anonymized by the login ID (FIG. 1). (See the counseling company management table 230). The correspondence between the initial ID and the login ID is managed by an ID management company 3 independent of the company 1 and the counseling company 2. Therefore, the company 1 (and the third party) cannot associate the personal information of the employee U in the company 1 with the personal information of the employee U in the counseling. This is the same for the counseling company 2.
[0058]
That is, even if the employee U receives counseling, the company 1 does not know the login ID for logging in to the counseling agent server 200, and therefore cannot know which employee U has received what kind of counseling. On the other hand, the counseling company 2 does not know the employee ID of the employee U who has received the counseling, and therefore cannot specify the employee U who has received the counseling. Further, since the ID management company 3 of the present embodiment is an entity that only manages IDs (company ID, initial ID, login ID), independent of the company 1 and the counseling company 2, the individual of the employee U Neither information nor counseling content is known. That is, according to the online service system of the present embodiment, the information (personal information) and the privacy of the employee U are strongly protected.
[0059]
Further, since the employee U is managed by the identifier, it is not necessary to install a dedicated application on the employee terminal UT. Therefore, unlike the technology using the electronic certificate, the employee U can use the service from any terminal. Of course, it is also possible to use an electronic signature and an encryption technique together.
[0060]
It should be noted that no matter which two of the company 1, the counseling company 2 and the ID management company 3 collude, the employee U who has received the counseling cannot be specified unless the remaining one entity leaks information. Incidentally, in the present embodiment, the company ID is used, but this company ID is generated for each company 1 by the counseling company 2. For this reason, the counseling company 2 knows which employee 1 of which login ID belongs to which company 1 (this is used for connectable anonymization described below).
[0061]
[Consolidation anonymization]
By the way, in an emergency or the like, if it is necessary to identify the employee U who has received counseling from a legal and social point of view, the company 1, the counseling company 2 and the ID management company 3 can all cooperate with each other. Relationship between counseling contents and login ID (relationship between login ID and company ID) → “Relationship between login ID and initial ID” → “Relationship between initial ID and employee ID” → “Employee ID and individual of employee U” By sequentially tracking "relation with information", the employee U can be specified.
[0062]
An example of the flow of determining the employee U by the anonymization of connection possibility will be described with reference to the sequence diagram of FIG. At this time, information in the tables 130, 230, and 330 stored in the servers 100, 200, and 300 is used.
[0063]
First, the counseling company 2 (counselor C) who has provided counseling determines whether or not the content of the counseling of the employee U is related to human life (S41). If it is determined that it does not affect human life or the like (No), the process of specifying the employee U is stopped (S42). When it is determined that the contents of the counseling are related to human life or the like (Yes), the following processing is performed. That is, since the login ID, the counseling result, and the company ID are associated with each other in the counseling company management table 230, the login ID is specified based on the contents (data) of the counseling, and the company ID is further determined based on the login ID. To identify. Then, the contact information of the company 1 is determined based on the company ID (S43). As described above, since the company ID is generated by the counseling company 2 for each company 1, the counseling company 2 immediately determines which company 1 to contact based on the correspondence between the company 1 and the company ID. I understand.
[0064]
After determining the contact information of the company 1, the counseling company 2 notifies the ID management company 3 (ID management company server 300) of the fact (S44). At the time of this notification, it is assumed that the login ID of the employee U determined to be related to human life and the like and the contents of the counseling are also notified. On the other hand, the company 1 is also notified of this (S45), and requests the company 1 to consent to link the anonymized information. At the time of this notification, the contents of the counseling of the employee U who is determined to be related to human life and the like shall also be notified.
[0065]
The company 1 examines the contents of the counseling and determines whether or not it involves human life (S46). If it determines that it does not involve human life (No), it stops the processing (S47). At this time, the counseling company 2 and the ID management company 3 are notified (notified) to that effect, and the process of specifying the employee U is stopped. On the other hand, if it is determined that the request is related to human life or the like (Yes), the ID management company 3 is notified of the agreement (S48).
[0066]
The ID management company 3 notified in step S48 searches the ID management company management table 330 based on the login ID notified from the counseling company 2 in step S44, and specifies the initial ID corresponding to the login ID ( S49). Then, the initial ID is notified to the company 1 (S50).
[0067]
In the company 1, the initial ID and the employee ID are associated with each other by the enterprise management table 130 of the client company server 100. Therefore, the employee ID is specified based on the initial ID, and the employee U is identified based on the employee ID. Identify contacts. It is assumed that the company 1 has a contact list of the employee U associated with the employee ID.
[0068]
When the contact information of the employee U is determined in this manner, for example, the company 1 can contact an appropriate place such as the police, fire department, health center, and administration according to the contents of the counseling. Of course, the employee U can also be contacted. Therefore, the company 1 can take measures to prevent the suicide of the employee U, for example.
[0069]
[Contract Relationship]
FIG. 6 is a diagram illustrating an example of the contract relationship of each entity in the present embodiment.
Employee U has an employment contract with company 1 and counselor C has an employment contract with counseling company 2. The company 1 concludes a service use contract with the counseling company 2 and pays the service fee to the counseling company 2. Further, the company 1 terminates the service use contract with the ID management company 3 and pays the service fee to the ID management company 3. Thereby, the ID management company 3 can make a profit. As shown in FIG. 6, it is also possible for the counseling company 2 to contract with the company 1 as a base (contact point) for the other counseling companies 2A, 2B, 2C.
[0070]
The present invention described above is not limited to the above-described embodiment, and can be widely modified and implemented without departing from the gist of the present invention.
For example, the employee ID may also serve as the initial ID. In the above-described embodiment, in order to perform linkable anonymization, in particular, the table for the ID management company that stores the correspondence between the initial ID and the login ID is used, but the table for the ID management company is not used. As a matter of fact (that the correspondence between the initial ID and the login ID is not stored), unlinkable anonymization may be performed. It is also possible to anonymize employee information without using a company ID. Incidentally, when calculating the service charge, the company ID is useful. In addition, although the final determination of the contact information of the employee in an emergency or the like is performed by the company as a result, the information may be collected by an ID management company, and the ID management company may finally determine the information.
[0071]
Also, counseling has been described as an example, but other services, especially services that can be provided online or services that can mediate the provision of online services, such as sales and brokerage of electronic contents, goods and financial products, etc. The present invention can also be applied to mediation of sales and sales, mediation of provision and provision of services, mediation of sales and sales of real estate, and the like.
[0072]
Each server and employee terminal can be realized by a computer and a program. Further, the program can be stored in a storage medium readable by a computer. In addition, the program can be provided through a network. In addition, each computer (server) may be configured not by a single computer but by a plurality of computers and peripheral devices. Further, although the employee terminal U directly accesses and logs in to the counseling company server and receives the service from the counseling company server, the service may be provided via the client company server. Further, the first period and the second period may not be set. Also, the transmission of the IDs may not be performed collectively in the form of a list, but may be performed, for example, every time an ID is issued (generated).
[0073]
【The invention's effect】
According to the present invention described above, the following excellent effects can be obtained.
According to the first, second, seventh and eighth aspects of the present invention, the user information is anonymized by the identifier, so that it is possible to make it difficult to track the behavior of the user when providing the online service, Thereby, protection of user information and privacy is performed firmly. Further, a general terminal can be a user terminal. Further, according to the third and ninth aspects of the invention, the anonymization of the linkable connection can be reliably performed. According to the fourth aspect of the present invention, the protection of user information and the like is securely performed by the password. Further, according to the invention of claims 5 to 7, the anonymity of the user can be enhanced by the concentration of the user. According to the tenth to twelfth aspects of the present invention, it is possible to securely protect user information and privacy by anonymizing user information by a computer.
[Brief description of the drawings]
FIG. 1 is a block diagram illustrating an overall configuration of an online service system according to an embodiment.
FIG. 2 is a sequence diagram cited for describing an operation up to the start of service provision in the system of FIG. 1;
FIGS. 3A and 3B are diagrams showing a notification sent to an employee terminal, where FIG. 3A shows a company ID notification and others, FIG. 3B shows a log-in notification to an ID management company server, and FIG. Indicates a notice that the server can log in.
FIG. 4 is a diagram showing a password notification sent to an employee terminal.
FIG. 5 is a sequence diagram illustrating an example of a flow for determining an employee by anonymizing connection possibility.
FIG. 6 is a diagram illustrating an example of a contract relationship between the respective entities in the present embodiment.
[Explanation of symbols]
U… Employee (user)
UT… employee terminal (user terminal)
1… Client company, company (first organization)
100 ... Client company server (first computer)
110 ... Authentication Department
120 ... ID management unit
130 ... Management table for company
2 Counseling companies (second group)
200 Counseling agent server (second computer, service providing server)
210 ... Authentication Department
220 ... ID management unit
230 ... management table for counseling companies
3 ... ID management company (third group)
300 ... ID management company server (third computer, anonymizing device)
310 ... Authentication unit
320 ... ID management unit
330 ... ID management company management table

Claims (12)

A user terminal of a user who receives a service provided via a network, a first computer of a first organization to which the user belongs, and a second organization which provides or mediates the service to the user A second computer of the above, the information of the user in the online service performed including,
A third computer of a third party independent of the first and second parties;
A first identifier that is associated with the information of the user in the first organization by the first computer, and is required when logging in to the third computer;
A second identifier associated with the information of the user in the second group by the second computer, and required when logging in to the second computer;
Anonymization method using
The user, by using the second identifier, by logging in to the second computer from the user terminal, so that the provision of the service or the mediation of the provision,
The third computer is:
Storing a first identifier list obtained from the first party, wherein the first identifier is listed;
Authenticating, on the basis of the first identifier list, access specifying the first identifier from a user terminal of the user notified of the first identifier by the first organization;
Issuing the second identifier to notify the user if the authentication is successful;
Having,
An anonymization method in an online service characterized by the following. A user terminal of a user who receives a service provided by a network, a first computer of a first organization to which the user belongs, and a second computer of a second organization which provides or mediates the service to the user. Information of a user in an online service performed including a second computer and a third computer of a third group that performs anonymization of the user information.
A first identifier that is associated with the information of the user in the first organization by the first computer, and is required when logging in to the third computer;
A second identifier that is associated with the information of the user in the second organization by the second computer, and is required when logging in to the second computer;
Anonymization method using
The user terminal of the user notified of the first identifier by the first organization,
Inputting the first identifier notified from the first organization and displaying a screen for logging in to the third computer;
Inputting the second identifier notified from the third group and displaying a screen for logging in to the second computer;
In this order,
An anonymization method in an online service characterized by the following. The third group stores the correspondence between the first identifier and the second identifier,
The information of the user stored in the first organization in association with the first identifier and the service of the user stored in the second organization in association with the second identifier 3. An anonymization method in an online service according to claim 1, wherein information on the online service can be connected. By logging in to the second computer, the user is notified of a password required to log in to the second computer or can set the password, and provides or mediates the provision of the service. 4. The method according to claim 1, wherein when receiving the password, the second computer is authenticated by specifying the notified or set password and the second identifier. Anonymization method in online service described in section. 5. The first computer according to claim 1, wherein a first period for generating the first identifier and notifying the user is set. Anonymization method in online services of the United States. 6. The third computer according to claim 1, wherein a second period for generating the second identifier and notifying the user of the second identifier is set. Anonymization method in online services of the United States. A client company server, one or more user terminals, a service providing server that provides or mediates a service to the client company server or the user terminal, and ID management that manages an identifier of a user who operates the user terminal A method for managing a user identifier for securing the privacy of the user in a network connecting the server and the trader server,
The client company server,
Means for issuing a first identifier as an identifier of the user to a user terminal during a set first period;
Means for transmitting the list of the first identifiers to the ID manager server after the end of the first period;
Means for managing the first identifier;
With
The ID management company server,
Means for transmitting a login enable notification to the client company server after receiving the first identifier list;
Means for authenticating the user with the first identifier during a set second period;
Means for issuing the second identifier to the user terminal;
Means for transmitting the list of the second identifier to the service providing server after the end of the second period;
Means for managing the first identifier and the second identifier in association with each other;
With
The service providing server,
Means for transmitting a login enable notification to the client company server after receiving the list of the second identifier;
Means for authenticating the user with the second identifier;
Means for managing the second identifier;
Means for providing or mediating the provision of the service;
With
With this configuration, the user is allowed to log in to the client company server during the first period and obtain the first identifier via the user terminal, and then, during the second period, Log in to the ID management agent server to obtain the second identifier,
With the second identifier obtained in this way, the user can log in to the service providing server and be provided with the service or receive the mediation of the provision.
A method for managing a user identifier in an online service, characterized by: The service is provided by a user who receives the service, a first computer of a first organization to which the user belongs, and a second computer of a second organization which provides or mediates the service to the user. User information on online services,
An anonymization device of a third group that performs anonymization of the user information;
A first identifier required for the user to log in to the anonymization device and receive a notification of a second identifier;
The second identifier required for the user to log in to the second computer and receive the provision of the service or the mediation of the provision;
Anonymize using
A system in which the user who has received the notification of the second identifier logs in to the second computer using the second identifier so that the service can be provided or mediated in the provision. An anonymizing device according to
The anonymization device,
Means for authenticating the user with the first identifier issued by the first organization;
Means for generating the second identifier to notify the user and the second group;
Having,
An anonymizing device in an online service, characterized by: 9. The anonymization device in an online service according to claim 8, wherein the anonymization device includes means for storing a correspondence between the first identifier and the second identifier in a storage device. In order to make the computer an anonymizing device in the online service according to claim 8,
Said computer,
Means for authenticating the user with the first identifier issued by the first organization;
Means for generating the second identifier to notify the user and the second party;
Functioning as
An anonymization program for online services, characterized by: 11. The anonymization program in an online service according to claim 10, wherein the computer causes the computer to function as a unit that stores a correspondence between the first identifier and the second identifier in a storage device. A program storage medium storing the anonymization program in the online service according to claim 10 or 11.

Images