JP2005115892A - System and method for personalization considering privacy - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To realize personalization considering privacy when an application is executed in a ubiquitous computing environment. <P>SOLUTION: A procedure for requesting a service from a personal information holding host (portable terminal) to an application operating host in a public space is as follows. (1) Application rules are downloaded to the user's portable terminal. (2) A control command is generated according to personal information and the application rules. (3) The control command is sent. An operation is made according to the control command. (4) The procedure sends no personal information. The acquisition of the personal information and the generation of the command decisive of the application operation are separated to realize privacy protection. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention relates to a technology for realizing a ubiquitous computer environment, and more particularly to a system and method for personalization in consideration of privacy.

1. Applications that presuppose the realization of a ubiquitous computing environment are being researched and developed every day. The ubiquitous presence of information devices and various sensors makes it possible to realize more comfortable applications for users. As a mechanism for the application to adapt to the user's preference, there is a method of operating based on a static value set by the user. For example, there are user interface settings and hot key assignment. In the future, a variety of information can be held by reducing the size and performance of portable devices, and applications can use personal information of users in the real world. In the following description, personal information of a user is used in a broad sense, from invariant information such as gender and age to preferences and application settings. By introducing personal information, the behavior of the application can be changed according to the gender and occupation of the user. In other words, application personalization in public space can be realized.
Ryoji Honda, Kazuhiro Suzuki, Shinichi Torihara, Kazue Kuze: “Ad Hoc Network and Active Electronic Advertising Version”, Information Processing Society of Japan Computer System Symposium NO. 13, pp. 47-52, Tokyo (2000), http://www.torihara.com/wit/ap/ A. Knott and C. Mellish and J. Oberlander, and M. 0'Donnel1, "Sources of Flexibility in Dynamic Hypertext Generation", In Proceedings of the 8th International Workshop on Natural Language Generation, Herstmonceux Castle, UK, june 1996. Davies, N.M. K. Mitchell, K.M. Cheverst, and G. S. B1air, "Developing a Context Sensitive Tourist Guide", Technical Report Computing Department, Lancaster University. March 1998. World Wide Web Consortium, http: // www. w3. org / Platform for Privacy Preferences Project, http: // www. w3. org / P3p / Anonymiser, http: // www. anonymizer. com / OpenSSL, http: // www. openss1. org /

2. Personalization of applications in public space First, we will explain the personalization of applications in public space and point out problems in realizing them.

2.1 Adaptation to personal information The user uses various applications that exist at the destination. The application performs an operation adapted to the personal information held in the user's mobile terminal. As an implementation of these, there is an active poster [Non-Patent Document 1] that is a navigation system for people with disabilities who switches on the interface according to the user's obstacles and guides the route according to the user's obstacles. There are ILEX-0 [Non-Patent Document 2], which changes the description content based on knowledge of art, and GUIDE [Non-Patent Document 3], a browser that operates on a PDA that provides guidance to tourists in tourist spots. As described above, by performing an operation adapted to the personal information of various users, it is possible to reduce the input burden on the user and to personalize the application in the public space.

2.2 Forms of applications that use personal information Personal information and applications are paired, and a mobile terminal that holds personal information holds personal information for one or more applications Assume that. As an example, an application that encourages department stores to recommend products that users prefer is that personal information exists for each department store, and there is a possibility that personal information may be held on different mobile devices for each application. is there.

2.3 Privacy As described above, by introducing personal information, more convenient applications can be realized, but privacy problems arise. The privacy problem described here is that personal information that the user does not want to be made known to others who are not intended. For example, the user's address or telephone number is known to an unintended third party. The problem becomes more serious in applications in public spaces.

  Some applications in public space can be malicious. That is, there is an application that discloses the acquired personal information to a third party unintended by the user or acquires personal information unintended by the user. These applications are ubiquitous in public spaces. Therefore, it is necessary to cope with the premise that the application is not trusted.

  In addition, when a malicious third party obtains a highly functional and multifunctional mobile terminal, the risk of intercepting communication between the mobile terminal holding the personal information and the application becomes higher. . Usually, encryption is used for correspondence to communication interception, but it is not useful for the malicious application described in the previous section.

2.4 Current Privacy Protection Techniques Privacy protection techniques that are currently widely used depend on communication partners or third parties. Hereinafter, this point will be briefly described with an example.

P3P
P3P [Non-Patent Document 5] provided by W3C [Non-Patent Document 4] is a framework for disclosing to the user the usage method and range of personal information acquired from the user when browsing a Web site. In many cases, disclosure to the user is performed after acquiring personal information. Also, the user needs to read long sentences. In addition, P3P cannot guarantee the method and scope of use of personal information on the website.

Proxy server
A proxy server such as Anonymizer [Non-patent Document 6] hides the IP address and port number of the host used by the user from the Web site when the user browses the Web via the proxy server. . Thus, privacy protection can be achieved, but there is a problem of proxy server reliability.

encryption
While encryption such as SSL [Non-Patent Document 7] is effective as a countermeasure against third parties, it is based on the premise that the communication partner is trusted. As described in the previous section, there is no utility in a ubiquitous environment of malicious applications, so it is necessary to use an alternative method to encryption.

  Therefore, we propose a privacy-aware application framework for implementing applications that use personal information in the public space.

The present invention is a method for realizing privacy-aware personalization when executing an application in a ubiquitous computing environment.
Downloading an application rule that is an expression or a set of expressions that generates at least one solution based on personal information to the user's mobile device (which can be either text or a program);
Generating a control command based on personal information and the application rule in the mobile terminal;
Transmitting the control command from the mobile terminal to a host on which an application runs;
And an operation based on the control command at the host.
And a step of changing a granularity of personal information provided to the application rule based on a user rule that is a personal information disclosure condition defined by the user.

The method further includes the step of inputting dynamic personal information,
In the step of generating the control command, a control command is generated based on personal information including the dynamic personal information and the application rule,
In the step of performing an operation based on the control command in the host, dynamic personal information may be generated from the received control command, and an operation corresponding to the dynamic personal information may be performed.

The present invention is a system for realizing personalization in consideration of privacy when an application is executed in a ubiquitous computing environment, and includes a portable terminal held by a user as a personal information holding host and a space where the user moves With existing application host,
The application operating host stores an application rule storage unit that stores an application rule that is an expression or a set of expressions that generates at least one solution based on personal information, and transmits the application rule and requests a control command from the portable terminal And a command request unit to
The portable terminal includes a personal information management unit that acquires personal information necessary for the application rule, and a command that receives personal information from the personal information management unit and generates a control command based on the application rule and the personal information. And a generation unit.

For example, the command request unit of the application operating host transmits the application rule to the mobile terminal, the command generation unit of the mobile terminal requests personal information from the personal information management unit according to the application rule, and the personal information The management unit acquires necessary personal information, the personal information management unit returns personal information to the command generation unit, the command generation unit generates a control command, returns a control command to the application operation host, and the application The active host performs an operation based on the control command.
The portable terminal may further include a user rule management unit that holds user rules and provides the user rules to the command generation unit. The user rule management unit changes the granularity of personal information according to the user rule and provides it to the application rule.

The portable terminal includes a mode input unit for inputting dynamic personal information,
The command generation unit of the mobile terminal generates a control command based on personal information including the dynamic personal information and an application rule,
The application operation host may include a dynamic personal information generation unit that generates dynamic personal information from the received control command.

  We propose a framework that allows applications to operate adaptively to personal information in consideration of privacy. In the ubiquitous computing environment, high-performance and multi-functional devices enable ubiquitous applications in public spaces and high-performance mobile terminals to hold various types of information. This allows for personalization in public spaces. With the improvement in performance of mobile terminals, information held in mobile terminals can handle personal information that matches the real world, so a framework that considers privacy is required. In the personal information non-transmission model according to the present invention, privacy protection is achieved by separating the acquisition of personal information and the generation of a command that determines the operation of an application. This makes it possible to create an application that achieves both privacy protection and adaptation to personal information.

Embodiment 1 of the Invention
The flow of explanation will be described. In the third section, we propose a personal information non-transmission model as a technique to achieve both privacy protection and adaptation to personal information. Section 4 describes the design, and Section 5 describes the EA-P2 framework, which is a prototype implementation for realizing a personal information non-transmission model.

  The embodiment of the present invention relates to an application framework in consideration of privacy for realizing an application using personal information in the public space described above. First, we consider the basic operation of the target application and propose a personal information non-transmission model. Next, its features are described, and finally the functional requirements to be realized are listed.

3.1 Overview In this section, we consider the operation of the target application and propose a personal information non-transmission model.

(1) Personal information transmission type model The basic operation of an application adaptive to personal information in the public space as the target application will be described. The conventional model is called a personal information transmission type model, and it is assumed that the application operates as shown in FIG.
1. 1. Get user's personal information 2. Generate control commands based on personal information and application rules Action based on control command

  FIG. 1 shows a personal information holding host and an application operating host, and user information (User Info) is sent from the personal information holding host to the application operating host (1). It is shown that a command is generated based on (2), and a predetermined service is provided to the user by the application running host (3).

  An application rule is an expression or a set of expressions that generates one solution based on personal information. In this framework, the acquisition of personal information and the generation of control commands are separated.

(2) Personal information non-transmission model We propose a personal information non-transmission model as a method for realizing personalization in public space. The basic operation is shown in FIG.
1. 1. Download application rules to user's mobile device 2. Generate control commands based on personal information and application rules 3. Send control command Action based on control command

  FIG. 2 shows a personal information holding host and an application operating host. An application rule prepared in advance is sent from the application operating host (1), and a command based on this and personal information held in advance by the personal information holding host is sent. Is generated (2), the command is sent to the application operating host (3), and a predetermined service is provided to the user by the application operating host in response to the command (4). According to the procedure of FIG. 2, instead of sending personal information to the application running host, a command is generated by receiving an application rule from the application running host, and this command is sent to the application running host. Therefore, the procedure of FIG. 2 can receive the same service as that of FIG. 1, but personal information is not transmitted, which is preferable in terms of privacy. Instead, application rules are sent, but there is no problem for the user when they are intercepted. Therefore, the procedure of FIG. 2 has the following features.

3.2 Features Next, the features of the personal information non-transmission model are described.

3.2.1 Confidentiality against malicious applications The personal information non-transmission model proposed here is effective for malicious applications because it transmits control commands to applications instead of personal information.

3.2.2 Confidentiality against malicious third parties When using an application that is adaptive to personal information in public space, there is a risk of interception of communications. In the personal information non-transmitting model, personal information itself is never communicated, so that personal information can be protected.

3.3 Functional Requirements Next, functional requirements required for the application framework for realizing the personal information non-transmission model proposed here will be described.

(1) Confidentiality of personal information As mentioned in the previous section, since the ubiquitous presence of malicious applications is used here, it is necessary to prevent leakage of personal information to applications.

(2) Flexible description method of personal information Since the framework proposed here is based on an application adaptable to various personal information, it is necessary to describe personal information flexibly.

(3) Convenience In order not to impair the original purpose of an application adaptive to personal information that reduces the burden of user re-input and response, it is necessary to achieve the above requirements without increasing the burden on the user. is there.

4 Design This section describes the design of an application framework for realizing the personal information non-transmission model proposed in this paper.

4.1 Overall configuration Fig. 3 shows the overall configuration of this framework. The personal information holding host is a portable terminal owned by the user, and the application operation host exists in the public space where the user moves.

  A user holds a portable terminal as a personal information holding host, and uses an application that exists in a public space of a moving destination. The command request unit operates on the application operation host, and the command generation unit and the personal information management unit operate on the personal information holding host.

(1) Command request section Sends application rules and requests a control command from the personal information holding host.
(2) Personal information management unit Acquires personal information necessary for application rules and provides it to the command generation unit.
(3) Command generation unit Generates a control command based on application rules and personal information.

4.2 Basic operation Fig. 4 shows the basic operation.
1. 1. Command request part sends application rules 2. Request personal information from the personal information manager in accordance with application rules. 3. Personal information management department acquires necessary personal information. 4. Return personal information to the command generator. 5. Generate control command and return control command to application Action based on control command

4.3 Personal information template In order to create a free application, the application creator must be able to freely define personal information. For this purpose, this framework provides a template. Templates must be able to freely define element names representing information types and be able to describe various values.

4.4 Application Rules As with personal information, application rules must leave room for description by the application creator. Therefore, a template is provided as well as personal information. The template requires the following elements:
(1) Type of necessary personal information (2) Formula for command generation (3) Type of generated command

4.5 Command Request Unit The command request unit exists in the application running host and plays the role of API. The application transmits an application rule via the command request unit. Further, the command request unit causes the application to acquire a control command from the personal information holding host.

4.6 Command Generation Unit The command generation unit acquires application rules. Next, the personal information is requested from the personal information management unit required by the application rule, and a command is generated based on the value returned from the personal information management unit and the application rule.

4.7 Personal Information Management Unit The personal information management unit identifies the type of personal information and returns a value required by the application rule to the command generation unit.

5. Implementation This section describes the EA-P2 (Enhancing Privacy and Adapting User Information for Personalized Public Space) framework, which is a prototype implementation.

5.1 Personal information From the viewpoint of flexibility in data description, XML is used as the description format of personal information. XML DTD (document type definition) is shown in FIG.
The application creator describes necessary personal information in element data. Each element is identified by the attribute name and its value is represented by the attribute value. Personal information is managed by the personal information manager.

5.2 Application rules This framework provides an interface as a template for application rules. Application rules can be created by implementing this interface. Specify the required personal information XML file by the argument of the evaluate method. FIG. 6 shows the interface.

5.3 Command Request Unit FIG. 7 shows the operation of application rule transfer in the command request unit. Transfer ApplicationRuleImpl object implemented by application creator to personal information holding host.
An example of calling from an application is shown in FIG. A command is requested by the getCommand method. The return value is a control command, and the application behaves based on personal information based on the control command.
The description of the application is one line, and the application creator can use this framework easily.

5.4 Command Generation Unit The acquisition of application rules is shown in FIG. Generate a command using the evaluate method of the obtained application rule. This realizes free creation of application rules.

5.5 Personal Information Management Department Extracts elements from an XML file that contains personal information. As designed in the previous section, since the operation on the mobile terminal is assumed to be a front bank, SAPI (simple API for XML) capable of relatively high speed processing was used for the API. FIG. 10 shows the operation of personal information analysis.

The system and method according to the embodiment of the present invention have the following effects.
(1) Confidentiality of personal information Protection of personal information from third parties is achieved by converting personal information into commands.
(2) Flexible description method of personal information As long as the application creator complies with the DTD, the personal information item can be freely set. For example, when creating an application that introduces a movie of an actor that the user likes using this framework at a rental video store, one store has an element of “favorite actor” and another store has an “ It can be divided into “actors” and “favorite actresses”, and can be flexibly supported by the application.
(3) Convenience Since this framework does not increase the number of user input responses, the convenience that is the original purpose of an application adapted to personal information is not impaired. Therefore, it can be said that convenience has been achieved.

  By using the framework according to the embodiment of the present invention, a user can use an application adaptive to personal information while protecting the personal information. On the other hand, an application creator can easily create an application adaptive to personal information in a public space by using this framework.

Note that the following functions may be added.
(1) Introduction of judgment criteria by the user Although the degree of freedom of the application creator has been achieved, the confidentiality of personal information has not been sufficiently achieved. Therefore, a function that enables customization of personal information provided to the application rule by the user may be provided.
(2) Processing of personal information The personal information description method and analysis method are improved so that personal information having a hierarchical structure such as an address can be handled. It also has a function to edit information such as addition and deletion of personal information.
(3) Privacy of location information Location information is important as information that can be used by the target application in the present system and method. Location information may also be taken into account to personalize applications in public spaces. In this case, it is preferable to include privacy protection for position information.

Embodiment 2 of the Invention
The following points may be added to the system and method according to Embodiment 1 of the invention.
(1) The command is executed not only on the application host but also on the node that generates the command.
(2) Dynamic personal information may be added in addition to static personal information. Dynamic personal information is personal information that changes as appropriate according to location and situation. For example, the purpose of visiting the store.
(3) In order to have traceability, the command generation time and GPS positioning data are attached to the command as data.
(4) Add commands related to display such as content selection, device selection, and display mode selection.

  Hereinafter, a specific system will be described with reference to FIGS.

Each part of FIG. 12 will be briefly described.
An application processing unit 11 transmits an application rule via the command request unit and acquires a control command from the personal information holding host by the command request unit 12.
Reference numeral 12 denotes a command request unit that exists in the application operating host and plays the role of an API.
A storage unit 13 stores application rules in advance.
Reference numeral 14 denotes a database for storing user personal information in advance.
A dynamic personal information generation unit 15 generates dynamic personal information based on the received command and sends the dynamic personal information to the application processing unit 11.
21 obtains an application rule, requests personal information required by the application rule to the personal information management unit 22, and generates a command based on the value returned from the personal information management unit 22 and the application rule Part.
A personal information management unit 22 identifies the type of personal information and returns a value required by the application rule to the command generation unit.
Reference numeral 22 denotes a mode input unit for inputting dynamic personal information.

(A) Response system in a cardera This is a system for providing information specialized to a customer when the customer who has stored personal information in the personal portable terminal visits the cardera.
A feature of this system is that, in addition to static information stored in a database, dynamic information is generated by being combined with events and information generated by the customer's action.
The personal information holding host is a personal portable terminal.
The carderer has an application on the application operation host, and also has a personal information database (past purchase history at the store in the past, contents of loans, etc.) on the application operation host.

S1: The application operating host detects that the customer has visited the store, that is, the personal mobile terminal is within the communicable range, and transmits the application rule from the application operating host to the personal mobile terminal.

S2: A customer inputs today's visit mode (deadline, deadline for adults, wants to know details of the car, wants to try) to the personal portable terminal in response to a request from the store.

S3: In the personal portable terminal, a control command is generated based on personal information that is always held in advance and the rules required by the received application.
The control command is generated by combining the static personal information held in the personal portable terminal and the store visit mode input at the time of entering the store.
For example, a customer who instructs the store visit mode (kill time) at the time of entering the store generates a control command of kill time with children by combining static personal information and the visit mode.
For a customer who has instructed the visit mode (want to know the details of the car) at the time of entering the store, a command is generated with a set of static personal information that there is a sedan purchase record and information that wants to know the details of the car.
A command for displaying outdoor use scenes of a vehicle on a large display is generated with a set of static personal information indicating that there is a purchase record of outdoor vehicles and information indicating a store visit mode (deadline killing).

S4: The generated control command is transmitted to the application operating host of the carder.

S5: The application operating host of the carder performs navigation and services to the customer unique to the carder based on the control command.

S6: At this time, the application operating host generates dynamic personal information based on the customer database held in advance by the application operating host and the received control command, and executes the service to the customer together with the previously received command. .
For example, a customer who has instructed the store visit mode (deadline killing) at the time of entering the store uses computer processing based on a combination of static personal information and the store visit mode, that is, the information that there is a child of the family structure of static personal information and the store visit mode (deadline kill). A command with a combination of information is received. As a result, the corner where children can play is navigated to this customer.
The customer who instructs the store visit mode (want to know the details of the car) at the time of entering the store receives a command combined with information that only the past sedan has been purchased from the purchase history of static personal information.
The application operation host in the store also maintains a customer database, and receives a command to know the details of the sedan from the static personal information and commands of the customer mobile terminal.

The service of the application operation host in the store will be described.
The current age is calculated based on the date of birth from the customer database of the store's application operating host, and the age, purchase history, and visit mode (want to know the details of the car) are combined, and the sedan's 3D display is on a large screen. This service is provided along with boarding information. At this time, the price rank of the target sedan is also selected by the computer of the application operation host based on the price rank of the past purchased vehicle and the loan information. At this time, personal purchasing power (annual income / loan balance) and the like are converted into command expressions and transmitted / received, so that personal security is not leaked. The date of birth is also expressed in language like a sign according to the private car replacement cycle age model (customer purchase model devised and set by the car dealer), and there is no risk of the date and actual age leaking as data. Depending on the family composition data, the content retroactive to the safety on the child seat is displayed in the highlighted display mode on the same display following the introduction of the vehicle.
At this time, content selection, display / output device selection, display mode selection, and the like are performed using control commands.

  By making persistent merchandise appeals to customers who come to the store to kill time for adults, it is possible to avoid fostering the psychology of revisiting the store or giving the impression of an unpleasant store. In addition, customers who have a purpose can provide services that meet the purpose.

(B) When a customer inquires to the car dealer about prior knowledge about updating a private car from the personal computer at home via the Internet. In this case, the personal computer corresponds to a personal portable terminal.
Cardera has an application on the application host, and also has a personal information database (customer B's past purchase history, loan details, etc.) on the application host.

  In response to a request from the customer's carder, the carder sends the application rule from the application operating host to the personal information holding host (personal personal computer terminal).

  Enter the query details.

The control command is generated by combining the retained static personal information and the inquiry content. In order to inquire about prior knowledge about replacement of a private car, the customer requests information on the car of interest on the homepage of the cardera through the Internet according to the received application.
For example, a command that generates static personal information with a sedan purchase record and the name of the inquired car as a set, or a command that combines color information of the past purchase history with the model of the sedan is generated. .

  In the application operating host of the carder, the service is provided based on the received control command in advance and personal information that is always held.

  Although the generated control command is transmitted, the personal information being communicated is converted into the form of the control command and transmitted, and is undecipherable even if exposed to others. This command makes it possible to transmit information that has been personalized among the information requested by customers, and to ensure the security of personal information.

(C) Furniture sales system The furniture sales store is large, has a large number of products, and each one is expensive. Combining product categories with customer preferences is effective in increasing the customer's purchasing motivation. It is.

  Send the application rules to the customer's personal mobile device.

  In the portable terminal, a control command is generated based on the stored personal information and the received application rule.

This control command is expressed as a computer command by abstracting customer preferences in relation to age.
The age is calculated from the date of birth, and the abstract customer profile of the elderly customer with back pain is calculated from the medical treatment items in orthopedics. The health standard category is applied to the product category, a recommended product category including a water bed as a bed and a chair as a chair is selected, and a story control command for navigating the store is generated.

  Send the generated control command to the application host.

  Based on the received control commands, the application running host further categorizes the preferences in the store, associates them with the customer's typical profile, and displays products that match the customer's profile for each sales floor and navigates. . By selecting the content, display device, and display mode using commands, the content is displayed on the customer's mobile phone or on a large display. It navigates products that fit customers based on store visits and purchase histories at customer events, and displays products from other stores as content.

Embodiment 3 of the Invention
A method / system for realizing the introduction of judgment criteria and processing of personal information by the user described in the last part of the first embodiment of the invention will be described.

  The main point of the third embodiment of the present invention is that the personal information is provided to the application rule after changing the granularity of the personal information based on the user rule.

First, user rules will be described.
User rules determine the granularity in disclosing a user's privacy profile. When the service rule arrives at the user's host, a list of requested privacy profiles is provided. The granularity of the requested privacy profile provided for service rules can be varied by user rules.

  The user rule is a rule defined by the user himself. As described above, the user can configure according to the confidentiality of the service. For example, a privacy profile is provided with a coarse granularity for services that the user does not know, and a fine granularity is provided for services that are well known. That is, user rules should exist for each unit of privacy profile and for each service. For example, the granularity of disclosing it to the advertisement service is determined by the user rule regarding the user's birthday, and the same applies to other cases.

Next, the operation of the third embodiment of the present invention will be described.
FIG. 14 shows a simple time chart. The vertical axis represents time. Arrows indicate actions or actions. Dotted arrows indicate a different sequence of patterns.

S11: The user sets his / her privacy profile and user rules in the user device.

S12: The service is started by some event or request. For example, the service starts when the user presses the start button or when the user enters a specific area. The host operating the service immediately sends the service rule to the user's mobile device.

S13: A list of requested privacy profiles is present on the user's device according to the service rules.

S14: The privacy profile granularity is changed according to the user rule, and provided to the service rule.

S15: A control command is generated from both the service rule and the provided privacy profile.

S16: A control command is returned.

  Next, the pattern of the order of dotted arrows will be described.

S16 ': When the privacy profile to be used can be confirmed on the user side, a control command is notified to the user.

S17: The user confirms.

S18: Thereafter, a control command is returned.

  Basically, the control command indicates a part of the privacy profile because it is generated from the service rule. For example, it is assumed that the service provider has explained a service rule in which the relationship between the privacy profile and the control command is one-to-one as follows.

if (profile = A) then command = a.
else if (profile = B) the command = b.

  This explanation means that if the control command is “a”, the user's profile is “A” and the same applies to “b”. If the service is malicious, privacy issues will occur; if the service is not malicious, no problem will occur.

  Therefore, it should be ensured that a specific privacy profile cannot be derived from the service rule itself. In the embodiment of the present invention, this condition is satisfied in order to introduce the concept of granularity for the privacy profile.

  On the left side of FIG. 15, in the case of continuous data, for example, a specific number of times, an anniversary such as a birthday, a wedding anniversary, etc. are shown. If the user's privacy profile is “3”, it can be changed to “1-4” or “0-12”. Therefore, the malicious service rule cannot specify a specific profile. For example, if the user is “24 years old”, the profile can be changed to “20 years old”.

  On the right side of FIG. 15, in the case of hierarchical data, for example, an address or a partnership relationship is shown. If the user's privacy profile is “ABDD”, it can be changed to “AB” or “A”. For example, if the user's address is “XXX N. Matthews Avenue, Urbana, Illinois 61801, United States”, it can be changed to “Urbana, Illinois 61801, United States” or “Illinois 61801, United States”.

  Therefore, a one-to-one relationship cannot be established between a user's privacy profile and a control command in a malicious service rule. As described above, according to the embodiment of the present invention, it is possible to protect the application of the privacy profile simultaneously with the protection of the privacy.

  The present invention is not limited to the above embodiments, and various modifications can be made within the scope of the invention described in the claims, and these are also included in the scope of the present invention. Needless to say.

It is explanatory drawing of the conventional personal information transmission type model. It is explanatory drawing of the personal information non-transmission type model which concerns on embodiment of this invention. 1 is a conceptual diagram of a system according to an embodiment of the present invention. It is explanatory drawing of the basic operation | movement of the system which concerns on embodiment of this invention. It is an example of DTD of personal information concerning an embodiment of the invention. It is an example of the application rule which concerns on embodiment of this invention. It is an example of the transfer of the application rule which concerns on embodiment of this invention. It is an example of calling a command request unit by an application according to an embodiment of the present invention. It is an example of acquisition of the application rule which concerns on embodiment of this invention. It is an example of the analysis of XML which concerns on embodiment of this invention. It is an example of description of personal information concerning an embodiment of the invention. It is a conceptual diagram of the system which concerns on Embodiment 2 of this invention. It is explanatory drawing of the basic operation | movement of the system which concerns on Embodiment 2 of this invention. It is explanatory drawing of the basic operation | movement of the system which concerns on Embodiment 3 of this invention. It is a figure which shows the idea of the particle size which concerns on Embodiment 3 of this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Application operation host 11 Application processing part 12 Command request part 13 Application rule memory | storage part 14 Personal information database 15 Dynamic personal information generation part 2 Personal information terminal 21 Command generation part 22 Personal information management part 23 Mode input part

Claims (6)

A method for realizing privacy-aware personalization when running an application in a ubiquitous computing environment,
Downloading an application rule that is an expression or a set of expressions that produces at least one solution based on personal information to the user's mobile device;
Generating a control command based on personal information and the application rule in the mobile terminal;
Transmitting the control command from the mobile terminal to a host on which an application runs;
Performing an operation based on the control command at the host.   The method according to claim 1, further comprising: changing a granularity of personal information provided to the application rule based on a user rule that is a personal information disclosure condition defined by a user. A system for realizing personalization in consideration of privacy when executing an application in a ubiquitous computing environment, and operating the application that exists in the user's mobile terminal as a personal information holding host and the user's destination space With a host,
The application operating host stores an application rule storage unit that stores an application rule that is an expression or a set of expressions that generates at least one solution based on personal information, and transmits the application rule and requests a control command from the portable terminal And a command request unit to
The portable terminal includes a personal information management unit that acquires personal information necessary for the application rule, and a command that receives personal information from the personal information management unit and generates a control command based on the application rule and the personal information. A system including a generation unit. The command request unit of the application operation host sends the application rule to the mobile terminal,
The command generation unit of the mobile terminal requests personal information from the personal information management unit according to the application rules,
The personal information management unit obtains necessary personal information,
The personal information manager returns personal information to the command generator,
The command generation unit generates a control command, returns the control command to the application operation host,
The system according to claim 3, wherein the application operating host performs an operation based on a control command.   The system according to claim 3, wherein the mobile terminal further includes a user rule management unit that holds a user rule and provides the user rule to the command generation unit.   The system according to claim 5, wherein the user rule management unit changes a granularity of personal information according to the user rule and provides it to the application rule.

Images