JP2005284353A - Personal information use system, method for controlling the same system, map file generating device and access control policy file generating device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To properly and automatically operate personal information according to a privacy policy. <P>SOLUTION: A map file where the correspondence of the description of personal information in a privacy policy and the description of personal information in an an HTML document or the like is stored in a WWW server. In the reception of an HTTP request, the description of the personal information in the privacy policy corresponding to the description of the personal information of the HTML document described in the HTTP request is acquired from the map file, and whether or not the personal information is turned to be the object of control related with the policy is judged from the description of the personal information, and when it is the object of control, the control of encryption or the like is operated. Also, an access control file irrelevant to the specifications of a database installed in the WWW server is stored, and access control from a Web application to the database is operated according to the file. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to a personal information utilization system capable of operating personal information appropriately and automatically in accordance with a privacy policy, a control method for the personal information utilization system, a map file generation device, and an access control policy file generation device.

  In recent years, many organizations such as companies and organizations use the WWW (World Wide Web) system to perform operations such as product sales and information / service provision to general users. Many of these services collect and use personal information of customers who are users of the WWW system. Personal information registered by a user accessing a personal information registration Web application is used for marketing such as customer preference analysis, or as information for providing customers with more appropriate information. Or used as a product delivery or customer contact. In addition, personal information is stored in a database, and personal information is also used from devices installed in organizations such as companies and organizations.

  In recent years, companies and organizations that handle personal information are strongly required to handle personal information carefully in consideration of customer privacy. In addition, if the customer's privacy is neglected, the trust of the customer will be lost, and the registration of personal information will be avoided by the customer, leading to the loss of business opportunities. Shows active efforts.

  For companies and organizations that handle personal information, laws and ordinances that impose various obligations to respect the privacy of individuals are in place in each country, and various penalties are also stipulated. One example is the Personal Information Protection Law in Japan. Many countries have enacted laws and systems related to the protection of personal information based on the spirit of the OECD eight principles announced in 1989. The above 8 principles are the principle of collection that cannot be collected indefinitely and the consent of the person is required for collection, the principle of clarification of purpose that the purpose of use must be clarified and presented to the user, and the individual who is not the purpose Individuals who can use information, do not use the information, use the principle of security protection to prevent unauthorized access, destruction, and falsification, and allow users to view, correct, delete, and suspend use of self-information The principle of participation, the principle of information content that personal information must be kept up-to-date, the principle of disclosure to disclose policies and responsible persons for management, the personal information manager is responsible for the implementation It consists of the principle of responsibility. Companies and organizations must collect and use personal information based on these principles.

From the background described above, when registering personal information, let the user browse the privacy policy that documents the type of personal information to be collected, the purpose of collection, the mode of use, and the means to resolve disputes. There are many WWW sites that ask for consent. In recent years, an increasing number of WWW sites provide privacy policies using XML (Extensible Markup Language) documents according to the framework of P3P (Platform for Privacy Preferences), which is a W3C standard. In this case, browsers are sent from the WWW site. The generated XML document is analyzed and a screen for allowing the user to browse is generated, and the user browses the screen when transmitting personal information. In addition, for each item included in the privacy policy, actions that the user can take, such as permission to publish or refrain from publishing personal information, are registered in advance so that the handling of personal information can be determined semi-automatically. . Furthermore, with regard to the use of personal information other than the purpose of use presented by the privacy policy, for example, the policy on access control for personal information in the database is consistent with the privacy policy so that users inside the organization cannot use for purposes other than the purpose of use. The administrator may set it as follows. For example, in Japanese Patent Laid-Open No. 2004-228867, when a statement that a user's address is used for product delivery is a privacy policy, reading of address data by an internal user belonging to a department in charge of product delivery is permitted. Access control is performed such that access from other departments is denied.
JP 2001-188804 A W3C P3P (Platform for Privacy Preferences) 1.0 specification “The Platform for Privacy Preferences 1.0 (P3P1.0) Specification” http://WWW.w3.org/TR/P3P/

  By the way, in order to set the access control policies of a plurality of databases existing in the system so as not to contradict the privacy policy, it is necessary for an administrator or the like to carefully set and to check for setting errors. Also, in a large-scale system configured with multiple databases, access control policy specifications such as description formats differ, so individual databases are required to set and operate them manually. You need to be familiar with the specifications. Furthermore, it is necessary to deal with each database individually, and enormous effort is required to perform access control by a privacy policy. For this reason, a site for operating the WWW system is required to have a mechanism for appropriately and automatically operating personal information in accordance with the privacy policy presented to the user and agreed to.

  The present invention has been made in view of such a background, a personal information utilization system capable of operating personal information appropriately and automatically in accordance with a privacy policy, a control method for a personal information utilization system, a map file generation device, and An object of the present invention is to provide an access control policy file generation device.

  A main invention of the present invention for achieving the above object is a personal information utilization system, which is realized by a CPU, a memory, and the CPU executing a program stored in the memory. A Web application, an HTTP server, a personal information processing unit, a personal information access control unit, a privacy policy file, a description of personal information in the privacy policy file, and a source of a program that realizes the HTML document or the Web application A map file describing correspondence with the notation of personal information in the code, and the personal information processing unit supports notation of personal information of the HTML document described in the HTTP request received by the HTTP server In the privacy policy file The notation of information is obtained by referring to the map file, and the personal information processing unit is configured to match the notation of the obtained personal information with the privacy policy file, and thereby the personal information described in the HTML document. Is determined to be subject to policy-related control in the privacy policy file, and the personal information processing unit determines whether the personal information described in the HTTP request is subject to policy-related control in the privacy policy file. The personal information described in the HTTP request is notified to the personal information access control unit, and the personal information access control unit transmits the personal information described in the HTTP request. Is encrypted and notified to the personal information processing unit, Serial personal information processing unit, the encrypted personal information notifies the HTTP server, the HTTP server, and to notify the personal information encrypted to the Web application.

  According to the present invention, personal information can be used appropriately and automatically in accordance with a privacy policy.

Hereinafter, an embodiment of the present invention will be described in detail with reference to the drawings.
FIG. 1A is a schematic configuration of a personal information utilization system described as an embodiment of the present invention. The Internet 3, the internal network 13, and the boundary network 6 are connected via the firewall 5. The internal network 13 is a communication network provided in an organization such as a company. An internal client 7 is connected to the internal network 13. The boundary network 6 is a communication network operated by the organization or the like. A WWW server 1 and a database server 10 are connected to the boundary network 6. The firewall 5 performs access control for protecting the internal network 13 and the boundary network 6 from unauthorized access through the Internet 3. For example, the firewall 5 performs access control such that access to the WWW server 1 from the Internet 3 is permitted but access to a device connected to the internal network 13 is not permitted. The client 2 is a computer that accesses a WWW server through the Internet 3.

  FIG. 1B is an example of a computer used as hardware for the WWW server 1, database server 10, client 2, and internal client 7. The computer 160 includes a CPU (Central Processing Unit) 161, a memory 162, an input device 163, a display device 164, an external storage device 165, a communication interface 166, and the like. These are communicably connected via a bus 167. The CPU 161 performs overall control of the computer 160. A program or data to be executed by the CPU 161 is stored in a memory 162 composed of RAM / ROM or the like. The external storage device 164 is, for example, a hard disk drive, CD-ROM, CD-R, DVD-ROM / RAM, or the like. The input device 163 is, for example, a keyboard or a mouse, and the display device 164 is, for example, a liquid crystal display or a cathode ray tube display. The communication interface 166 connects the computer 160 to the Internet 3, the internal network 13, and the boundary network 6. As the communication interface 166, for example, a NIC (Network Interface Card) is used.

  Various functions provided by the WWW server 1 are realized by the CPU 161 executing programs stored in the memory 162 or the external storage device 164. The WWW server 1 and the database server 10 can also be configured by the same computer. The WWW server 1 and the database server 10 can also be configured by a plurality of computers connected to each other so as to communicate with each other.

  In the WWW server 1, a personal information registration application 8 and a personal information browsing application 9 operate as Web applications. The personal information registration application 8 provides a Web service related to registration of personal information to the client 2 connected to the Internet 2. As an example of such a personal information registration application 8, there is a Web application that allows a customer to register for a product discount member in Internet shopping. The personal information registration application 8 transmits a personal information input screen 20 to the client 2 in response to a request from the client 2. The personal information registration application 8 receives the personal information input on this screen from the client 2 and registers it in the database 11.

  The personal information browsing application 9 provides a function of providing the internal information to the personal information registered in the database 11 by the personal information registration application 8. As such a personal information browsing application 9, for example, there is a customer management application used by an employee of an Internet shopping operating company that uses personal information registered by a Web application for Internet shopping. For example, the personal information browsing application 9 retrieves personal information from the database 11 in response to a request from the internal client 7 and transmits the retrieved personal information to the internal client 7.

  FIG. 2 shows a mechanism relating to registration of personal information in the database 11 performed via the personal information input screen 20. As shown in FIG. 2, the personal information input screen 20 is provided with a name input field 21, a telephone number input field 22, a mail address input field 23, and a send button 24 as personal information input fields. Yes. The personal information input in the input fields 21 to 23 by the user is transmitted to the WWW server 1 via the Internet 3 when the transmission button 24 is clicked. The transmitted personal information is received by a web application “/ register” 34 which is one of the web applications constituting the personal information registration application 8. The Web application “/ register” 34 registers (writes) the received personal information in the database 11.

  As shown in FIG. 2, the HTML document 25 is an HTML document for displaying a personal information input screen 20 transmitted from the WWW server 1 to the client 2. The HTML document 25 includes a form tag 33 in which a Web application that is a destination of input data is described, item names 26, 28, and 30 corresponding to the input fields 21 to 23, tags 27, 29, and 31, and a send button 24. Are described. In the form tag 33, “/ register” is described as the value of the action attribute which is an attribute for designating the transmission destination of the personal information. “Input” described as the tags 27, 29, and 31 corresponding to the input fields 21 to 23 means an input field, and the input type to the input fields 21 to 23 is set in the “type” attribute. In FIG. 2, “text” indicating text input is described. In the name attribute written together with the type attribute, a label to which the value input in the input field is associated is described. For example, when “johndoe” is entered in the name input field 21, a value (attribute value) “johndoe” is associated with a label “name” set in the name attribute. Similarly, the value (attribute value) “555-5555” is associated with the label “phone” set for the telephone number input field 22. Further, a label “email” set in the mail address input field 23 is associated with a value (attribute value) “johndoe@example.com”.

  When the send button 24 is clicked, the client 2 has a description “Name=johndoe&phone=555-5555&email=johndoe@example.co” in which the label and the value associated with the label are connected by the “&” symbol. A character string is generated and transmitted to the Web application “/ register” 34 as personal information. The web application “/ register” 34 analyzes the received character string to extract personal information such as name, telephone number, and mail address, and registers the extracted personal information in the database 11.

  The browser 4 that operates on the client 2 is a Web browser that supports P3P. The browser 4 displays a privacy policy screen 40 that is a screen for allowing the user to confirm the privacy policy when the transmission button 24 is clicked by the user when transmitting personal information from the client 2 to the Web application “/ register” 34. indicate.

  FIG. 3 shows a mechanism in which the privacy policy screen 40 is displayed on the screen of the client 2. The privacy policy screen 40 is displayed when the browser 4 interprets a P3P policy document described in XML (Extensible Markup Language) according to the P3P framework. The P3P policy file 43 is a file in which the privacy policy is described according to the above P3P. The P3P policy file 43 is stored in the WWW server 1 or the database server 10. In the P3P policy file 43 shown in FIG. 3, a tag 44 describing the purpose and a tag 45 describing the information to be collected are described as privacy policies. The tag 45 describing information to be collected includes one or more DATA tags. The DATA tag includes a ref attribute. The values that can be set in the ref attribute are defined in the P3P specification. The value set in the ref attribute specifies personal information to which the P3P policy file is applied. The tag 45 corresponding to the collected information 42 displayed on the privacy policy screen 40 includes a tag 46 corresponding to the name, a tag 47 corresponding to the telephone number information, and a tag 48 corresponding to the mail address. . Among these, “# user.name” is set as the value of the ref attribute of the tag 46 corresponding to the name. Also, “# user.home-info.telecom.telephone” is set in the ref attribute of the tag 47 corresponding to the telephone number. In addition, “# user.home-info.online.email” is set in the ref attribute of the tag 48 corresponding to the mail address.

  The P3P policy file 43 is transmitted from the WWW server 1 to the client 2 at an appropriate timing such as a timing at which the HTML document 25 is transmitted to the client 2 or a timing at which the transmission button 24 is clicked. On the privacy policy screen 40, for example, information such as the purpose of collection 41, information 42 to be collected, a solution at the time of dispute and contact information (not shown) corresponding to the eight principles of OECD are described. The user confirms whether or not to transmit personal information by looking at the contents described in the privacy policy screen 40 and then clicks the transmission button 24 on the personal information input screen 20.

  FIG. 4 shows various functions implemented in the WWW server 1 and the database server 10. In the WWW server 1, the HTTP server 80 that communicates with the client 2 and the internal client 7 according to the HTTP protocol (Hypertext Transfer Protocol), the Web application “/ register” 34, the Web application “/ viewer” 92, and the Servlet function. A Servlet application 93 that is a Web application to be used, a CGI engine 83 that provides a CGI (Common Gateway Interface) function, a Servlet engine 84 that provides a JAVA (registered trademark) Servlet function, a monitor unit 120, and a personal information processing unit 88. , Etc. are functioning.

  The CGI engine 83 provides the CGI function to the Web application “/ register” 34 and the Web application “/ viewer” 92. The Servlet engine 84 provides a Servlet function to the Servlet application 93. The personal information processing unit 88 is positioned as an extension program of the HTTP server 80. The monitor unit 120 is positioned as an extension program of the CGI engine 83 and the Servlet engine 84, and monitors and controls communications performed between the Web applications 34, 92, and 93 and other functions.

  The personal information processing unit 88 includes a control unit 100 that performs overall control of the personal information processing unit 88, a map file analysis unit 102 that analyzes the contents of a map file 60 described later, and analyzes the contents of the P3P policy file 43. Policy analysis unit 103, map file analysis unit 102, personal information control unit 101 that controls personal information by communicating with policy analysis unit 103, and input parameters that analyze parameters transmitted from client 7 through the Internet 3 Communication between the analysis unit 104, the input parameter processing unit 105 that performs processing related to encryption of input parameters, the HTTP server input / output unit 106 that performs input / output with the HTTP server 80, and the personal information access control unit 89 Access control unit input / output unit 107 for performing log information, which will be described later Log recording unit 108, and includes features such as.

  In the database server 10, the database 11, the personal information access control unit 89, and the like function. The database 11 has a function as a DBMS (Database Management System) and has various functions related to data operations such as a personal information registration function and a search function. The personal information access control unit 89 includes a control unit 110 that comprehensively controls the personal information access control unit 89, a map file analysis unit 111 that analyzes the map file, a policy analysis unit 112 that analyzes the P3P policy file 43, and will be described later. An access control policy file analysis unit 113 that analyzes the access control policy file 70, an access control unit 114 that performs access control by communicating with the map file analysis unit 102, the policy analysis unit 103, and the access control policy file analysis unit 113, an individual An encryption processing unit 115 that encrypts information, a decryption processing unit 116 that decrypts encrypted personal information, a personal information processing unit input / output unit 118 that communicates with the personal information processing unit 88, and a database input that communicates with the database 11. Output unit 119, log for recording log information to be described later Recording unit 121, and includes features such as.

  The map file referred to by the map file analysis unit 102 of the personal information processing unit 88 and the map file analysis unit 111 of the personal information access control unit 89 realizes notation of personal information in the P3P policy file and an HTML document or a Web application. Correspondence with the notation of personal information in the source code of the program is described. Note that the notation of personal information here is, for example, an attribute value notation corresponding to personal information if it is an HTML document or XML document, and if it is the source code of a program that implements a Web application, for example. Is a notation of a variable corresponding to. The map file is stored in the WWW server 1 and the database server 10 (map file storage unit). The map file is generated by a map file generation device 67 which is a computer (information processing device) in which an application for generating the map file is installed. For example, a computer having the configuration shown in FIG. 1B is used as the computer.

  FIG. 5 shows various functions of the map file generation device 67 realized by the CPU of the map file generation device 67 executing a program stored in the memory. In the map file generation device 67, a control unit 301 that performs overall control of the map file generation device 67, a user input / output unit that is a function of accepting input of information from a keyboard or a mouse or displaying information on a display 302, a map file processing unit 303 that performs processing related to generation of a map file, a P3P policy file processing unit 304 that performs processing related to a P3P policy file, and analysis and editing of source codes of the HTML document 25 and the Web applications 34, 92, and 93 A source code processing unit 306, a file input unit 307 that performs processing related to reading of an input file, a file generation unit 308 that performs processing related to generation of a map file, and the like.

  FIG. 6 shows a mechanism for generating the map file 60 by the map file generating device 67. The map file generating device 67 is provided with a P3P policy file 43, a file describing the HTML document 33 of the personal information input screen 20 (hereinafter referred to as “HTML file”), and a web application source code 66 as inputs. . In FIG. 6, the source code of the Web application “/ register” 34 that is a Web application that implements the personal information registration application 8 is given as the source code 66 of the Web application. The map file generating device 67 generates a map file 60 by performing interactive processing with the operator based on the given data.

  The map file 60 shown in FIG. 6 includes a mapinfo tag 61 that describes application information, a policy tag 62 that describes related P3P policy file information, and DATA tags 63, 64, and 65 that describe the correspondence of individual information. Is described. In FIG. 6, the DATA tag 63 describes “# user.name” described in the tag 46 corresponding to the name in the P3P policy file 43, and the name tag 27 in the HTML document 33 of the personal information input screen 20. The associated identification label “name” is associated. In addition, “# user.home-info.telecom.telephone” described in the tag 47 corresponding to the telephone number in the P3P policy file 43 and the name tag 29 in the HTML document 33 of the personal information input screen 20 are described. Is associated with the identification label “phone”. In addition, “# user.home-info.online.email” described in the tag 48 corresponding to the mail address in the P3P policy file 43 and the mail address tag 31 of the HTML document 33 on the personal information input screen 20 are described. Is associated with the identification label “email”.

  FIG. 7 is a flowchart for explaining processing relating to generation of a map file. First, the P3P policy file 43, the HTML document 25 of the personal information input screen 20, and the source code 66 of the Web applications 34, 92, 93 are input to the map file generating device 67 (step 260). Next, the P3P policy file 43 is analyzed by the P3P policy file processing unit 304, and the notation of the personal information described in the P3P policy file is acquired (step 261). Further, the HTML document 25 or the Web application source code 66 is analyzed by the map file processing unit 303, and the notation of the personal information included in the HTML document 25 or the Web application source code 66 is obtained (step 262).

  Next, the map file processing unit 303 compares the notation of the personal information read in step 261 with the notation of the personal information read in step 262, and makes a temporary association for similar items. For example, when similarity is recognized that one character string is included in the other character string, it is determined that both are notations corresponding to the same personal information, and the two are stored in association with each other (step 263). . For example, for “name”, which is the personal information notation in the HTML document 25, and “# user.name”, which is the personal information notation in the P3P file, the former character string is included in the latter character string. These are stored in association with each other as being similar.

  Next, the map file generation device 67 displays the generated temporary association on the display device and presents it to the operator. Further, the map file generation device 67 does not correspond to the personal information not supported temporarily among the personal information included in the source code of the HTML document 25 and the Web application 34, 92, 93. The information is displayed on the display device. FIG. 8 shows an example of a screen (hereinafter referred to as “map information correction screen”) displayed on the display device at this time. The personal information name is displayed in the personal information column 311 of the map information correction screen 310. In the personal information name column 312 of P3P, the description of the personal information included in the P3P policy file 43 in which the personal information 311 is temporarily associated is displayed. In the parameter column 313, the description of the personal information included in the source code of the HTML document 25 or the Web application 34, 92, 93 is displayed. When the displayed temporary correspondence needs to be corrected, the operator can correct the temporary correspondence by inputting correction information in the entry / correction column 314 as appropriate. The operator after correction clicks the confirmation button 320. When the confirmation button 320 is clicked, the map file processing unit 303 determines a temporary association according to the input correction information (step 265). The file output unit 308 generates and outputs the map file 60 describing the determined association (step 266).

  As described above, the map file generating device 67 automatically generates the P3P policy file 43, the HTML document 25, or the source code of the program that realizes the Web applications 34, 92, 93, which is given by input. Generate a map file. Therefore, the administrator or the like can easily generate the map file 60 using the map file generation device 67. The map file 60 may be recorded on a recording medium or supplied to the WWW server 1 or the database server 10 via a communication network.

  The access control policy file analyzed by the access control file analysis unit 113 of the personal information access control device 89 includes information specifying a Web application to be controlled with respect to the policy in the P3P policy file, an identifier of the P3P policy file, and permission information , Etc. are described files. The access control policy file is stored in the database server 10 (access control policy file storage unit).

  FIG. 9 shows various functions realized when the CPU of the access control policy file generation device 74 executes a program stored in the memory. In the access control policy file generation device 74, a control unit 351 that performs overall control of the access control policy file generation device 74, receives information input from an operator from a keyboard or mouse, and displays information to be presented to the operator on a display A user input / output unit 352 that is a display function, a P3P policy file processing unit 354 that performs processing related to a P3P policy file such as analysis of a P3P policy file, an access control unit 355 that performs processing of an access control policy file, an HTML document 25, A source code processing unit 356 that analyzes and edits the source code of a Web application, a file input unit 357 that performs processing related to reading of an input file, a file generation unit 358 that performs processing related to generation of an access control policy file, and the like. That. Note that the map file generating device 67 and the access control policy file generating device 74 may be realized using the same computer.

FIG. 10 illustrates a mechanism by which the access control policy file 70 is generated by the access control policy file generation device 74. In the access control policy file generation device 74, the P3P policy file 43, the map file 60 generated by the map file generation device 67, the purpose of clarification of the eight principles of OECD, the purpose of use of personal information, etc. are described. The rule file 76 and the web application source code 66 are given as inputs. FIG. 10 shows a case where the source code 66 of the Web application “/ viewer” 92, which is a Web application that implements the personal information registration application 8, is given as the source code 66 of the Web application. The rule file 76 is a file created in advance by an administrator or the like. The rule file 76 describes the purpose of use in the privacy policy corresponding to the purpose clarification principle among the eight principles of the OECD, and permission information for realizing access control according to this purpose of use.
The rule file 76 shown in FIG. 10 includes a PURPOSE tag 78 that describes the purpose of use of P3P and permission information 73. The rule file 76 shown in FIG. 10 expresses that the “sales department” allows reading personal information. Note that the rule file 76 is referred to in order to generate the access control policy file 70, but the final content is determined by the operator input 68. The access control policy file generation device 74 performs interactive processing with the operator based on the given data, and reads / writes personal information directly from the access control policy file 70 or the database server 10 via the personal information access control unit 89 without fail. A source code 75 modified to be generated is generated and output.

  FIG. 11 is a flowchart for explaining processing relating to generation of the access control policy file 70. First, the source code 66 of the Web application for accessing the personal information registered in the P11P policy file 43, the map file 60, the rule file 76, and the database 11 is given via the file input unit 307 (step 270). Then, the access target specifying unit 356 analyzes the given source code 66 and specifies personal information accessed by the Web application (step 271). Next, the privacy policy file processing unit 354 analyzes the P3P policy file 43 and reads the purpose of use for collecting the personal information obtained in step 271 from the P3P policy file (step 272). The access control unit 355 analyzes the rule file 76, and acquires permission information corresponding to the purpose of use acquired by the privacy policy file processing unit 354 (step 273). Then, the access control unit 355 creates a temporary access control policy based on the information acquired as described above (step 274). The contents of the created temporary access control policy are displayed on the display device by the user input / output unit 302 (step 275).

  FIG. 12 shows a screen (hereinafter referred to as “access control information correction screen”) displayed on the display device at this time. In the program name column 331 of the access control information correction screen 330, the identifier of the Web application is described. The P3P usage purpose column 332 describes the content of the usage purpose acquired from the rule file 76. The subject name and group name column 333 of the access control information correction screen 330 describes the subject name and group name, which are information obtained from the rule file 76 and specify the subject who accesses the personal information. The action column 334 describes actions that can be executed (for example, reading or writing of personal information). When the temporary access control policy needs to be corrected, the operator inputs the correction information in the entry / correction column 314 of the access control information correction screen 330. When the operator clicks the confirmation button 337, the access control unit 355 confirms the temporary association according to the modification information input on the access control policy modification screen 330 (step 276), and the access control policy describing the confirmed association. A file 70 is generated (step 277). On the other hand, the source code correction unit 359 generates source code that is corrected so that the Web application always accesses the database 11 via the personal information access control unit 89 (step 278). The file generation unit 358 outputs the access control policy file 70 describing the determined access control policy and the corrected source code from the file output unit 308 (step 279). These may be recorded on a recording medium or supplied to the database server 10 via a communication network.

  According to the access control policy file generation device 74 described above, the access control policy file 70 is automatically generated by providing as input the P3P policy file, the source code of the program that implements the Web application, the map file, and the rule file. Can be generated automatically. As a result, the administrator or the like can easily generate the access control policy file 70.

=== Processing when an HTTP request is received ===
When the personal information registration application 8 or the personal information browsing application 9 is used, an HTTP request in which personal information is appropriately described is transmitted from the client 2 to the WWW server 1 via the Internet 3. Here, processing performed in the WWW server 1 and the database server 10 when an HTTP request is transmitted will be described.

  FIG. 13 is a flowchart for explaining the above process. The HTTP request transmitted from the client 2 is received by the HTTP server 80 of the WWW server 1. The HTTP server 80 notifies the received HTTP request to the input / output unit 106 of the personal information processing unit 88 with the HTTP server 80. Next, the input parameter analysis unit 104 of the personal information processing unit 88 starts analyzing the notified HTTP request. Further, the map file analysis unit 102 starts analysis of the map file 60 stored in the WWW server 1, and the policy analysis unit 103 starts analysis of the P3P policy file 43 (step 201). Here, in the above analysis, the map file analysis unit 102 determines whether or not the value set in the “target” of the mapinfo tag 61 of the map file 60 matches the identifier of the Web application set as the transmission destination of the HTTP request. Is determined (step 202). If they do not match (step 202: NO), the work content is recorded in the log file as log information to be described later by the log recording unit 108 (step 211), and control is returned to the HTTP server 80 (step 212).

  If the value set in “target” of the mapinfo tag 61 of the map file 60 matches the transmission destination of the HTTP request in step 202 (step 202: YES), the personal information control unit 101 determines that the map file 60 The personal information notation in the P3P policy file 43 corresponding to the personal information notation set in the HTTP request is acquired. Then, the personal information control unit 101 determines whether or not the personal information in the P3P policy file 43 is subject to policy control based on the notation of the personal information in the P3P policy file 43 (step 203). If it is determined that it is not a control target (step 203: NO), the work content is recorded in the log file as log information described later by the log recording unit 108 (step 211), and the HTTP server 80 is controlled. Is returned (step 212).

  On the other hand, if it is determined in step 203 that the personal information is subject to privacy protection (step 203: YES), the personal information processing unit 88 requests the personal information access control unit 89 to encrypt the personal information (step 203). 204). The personal information access control unit 89 requested to encrypt the personal information is encrypted by the encryption processing unit 115. The encrypted personal information is registered in the database 11 by the database input / output unit 119 and notified to the personal information processing unit 88 through the personal information processing unit input / output unit 118 (step 205). The personal information processing unit 88 notifies the encrypted personal information to the HTTP server 80 (step 206). The work content is recorded in the log file as log information described later by the log recording unit 108 (step 207), and control is returned to the HTTP server 80 (step 208). When the encrypted personal information is notified, the HTTP server 80 notifies the Web application in place of the original personal information set in the HTTP request (step 209).

  FIG. 14 shows the process of encrypting personal information performed by the personal information access control unit 89 in response to a request from the personal information processing unit 88 in the process of step 204 of FIG. 13 and the encrypted personal information database 11. It is a flowchart explaining the process regarding registration. When receiving a request from the personal information processing unit 88, the personal information access control unit 89 acquires personal information from the personal information processing device input / output unit 118 (step 220). Next, the personal information access control unit 89 encrypts the acquired personal information using the key information 117 stored in the database server 11 (step 221). The encrypted personal information is registered in the database 11 by the database input / output unit 119 (step 222). The encrypted personal information is passed to the personal information processing unit 88 via the personal information processing device input / output unit 118 (step 223). The fact that the personal information is registered in the database 11 is recorded in the log file as log information by the log recording unit 121 (step 224).

  As described above, when the personal information described in the HTTP request is subject to policy control in the P3P policy file, the content of the personal information described in the HTTP request is encrypted. The web application is notified from the HTTP server 80. As a result, the personal information can be safely protected from unauthorized access on the route through which the content of the personal information is notified from the HTTP server 80 to the Web application, and the security performance can be improved.

=== Access control ===
When the personal information registration application 8 or the personal information browsing application 9 is used, an access request for the database 11 is generated from the Web applications 34, 92, 93. When an access request for the database 11 is generated from the Web application 34, 92, 93, the personal information access control unit 89 performs access control according to the policy for the access request. Hereinafter, the processing related to the access control will be described with reference to the flowchart shown in FIG. In the following description, it is assumed that the program realizing the Web applications 34, 92, and 93 has been rewritten by the access control policy file generation device 74 described above. Therefore, it is assumed that the Web application 34, 92, 93 accesses the database 11 through the personal information access controller 89.

  The monitor unit 120 monitors in real time whether an access request for the database 11 is generated from the Web application 34, 92, 93. When the monitor unit 120 detects that an access request for the database 11 is generated from the Web application 34, 92, 93 (step 240), the monitor unit 120 acquires the identifier of the Web application and personal information to be requested to the database 11 (step 240). 241).

  Next, the monitor unit 120 notifies the access control unit 114 of the personal information access control unit 89 of a request for determining whether to permit the access request. Upon receiving this notification, the access control unit 114 starts determining whether access is possible (step 242). First, the personal information access control unit 89 converts the notation of requested personal information into the notation of personal information in the P3P policy file 43 by referring to the map file 60. Next, the personal information access control unit 89 checks whether or not the personal information is a control target in the P3P policy file 43 using the converted personal information notation, and if it is a control target, further access control is performed. Access permission is determined by referring to the permission tag 73 of the policy file 70.

  If it is determined in step 242 that access is denied (step 242: NO), the log recording unit 121 indicates that the access request has been made, and log information indicating that the access request has been denied. Is recorded in the log file (step 250). In addition, the access control unit 114 notifies the monitor unit 120 to that effect. Upon receiving this notification, the monitor unit 120 notifies the Web applications 34, 92, and 93 that access has been denied for the above access (step 251).

  If it is determined in step 242 that access is permitted (step 242: YES), then the personal information access control unit 89 determines whether the access is related to reading of personal information or It is determined whether the access is related to writing of personal information (step 243).

  If it is determined in step 243 that the access is related to reading of personal information (step 243: YES), the personal information access control unit 89 acquires the personal information to be read from the database server 10 (step 243). 244), the obtained personal information is decrypted by the decryption processing unit 116 (step 245). Key information 117 is used for decryption. The decrypted personal information is notified from the personal information access control unit 89 to the monitor unit 120, and further notified from the monitor unit 120 to the Web applications 34, 92, and 93 (step 246) and controlled by the Web applications 34, 92, and 93. Is returned (step 247). Note that the log recording unit 121 records the above access fact as log information in a log file (step 248).

  If it is determined in step 243 that the access is related to writing of personal information (step 243: NO), the personal information access control unit 89 encrypts the personal information by the encryption processing unit 115 (step 249), The registered personal information is registered in the database 11 (step 250). The personal information access control device 89 notifies the Web application of the completion of processing via the monitor unit 120, and returns control to the Web applications 34, 92, and 93 (step 251). The log recording unit 121 records the above access facts in a log (step 252).

  By the way, in a WWW server that provides a service that handles personal information on the Internet or the like, the designer uses notation of personal information in a source code of a program that realizes an HTML document or a Web application for generating a screen that handles personal information. And programmers can decide freely. For this reason, unification of notation of personal information is not necessarily achieved between HTML documents and source codes. Also, for example, in the HTML document, the item “name” is described as “name”, while the same item is described as “user.name” in the P3P policy file. And notation of personal information in the P3P policy file are often not unified. For this reason, the following problem has arisen when trying to control the policy of the P3P policy file in the WWW server. In other words, for example, personal information acquired or provided using a screen generated by an HTML document or a Web application that attempts to access a database attached to a WWW server is used to control a policy described in a P3P policy file. When trying to do so, it is determined whether the personal information acquired or provided using the above screen or the personal information included in the access request to the database is a control target in the P3P policy file. It is necessary, but in this case, the two notations could not be easily matched.

  In the personal information utilization system described above, the map file 60 is stored in the WWW server 1 or the database server 10 in advance, and the notation of the personal information in the P3P polyfile corresponding to the notation of the personal information described in the HTTP request. Is obtained by referring to the map file 60. Then, by comparing the acquired notation of the personal information with the P3P policy file 43, it is determined whether or not the personal information is subject to policy control in the P3P policy file 43. By storing the map file 60 created in advance in this way, it is acquired using a screen generated by the HTML document without any changes to the HTML document or Web application described by the designer or programmer. Alternatively, it is possible to appropriately and automatically perform control related to policies according to the P3P policy file for personal information to be provided, and policy related to policies described in the P3P policy file for Web applications attempting to access the database. It becomes.

  Conventionally, in order to control access to a database in accordance with the purpose of use of personal information, a program in which a system administrator or the like describes information related to access control to a database corresponding to the purpose of use. It was necessary to create data, and in this case, information related to access control had to be described so as not to contradict the purpose of use. Also, when multiple databases with different specifications are attached to the WWW server, the above programs and data must be created for each database, and information related to access control is described so as not to contradict the purpose of use. It took a lot of effort.

  In the personal information utilization system described above, the WWW server 1 previously generates and stores an access control policy file generated based on a rule file in which the purpose of use of personal information is described, and notifies an access request. It is determined by referring to the access control policy file whether the Web application is a policy control target. For this reason, even if a plurality of databases having different specifications exist, access control can be appropriately and automatically performed for access performed from the Web application to the database only by referring to only the access control policy file. it can. Further, when performing such access control, the administrator or the like does not need to be familiar with the specifications of each database, and can easily set access control suitable for the purpose of use of the privacy policy.

=== Log file ===
FIG. 16 shows an example of log information recorded in the log file by the log recording unit 108 of the personal information processing unit 88 or the log recording unit 121 of the personal information access control unit 89.

  The log information 131 is log information recorded regarding the process of accessing the personal information registration application 8 from a user operating the client 7 connected to the Internet 3 and registering the personal information. The log information 131 includes date and time 1311 when the log information was recorded, name information 1312 and telephone number information 1313 and mail address information 1314 which are personal information registered in the processing, and content 1315 of processing performed by the Web application. , The identifier 1316 of the Web application that performed the process, and the file name 1317 of the P3P policy file applied in the process.

  The log information 132 is log information corresponding to processing performed when a user of an organization who operates the internal client 7 connected to the internal network 13 accesses the personal information browsing application 9. The log information 132 includes date and time 1321 when the log information was recorded, name information 1322, telephone number information 1323 and mail address information 1324, which are personal information browsed in the process, content 1325 of access control processing, It includes the identifier 1326 of the Web application that performed the process, the file name 1327 of the P3P policy file applied in the process, the user account 1328 of the user of the personal information browsing application 9 in the process and the department 1329 to which it belongs. The log information 132 is generated based on the P3P policy file 43, the map file 60, and the access control policy file 70 so that the content 1325 of the process related to access control is “permitted to browse”. This corresponds to the case where access is permitted in the verification by the file 70, and indicates that the processing was performed in accordance with the purpose of use described in the P3P policy file 43 described in the P3P file name 142. ing.

  Similarly to the log information 132, the log information 133 is log information corresponding to processing performed when a user in the organization accesses the personal information browsing application 9. The log information 133 corresponds to a case where access is denied in the verification by the access control policy file 70 so that the content 1335 of the process related to access control is “browse denied”. In other words, the log information 133 indicates that the processing is a use that does not conform to the purpose of the P3P policy file 43 described in the P3P file name 1337.

  By referring to such log information, the administrator or the like can grasp surely and in detail whether or not each access to the Web application performed by the user is performed in accordance with the purpose of use of the P3P policy file. it can. For this reason, the administrator or the like can use the log information as audit data for checking whether or not the access control for the personal information is appropriately performed according to the P3P policy file.

  Conventionally, when log information output from a DBMS that manages a database for managing personal information is used as an audit material, log information written by a person familiar with the DBMS in a description format unique to the DBMS. It was necessary to analyze. Especially when multiple types of databases with different specifications are implemented, it is necessary to analyze log information by those who are familiar with the specifications of each database. Also, it has been a great effort to determine whether each piece of log information in different description formats is suitable for the purpose of use of the P3P policy file.

  In the personal information utilization system, the log information is created regardless of the specifications of the database in which the personal information is stored. The description format is also independent of the database. For this reason, even if it is not a person familiar with handling of each database, it is possible to analyze log information, and this solves said problem.

  The above description of the embodiment is for facilitating understanding of the present invention, and does not limit the present invention. It goes without saying that the present invention can be changed and improved without departing from the gist thereof, and that the present invention includes equivalents thereof.

It is a figure which shows the structure of the personal information utilization system demonstrated as one Embodiment of this invention. It is a figure which shows an example of a structure of the computer used as hardware of the WWW server 1, the database server 10, the client 2, and the internal client 7 demonstrated as one Embodiment of this invention. It is a figure which shows the mechanism regarding the registration to the database 11 of the personal information performed via the personal information input screen 20 demonstrated as one Embodiment of this invention. It is a figure explaining the mechanism in which the privacy policy screen 40 demonstrated as one Embodiment of this invention is displayed. It is a figure which shows the various functions implement | achieved in the WWW server 1 and the database server 10 demonstrated as one Embodiment of this invention. It is a figure which shows the various functions of the map file generation apparatus 67 implement | achieved when the CPU of the map file generation apparatus 67 demonstrated as one Embodiment of this invention runs the program memorize | stored in memory. It is a figure which shows the structure in which the map file 60 is produced | generated by the map file production | generation apparatus 67 demonstrated as one Embodiment of this invention. It is a figure which shows the flowchart explaining the process regarding the production | generation of a map file demonstrated as one Embodiment of this invention. It is a figure which shows an example of the map information correction screen 310 demonstrated as one Embodiment of this invention. The figure which shows various functions of the access control policy file generation apparatus 74 implement | achieved when CPU of the access control policy file generation apparatus 74 demonstrated as one Embodiment of this invention runs the program memorize | stored in memory. is there. It is a figure explaining the mechanism in which the access control policy file 70 is produced | generated by the access control policy file production | generation apparatus 74 demonstrated as one Embodiment of this invention. It is a figure which shows the flowchart explaining the process regarding the production | generation of the access control policy file 70 demonstrated as one Embodiment of this invention. It is a figure which shows an example of the access control policy correction screen 330 demonstrated as one Embodiment of this invention. It is a figure which shows the flowchart explaining the process performed in the WWW server 1 and the database server 10, when an HTTP request is transmitted as an embodiment of the present invention. The personal information encryption processing performed by the personal information access control unit 89 in response to a request from the personal information processing unit 88 in the processing of step 204 in FIG. It is a figure which shows the flowchart explaining the process regarding registration to the database of personal information. It is a figure which shows the flowchart explaining the process regarding access control demonstrated as one Embodiment of this invention. It is a figure which shows an example of the log information recorded on a log file demonstrated as one Embodiment of this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 WWW server 2 Client 3 Internet 4 Browser 10 Database server 11 Database 13 Internal network 20 Personal information input screen 25 HTML document 34, 92, 93 Web application 40 Privacy policy 43 P3P policy file 60 Map file 67 Map file generation device 70 Access control Policy file 74 Access control policy file generation device 76 Rule file 80 HTTP server 88 Personal information processing unit 89 Personal information access control unit 120 Monitor unit 130 Log file 160 Information processing device

Claims (11)

CPU, memory,
The CPU is implemented by executing a program stored in the memory.
Web application, HTTP server, personal information processing unit, personal information access control unit,
A privacy policy file, a map file in which correspondence between the notation of personal information in the privacy policy file and the notation of personal information in the source code of the program realizing the HTML document or the Web application is stored;
The personal information processing unit obtains the description of the personal information in the privacy policy file corresponding to the description of the personal information of the HTML document described in the HTTP request received by the HTTP server by referring to the map file. And
Whether the personal information processing unit compares the notation of the acquired personal information with the privacy policy file, so that the personal information described in the HTML document is a target of policy control in the privacy policy file. Determine whether
The personal information processing unit, when it is determined that the personal information described in the HTTP request is subject to policy control in the privacy policy file, the personal information described in the HTTP request To the personal information access control unit,
The personal information access control unit encrypts the personal information described in the HTTP request and notifies the personal information processing unit;
The personal information processing unit notifies the HTTP server of the encrypted personal information,
The HTTP server notifies the Web application of the encrypted personal information;
Personal information utilization system characterized by CPU, memory,
A web application, an HTTP server, a personal information processing unit, a personal information access control unit, a database, which is realized by the CPU executing a program stored in the memory;
In a privacy policy file, a map file in which the correspondence between the notation of personal information in the privacy policy file and the notation of personal information in the source code of the program that implements the HTML document or the Web application is described, and in the privacy policy file Storing information for specifying a Web application to be controlled regarding a policy, an access control policy file in which an identifier and permission information of the privacy policy file are described,
The Web application notifies the personal information access control unit of an access request for personal information,
The personal information access control unit displays the notation of the personal information in the privacy policy file corresponding to the notation of the personal information that is the target of the access request, the map file, the privacy policy file, and the access control. Obtained by referring to the policy file,
The personal information access control unit compares the notation of the acquired personal information with the privacy policy file, so that the personal information that is the target of the access request is a target of policy control in the privacy policy file. To determine whether
If the personal information access control unit determines that the personal information subject to the access request is subject to policy control in the privacy policy file, the personal information access control unit further notifies the access request. Determining whether the Web application is subject to policy control by referring to the access control policy file;
The personal information access control unit processes the access request according to the control when determining that the Web application that has notified the access request is a policy control target in the access control policy file. about,
Personal information utilization system characterized by The personal information utilization system according to claim 2,
The access request for the personal information is a request for reading personal information from the database,
The processing for the access request performed by the personal information access control unit according to the control of the policy is processing for reading personal information from the database, decrypting the personal information, and notifying the Web application of the decrypted personal information. ,
Personal information utilization system characterized by The personal information utilization system according to claim 2,
The access request for the personal information is a request for writing the personal information to the database,
The process for the access request performed by the personal information access control unit according to the control of the policy is a process of encrypting the personal information to be written and writing it in the database.
Personal information utilization system characterized by The personal information utilization system according to claim 1,
The personal information processing unit generates log information indicating a result of the determination when determining whether the personal information described in the HTTP request is a target of control related to a policy, and stores the log information Having a recording unit,
Personal information utilization system characterized by The personal information utilization system according to any one of claims 2 to 4,
A log recording unit for generating and storing log information indicating a result of the determination when determining whether the Web application that has transmitted the access request is a policy-related control target in the access control policy file; Preparing,
Personal information utilization system characterized by CPU, memory,
The CPU is implemented by executing a program stored in the memory.
Web application, HTTP server, personal information processing unit, personal information access control unit,
A privacy policy file, and a map file in which the correspondence between the notation of personal information in the privacy policy file and the notation of personal information in the source code of the program realizing the HTML document or the Web application is stored A method for controlling a personal information utilization system,
The personal information processing unit obtains the description of the personal information in the privacy policy file corresponding to the description of the personal information of the HTML document described in the HTTP request received by the HTTP server by referring to the map file. And
Whether the personal information processing unit compares the notation of the acquired personal information with the privacy policy file, so that the personal information described in the HTML document is a target of policy control in the privacy policy file. Determine whether
The personal information processing unit, when it is determined that the personal information described in the HTTP request is a target of policy control in the privacy policy file, the personal information described in the HTTP request. To the personal information access control unit,
The personal information access control unit encrypts the personal information described in the HTTP request and notifies the personal information processing unit;
The personal information processing unit notifies the HTTP server of the encrypted personal information,
The HTTP server notifies the Web application of the encrypted personal information;
A control method of a personal information utilization system characterized by the above. CPU, memory,
A web application, an HTTP server, a personal information processing unit, a personal information access control unit, a database, which is realized by the CPU executing a program stored in the memory;
In a privacy policy file, a map file in which the correspondence between the notation of personal information in the privacy policy file and the notation of personal information in the source code of the program that implements the HTML document or the Web application is described, and in the privacy policy file A control method for a personal information utilization system storing information for specifying a Web application to be controlled with respect to a policy and an access control policy file in which an identifier and permission information of the privacy policy file are described.
The Web application notifies the personal information access control unit of an access request for personal information,
The personal information access control unit displays the notation of the personal information in the privacy policy file corresponding to the notation of the personal information that is the target of the access request, the map file, the privacy policy file, and the access control. Obtained by referring to the policy file,
The personal information access control unit compares the notation of the acquired personal information with the privacy policy file, so that the personal information that is the target of the access request is a target of policy control in the privacy policy file. To determine whether
If the personal information access control unit determines that the personal information subject to the access request is subject to policy control in the privacy policy file, the personal information access control unit further notifies the access request. Determining whether the Web application is subject to policy control by referring to the access control policy file;
The personal information access control unit processes the access request according to the control when determining that the Web application that has notified the access request is a policy control target in the access control policy file. about,
A control method of a personal information utilization system characterized by the above. An apparatus for generating the map file according to claim 1 or 2,
CPU, memory, display device,
A P3P policy file in which a privacy policy relating to personal information is described, and an input interface for receiving input of an HTML document for generating a screen that handles personal information or a source code of a program that implements a Web application,
Similarity between notation of personal information in the privacy policy file and notation of personal information described in the HTML document or the source code realized by the CPU executing a program stored in the memory The temporary correspondence between the two is performed based on the degree, the temporary correspondence is displayed on the display device, the data for correcting the temporary correspondence is received, and the temporary correspondence is received based on the received data. A map file processing unit that generates a map file by correcting the correspondence;
A map file generation device comprising: An apparatus for generating the access control policy file according to claim 2,
CPU, memory, display device,
A privacy policy file, a source code of a program that implements a Web application, a map file that describes the correspondence between the notation of personal information in the privacy policy file and the notation of personal information described in the source code, An input interface for receiving input of a rule file in which purpose of use and permission information are described;
Have
The CPU is implemented by executing a program stored in the memory.
An access target identifying unit that identifies personal information accessed by the Web application by analyzing the source code;
A privacy policy file processing unit for acquiring information indicating a purpose of use related to the collection of the personal information specified by the access target specifying unit based on the privacy policy file;
A temporary information in which permission information corresponding to the usage purpose acquired by the usage purpose acquisition unit is acquired from the rule file, and information for specifying the Web application, an identifier of the privacy policy file, and the permission information is described. An access control policy file is generated and displayed, data for correcting the temporary access control policy file is received, and the temporary access control policy file is corrected based on the received data. Access control unit to generate,
An access control policy file generation device characterized by comprising: The access control policy file generation device according to claim 10,
A source code correction unit that corrects a source code of a program that realizes the Web application so as to be accessed via the personal information access control unit when the Web application accesses a database;
An access control policy file generation device characterized by comprising:

Images