JP2015125646A - Anonymization system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a technique for request of access permission based on a number of occurrence of a term forming anonymous information, setting the access permission automatically and managing proper access.SOLUTION: Anonymization target data is acquired, and plural terms forming the target data are abstracted for making abstraction candidate data. In a condition that combination of values of items of the abstraction candidate data is not limited to an individual person of the target person, the abstraction candidate data satisfying the condition for search is selected as anonymization information, and the number of occurrence of terms forming the anonymization information is determined. Based on the number of occurrence of the anonymization information, access permission of the anonymization information is decided. When access request from a user terminal to the anonymization information is received, the access permission of the user and access permission of the anonymization information are compared, and then access by the user having access permission to the anonymization information, is permitted.

Description

  The present invention relates to a technique for using personal information by making it anonymous or diversified.

  With the development of information processing technology, information is collected in many everyday situations, and processing using the collected information is performed. For example, when a consumer purchases a product as a member of a store, the consumer's name, age, gender, address, e-mail address, etc. are often registered at the time of membership registration. When a consumer purchases a product, the store-side system records the consumer and the purchased product information in association with each other. By accumulating and analyzing information on purchased products in this way, it is possible to estimate the consumer's preferences and perform a service such as sending a direct mail when a new product preferred by the consumer is released. it can. Furthermore, by analyzing information of many consumers, information such as products preferred by women in their 20s and products preferred in the Kanto area can be derived and used for marketing and the like.

  Such information has high utility value not only for the store but also for the manufacturer of the product and other companies, and there has been a demand to use it for recommendations such as advertisements and coupons.

  However, the consumer's personal information in the store cannot be provided to others without obtaining the consent of each consumer. For this reason, when providing information related to the consumer to others, it is necessary to anonymize so that individuals cannot be identified.

  Some conventional anonymization methods perform anonymization by deleting information that directly identifies an individual such as a name and a telephone number, but this alone may not be sufficient. For example, if there is only one person 25 years old in the member list in which the age is described, the person can be identified when he / she knows that the 25-year-old acquaintance is the member. That is, if there is only one person with the attribute of a 25-year-old member, there is a high possibility that an individual can be indirectly identified by comparing with other information.

  Therefore, if the age description in the member list is abstracted into 10-year breaks, and there are multiple people with the same attribute, such as three in their 20s, who of the three is identified become unable. As described above, when providing personal information to other business operators, it is desired that anonymization is sufficiently performed so that an individual cannot be identified indirectly, as well as an individual cannot be identified directly.

  Also, depending on the importance of anonymous information, etc., set the rank of authority that can access anonymous information, and for those who have authority over this rank, allow access to anonymous information, and authority over this rank Access management may be performed so that no one is allowed access to anonymous information.

JP 2003-196391 A JP 2003-233551A Japanese Patent Laid-Open No. 2005-100408 JP 2004-086383 A JP 2005-346248 A

  If the value of each item is excessively abstracted in order to perform sufficient anonymization, even if the anonymity is satisfied, there may be data having no utility value. For example, when data is used to know the trend of fashion, the age item is important, and if the age item is excessively abstracted for anonymization, the use value as fashion marketing data is lost. In addition, in order to satisfy anonymity, as a result of separating and abstracting age items so that there are multiple people with the same attribute, for example, when a group is created with a break such as 17 to 22 years old Since the same group is mixed with adults and minors, high school students and working adults are mixed, information on people with very different tastes and lifestyles is mixed, and the use value as statistical information and marketing information Will disappear.

  Therefore, the applicant creates a plurality of abstraction candidates, obtains the value of each abstraction candidate, and selects a high-value abstraction candidate as anonymous information, so that anonymous information with high utility value is automatically obtained. We propose an anonymization system that can be obtained.

  On the other hand, in order to perform access management, the administrator determines the rank of the access authority of the user in advance according to the affiliation, position, contract, etc. of each user. Also, the rank of the access authority for anonymous information is determined by the administrator according to the genre, importance, and level of abstraction of the anonymous information.

  Thus, the setting of access rights is a high-load process that requires manpower. Therefore, in the anonymization system in which anonymous information having high utility value is automatically obtained as described above, even if a plurality of anonymous information is automatically obtained, the level of access authority is manually set for each anonymous information. If it has been decided, anonymous information cannot be provided smoothly.

  In particular, when generating a large amount of anonymous information by changing the degree of abstraction and the items to be abstracted so that anonymous information with high utility value can be provided for various users, the accelerator authority of each anonymous information Since it is not practical to set the level manually, it was not possible to access and manage various types of anonymous information specialized for the needs of various users.

  Therefore, the present invention provides a technique for obtaining access authority based on the number of occurrences of words constituting anonymous information, and automatically setting access authority and appropriately managing access.

In order to solve the above problems, the authority setting device of the present invention is
An anonymous information acquisition unit for acquiring anonymous information;
An appearance number obtaining unit for obtaining the number of appearances of words constituting the anonymous information;
An authority determining unit that determines an access authority for the anonymous information based on the number of appearances of the anonymous information.

  The authority setting device has the minimum number of appearances of the words constituting the anonymous information as the minimum number of appearances, and the ratio of the minimum number of appearances to the total number of words constituting the anonymous information as the minimum appearance rate, The authority determining unit may determine the access authority for the anonymous information based on the minimum appearance rate.

  The authority setting device refers to an authority storage unit that associates and stores a minimum appearance rate of the anonymous information and the access authority, and the authority determining unit determines the access authority based on the number of appearances of the anonymous information. You may do it.

  In the authority setting device, the authority determining unit may determine the rank of the access authority according to a minimum appearance rate of the anonymous information.

Moreover, in order to solve the said subject, the anonymization apparatus of this invention is
A data acquisition unit for acquiring anonymization target data;
An abstraction unit that abstracts at least one of a plurality of words constituting the target data to be abstraction candidate data;
A test unit for testing on condition that the combination of the values of the items of the extraction candidate data is not limited to one individual of the target data;
A selection unit that selects the abstraction candidate data satisfying the test condition as anonymous information;
An appearance number obtaining unit for obtaining the number of appearances of words constituting the anonymous information;
An authority determining unit that determines an access authority for the anonymous information based on the number of appearances of the anonymous information.

  The anonymization device, the number of appearances of the words constituting the anonymous information is the minimum number of appearances, the ratio of the minimum number of appearances to the total number of words constituting the anonymous information is the minimum appearance rate, The authority determining unit may determine the access authority for the anonymous information based on the minimum appearance rate.

  The anonymization device refers to an authority storage unit that associates and stores a minimum appearance rate of the anonymous information and the access authority, and the authority determination unit determines the access authority based on the number of appearances of the anonymous information. You may do it.

  In the anonymization device, the authority determining unit may determine the rank of the access authority according to a minimum appearance rate of the anonymous information.

Moreover, in order to solve the said subject, the anonymization system of this invention is
A data acquisition unit for acquiring anonymization target data;
An abstraction unit that abstracts at least one of a plurality of words constituting the target data to be abstraction candidate data;
A test unit for testing on condition that the combination of the values of the items of the extraction candidate data is not limited to one individual of the target data;
A selection unit that selects the abstraction candidate data satisfying the test condition as anonymous information;
An appearance number obtaining unit for obtaining the number of appearances of words constituting the anonymous information;
An authority determining unit that determines the access authority of the anonymous information based on the number of appearances of the anonymous information;
When an access request to the anonymous information is received from the user's terminal, the access authority of the user is compared with the access authority of the anonymous information, and the access authority of the user is necessary for accessing the anonymous information. And an access control unit that permits access to anonymous information of the anonymous level corresponding to the level,
Is provided.

  The anonymization system is defined as the minimum number of appearances of the words constituting the anonymous information, the minimum number of appearances, and the ratio of the minimum number of appearances to the total number of words constituting the anonymous information as the minimum appearance rate, The authority determining unit may determine the access authority for the anonymous information based on the minimum appearance rate.

  The anonymization system refers to an authority storage unit that associates and stores a minimum appearance rate of the anonymous information and the access authority, and the authority determination unit determines the access authority based on the number of appearances of the anonymous information. You may do it.

  In the anonymization system, the authority determining unit may determine the rank of the access authority according to a minimum appearance rate of the anonymous information.

In addition, in order to solve the above problem, the authority setting method of the present invention includes:
Obtaining anonymous information;
Determining the number of occurrences of words constituting the anonymous information;
The computer executes a step of determining an access authority for the anonymous information based on the number of appearances of the anonymous information.

  In the authority setting method, the computer sets the minimum number of appearances of the words constituting the anonymous information as the minimum number of appearances, and minimizes the ratio of the minimum number of appearances to the total number of words constituting the anonymous information. The access rate for the anonymous information may be determined based on the minimum appearance rate.

  In the authority setting method, the computer determines the access authority based on the number of appearances of the anonymous information with reference to an authority storage unit that stores the minimum appearance rate of the anonymous information and the access authority in association with each other. May be.

  In the authority setting method, the computer may determine the rank of the access authority according to a minimum appearance rate of the anonymous information.

  Further, the present invention may be an authority setting program for causing a computer to execute the authority setting method. Further, the authority setting program may be recorded on a computer-readable storage medium.

  Here, the computer-readable storage medium refers to a storage medium that stores information such as data and programs by electrical, magnetic, optical, mechanical, or chemical action and can be read from the computer. . Examples of such storage media that can be removed from the computer include a flexible disk, a magneto-optical disk, a CD-ROM, a CD-R / W, a DVD, a DAT, an 8 mm tape, and a memory card. Further, there are a hard disk, a ROM (read only memory) and the like as a storage medium fixed to the computer.

  INDUSTRIAL APPLICABILITY The present invention can provide a technique for obtaining access authority based on the number of appearances of words constituting anonymous information, automatically setting access authority, and appropriately managing access.

FIG. 1 is an explanatory diagram of anonymization. FIG. 2 is an explanatory diagram of diversification. FIG. 3 is a functional block diagram of the anonymization system. FIG. 4 is a diagram illustrating an example of the personal information DB. FIG. 5 is a diagram illustrating an example of anonymous information stored in the anonymous information DB. FIG. 6 is a diagram illustrating an example of information for managing access to anonymous information. FIG. 7 is a diagram illustrating a hardware configuration of the anonymization device. FIG. 8 is a diagram illustrating a hardware configuration of the management server. FIG. 9 is a diagram illustrating an example of user management information stored in the user management DB. FIG. 10 is an explanatory diagram showing an outline of the anonymization method executed by the anonymization device according to the program. FIG. 11 is a diagram illustrating anonymization processing. FIG. 12 is an explanatory diagram of a dictionary used for anonymization. FIG. 13 is an explanatory diagram of a dictionary used for anonymization. FIG. 14 is an explanatory diagram of a dictionary used for anonymization. FIG. 15 is an explanatory diagram of abstraction candidate data. FIG. 16 is a diagram illustrating an example of a part of the age item in the target data. FIG. 17 is a diagram illustrating an example of value data acquired for age. FIG. 18 is a diagram showing the value of the age item. FIG. 19 is a diagram illustrating the value of the age item. FIG. 20 is a diagram illustrating an example of a part of the age item in the abstraction candidate data. FIG. 21 is a diagram illustrating an example of value data of each word acquired for the age. FIG. 22 is a diagram showing the value of the item of the age. FIG. 23 is a diagram illustrating the value of the age item. FIG. 24 is a diagram illustrating processing in which the anonymization device confirms the disclosure condition of anonymous information. FIG. 25A is a diagram illustrating an example of the authority setting DB. FIG. 25B is a diagram illustrating an example of the authority setting DB. FIG. 26 is a diagram illustrating an example of the disclosure condition DB. FIG. 27 is a diagram illustrating a specific example of processing for setting access authority. FIG. 28 is an explanatory diagram of an access management method by the management server. FIG. 29 is a functional block diagram of the anonymization system. FIG. 30 is a diagram illustrating an example of the dictionary DB. FIG. 31 is a diagram illustrating an example of the priority DB. FIG. 32 is a diagram illustrating an example of a common DB. FIG. 33 is a diagram illustrating an example of the personal information DB. FIG. 34 is a diagram illustrating an example of anonymous information stored in the anonymous information DB. FIG. 35 is a diagram illustrating an example of information for managing access to anonymous information. FIG. 36 is a diagram illustrating a hardware configuration of the management server 20. FIG. 37 is a diagram illustrating a hardware configuration of the anonymization device 10. FIG. 38 is an explanatory diagram of processing in which the management server 20 creates an integrated anonymization dictionary. FIG. 39 is an explanatory diagram of processing for integrating anonymization dictionaries. FIG. 40 is an explanatory diagram of each dimension created by the processing of FIG. FIG. 41 is an explanatory diagram of a plurality of dimensions. FIG. 42 is a diagram showing an example in which each word included in the dimension shown in FIG. 13 is weighted. FIG. 43 is an explanatory diagram of a process for calculating the priority of each dimension by adding up the weights of the respective words. FIG. 44 is a diagram illustrating an example of anonymization in Company A. FIG. 45 is a diagram illustrating an example of anonymization in the B company.

  Hereinafter, embodiments for carrying out the present invention will be described with reference to the drawings. The configuration of the following embodiment is an exemplification, and the present invention is not limited to the configuration of the embodiment.

<Embodiment 1>
§1. Anonymization FIG. 1 is an explanatory diagram of k-anonymization, and FIG. 1A shows an example in which the last name item is deleted from the member information including the last name, age, and sex items.

  As shown in Fig. 1 (A), if there is only one 16-year-old woman in the member information in which the age is described, when the 16-year-old woman is found to be this member, the person is identified. it can. That is, if there is only one person with the attribute of 16 years old and female, there is a possibility that an individual can be identified by comparing with other information.

  In FIG. 1 (B), the description of the age in the member list is abstracted and classified by age, such as 0's (under 10 years), 10's, and 20's. However, even in this case, there is only one female teenager, and an individual can be identified as in FIG. 1A, which is insufficient for anonymization.

  Therefore, in FIG. 1 (C), it was further abstracted and the age divisions were changed to those in their teens (under 19 years old) and those in their 20s. In the case of FIG. 1C, there are two women in their teens or less, and the attributes of “10 or less” and [female] are not single. For this reason, even if it turns out that a 16-year-old woman is this member as mentioned above, it cannot be specified which is the data of the 16-year-old woman. In this way, the state where there are more than k people (2 people in this example) with the same attribute is called “k-anonymity”, and processing such data as “k-anonymization” Called.

  FIG. 2 is an explanatory diagram of l-diversification, and shows an example in which the data of the used station for each user is abstracted and used as the data of the ward to which the used station for each user belongs.

In the pre-abstraction data, since the station is specified, there is a possibility that the user can be specified by comparing the data such as the residence near Shinjuku Station and the work place near Tokyo Station. For this reason, by abstracting the use station and making it a ward to which the use station belongs, there are a plurality of users who use stations in Shinjuku ward and stations in Chiyoda ward, and the user is not specified. In this way, the state where the attribute value has the possibility of l types, such as “Use stations in Shinjuku ward and Chiyoda ward” is called “I-diversity” and data like that Is called “l-diversification”.

The anonymization system 100 of the first embodiment abstracts the target data so as to satisfy the “k-anonymity” and “l-diversity”, that is, the combination of the values of the data items is one individual of the target data. Anonymization is performed by abstracting so that it is not limited to.

§2. System Configuration FIG. 3 is a functional block diagram of the anonymization system. The anonymization system 100 according to the first embodiment receives an access request from the anonymization device 10 that anonymizes personal information, the anonymous information DB 145 that stores anonymous information anonymized by the anonymization device 10, and the user terminal 30. The management server 20 receives and provides anonymous information according to the access authority of each user.

  As shown in FIG. 3, the anonymization device 10 includes a data acquisition unit 101, an abstraction unit 102, a test unit 103, a selection unit 104, a value determination unit 106, a value data acquisition unit 107, a word category analysis unit 108, a word value. A calculation unit 109, an appearance number acquisition unit 111, an authority determination unit 112, a personal information database (DB) 131, a disclosure condition DB 132, a search information accumulation DB 133, a temporary processing DB 134, and an authority setting DB (authority storage unit) 135 are provided.

The data acquisition unit 101 acquires data including a plurality of items associated with an individual, that is, personal information as anonymization target data. For example, the data acquisition unit 101 receives data from another computer via a network or reads target data from a database via the network. In addition, the data acquisition unit 101 inputs a questionnaire written by a visitor at the event site or personal information heard from the visitor from a keyboard or the like and stores it in the personal information DB 131, and stores this personal information from the personal information DB 131. The acquisition unit 101 reads out the target data. It is also possible to read the information on the visitor's business card or questionnaire and use it as electronic data by OCR (Optical Character Recognition), or to obtain information about the visitor from the visitor's RF-ID tag or IC chip. May be. The data acquisition unit 101 may acquire not only the anonymization target data but also anonymous information anonymized on the business side. That is, the data acquisition unit 101 may function as an anonymous information acquisition unit.

  The abstraction unit 102 refers to the integrated anonymization dictionary including the dimensions, and generates anonymization candidate data by replacing words that are values of items in the target data with words abstracted based on the priority. .

  The test unit 103 performs test on the condition that the combination of the item values of the abstraction candidate data is not limited to one individual of the target data. For example, the test | inspection part 103 tests on condition that the combination of the value of the item of abstraction candidate data satisfy | fills k-anonymity or l-diversity.

  The selection unit 104 selects the abstraction candidate data based on the value of the abstraction candidate data that satisfies the test condition. For example, the selection unit 104 selects a predetermined number of abstraction candidate data satisfying k-anonymity and l-diversity in descending order of value. The selection unit 104 may select abstraction candidate data having the highest value among the abstraction candidate data satisfying k-anonymity and l-diversity.

  The value determination unit 106 obtains the value of the abstraction candidate data based on the value of the word included in the abstraction candidate data.

  The value data acquisition unit 107 acquires (receives) word value data included in the abstraction candidate data from the search information storage DB. Further, the value data acquisition unit 107 makes a request to another device when the value data of the word is not registered in the search information storage DB, and registers the acquired value data in the search information storage DB (data request ) And periodically visit other devices to acquire the latest value data and update the value data registered in the search information storage DB (data crawler). In this embodiment, the statistical information of each word is received from the search engine 90 as this value data. Here, the statistical information of each word includes, for example, an SEM advertising unit price (unit price per click), a click rate, an average ranking, the number of display times per day, the number of clicks per day, and the like. Note that the value acquisition destination is not limited to a search engine, and may be a web page, an SNS, or the like. In this case, for example, the use frequency of each word in a web page or SNS may be used as the value.

  The word category analysis unit 108 analyzes data on a website or the like to obtain a new word or a word (category) obtained by abstracting the word and registers it in the search information storage DB.

  Based on the value of the word acquired by the value data acquisition unit 107, the value calculation unit 109 obtains statistical information on the value of the word, such as an annual average, a monthly average, or a weekly average of the word value.

  The appearance number acquisition unit 111 obtains the number of appearances of words constituting the anonymous information. For example, in anonymous information, information of one individual is regarded as one data (1 record), and how many times the same information (word) appears is counted as the number of appearances. If each person's information consists of a single item, the number of occurrences is counted for each item that has the same word as the value of that item. The number of occurrences is counted for each word combination that has the same value.

  Further, the appearance number acquisition unit 111 sets the minimum number of appearances of the words constituting the anonymous information as the minimum number of appearances, and sets the ratio of the minimum number of appearances to the total number of words constituting the anonymous information as the minimum number of appearances. You may function as an appearance rate acquisition part calculated | required as a rate.

  The authority determining unit 112 determines the access authority of the anonymous information based on the number of appearances of the anonymous information or a value such as the minimum appearance rate calculated based on the number of appearances, and adds it to the anonymous information DB 145 in addition to the anonymous information. Remember. The authority determining unit 112 refers to, for example, the authority determining unit that refers to the authority storage unit that stores the access authority in association with a value such as the number of appearances of anonymous information or the appearance rate calculated based on the number of appearances. Determines the access authority based on the number of appearances of the anonymous information.

  FIG. 4 is a diagram illustrating an example of the personal information DB 131. The personal information DB 131 stores personal information received by the data acquisition unit 101 from another computer and personal information before anonymization such as a keyboard. The personal information in FIG. 4 stores, for example, a personal ID, age, address, car name, and the like.

  The personal ID is identification information for identifying an individual such as a member number or a serial number, and may be a name, a telephone number, or an e-mail address.

  The vehicle name is information for identifying the individual vehicle, and is a name, common name, nickname, or the like. In the present application, the vehicle name may include identification information such as year and model number.

The disclosure condition DB 132 stores the condition of anonymous information that can be disclosed, for example, “can be released when the minimum number of appearances is 30 or more, but cannot be disclosed to the outside”, “when keyword = XXX is included, “Minimum number of appearances that can be disclosed, availability of disclosure outside the company, and keywords that cannot be disclosed” are stored as disclosure conditions. The disclosure condition is “When dictionary ID = D1 is used, internal disclosure is possible when the minimum number of appearances is 5 or more, public disclosure is not possible when the minimum number of appearances is less than 5, and external when the minimum number of appearances is 10 or more. It may be a condition that determines whether or not to be open according to the dictionary used for anonymization, such as “open to the public or not to be open to the public if it is less than that”.

  The anonymous information DB 145 stores anonymous information that has been anonymized by the anonymization device 10. The anonymous information DB 145 stores a plurality of anonymous information such as anonymous information with different personal information before anonymization and anonymous information with different dictionaries used for anonymization, and information for managing access to these anonymous information. Remember.

  FIG. 5 is a diagram illustrating an example of anonymous information stored in the anonymous information DB 145. The anonymous information is an abstraction of each word of personal information. In the example of FIG. 5, the age, address (prefecture name), vehicle type, and minimum number of appearances are stored in association with each other.

  FIG. 6 is a diagram illustrating an example of information for managing access to anonymous information (hereinafter also referred to as access management information). As shown in FIG. 6, this access management information includes, for example, a level, an anonymous information ID, a usage dictionary, a minimum appearance rate, an information type, an outline, and the like. Here, the level is information indicating an authority to access the anonymous information, and is obtained based on a value such as the minimum appearance rate calculated based on the minimum appearance number or the minimum appearance number of the anonymous information as described later. ing.

The anonymous information ID is information that uniquely identifies anonymous information. The use dictionary is information indicating a dictionary used for anonymization of the anonymous information, for example, identification information of each dictionary. The minimum appearance rate is a ratio of the minimum number of appearances to the total number of words constituting the anonymous information. Here, the minimum number of appearances is the smallest number of individuals having the same attribute value in the anonymous information, that is, the number of appearances of words constituting the anonymous information.

  The information type indicates a type such as whether the anonymous information is statistical information based on a plurality of personal information or anonymized personal information held by a specific business operator. In the example of FIG. 6, when the anonymous information is statistical information obtained by calculating the average or total of a plurality of anonymous information, this type is shown as average or total, and the personal information of a specific business operator is anonymized, The name of this company is shown. The overview is an explanation of the anonymous information, and shows items included in the anonymous information and conditions for anonymization, for example.

  The anonymous information DB 145 may be stored in a storage device included in the anonymization device 10 or the management server 20, or an apparatus such as an independent file server if accessible from the anonymization device 10 and the management server 20. It may be stored in.

  As shown in FIG. 3, the management server 20 includes a request reception unit 201, an access control unit 202, an output control unit 203, and a user management DB 251.

  The request reception unit 201 receives an access request for acquiring anonymous information from the user's terminal.

  When the access control unit 202 receives an access request from a user, the access control unit 202 permits access to anonymous information at an anonymous level corresponding to the authority level of the user.

  The output control unit 203 reads the anonymous information permitted to be accessed by the access control unit 202 from the anonymous information DB 145 and outputs it. For example, it is transmitted to the terminal 30 of the requesting user. Here, the output of anonymous information may be display output by a display device, print output by a printer, transmission to another computer, writing to a storage medium, or the like.

  FIG. 7 is a diagram illustrating a hardware configuration of the anonymization device 10. The anonymization device 10 is a so-called computer having a CPU 11, a memory 12, a communication control unit 13, a storage device 14, and an input / output interface 15.

  The CPU 11 executes the program expanded in an executable manner in the memory 12 and executes the data acquisition unit 101, the abstraction unit 102, the test unit 103, the selection unit 104, the value determination unit 106, the value data acquisition unit 107, the word The functions of the category analysis unit 108, the word value calculation unit 109, the appearance number acquisition unit 111, and the authority determination unit 112 are provided.

  The memory 12 can also be called a main storage device. The memory 12 stores, for example, a program executed by the CPU 11, data received via the communication control unit 13, data read from the storage device 14, and other data.

  The communication control unit 13 is connected to another device via a network and controls communication with the device. The input / output interface 15 is appropriately connected to output means such as a display device and a printer, input means such as a keyboard and pointing device, and input / output means such as a drive device. The drive device is a removable storage medium read / write device, such as an input / output device for a flash memory card, a USB adapter for connecting a USB memory, or the like. The removable storage medium may be a disk medium such as a CD (Compact Disc), a DVD (Digital Versatile Disk), or a Blu-ray (registered trademark) disc. The drive device reads the program from the removable storage medium and stores it in the storage device 14.

The storage device 14 can also be called an external storage device. The storage device 14 may be an SSD (Solid State Drive), an HDD, or the like. The storage device 14 exchanges data with the drive device. For example, the storage device 14 stores a program installed from the drive device. Further, the storage device 14 reads out the program and delivers it to the memory 12. In the present embodiment, the storage device 14 stores the personal information DB 131 and the disclosure condition DB 132 described above.

  FIG. 8 is a diagram illustrating a hardware configuration of the management server 20. The management server 20 is a so-called computer having a CPU 21, a memory 22, a communication control unit 23, a storage device 24, and an input / output interface 25.

  The CPU 21 executes a program that is executable on the memory 22 and provides the functions of the request receiving unit 201, the access control unit 202, and the output control unit 203 described above.

  The memory 22 can also be called a main storage device. The memory 22 stores, for example, a program executed by the CPU 21, data received via the communication control unit 23, data read from the storage device 24, other data, and the like.

  The communication control unit 23 is connected to another device via a network and controls communication with the device. The input / output interface 25 is appropriately connected to output means such as a display device and a printer, input means such as a keyboard and pointing device, and input / output means such as a drive device. The drive device is a removable storage medium read / write device, such as an input / output device for a flash memory card, a USB adapter for connecting a USB memory, or the like. The removable storage medium may be a disk medium such as a CD (Compact Disc), a DVD (Digital Versatile Disk), or a Blu-ray Disc. The drive device reads the program from the removable storage medium and stores it in the storage device 24.

The storage device 24 can also be referred to as an external storage device. The storage device 24 may be an SSD (Solid State Drive), an HDD, or the like. The storage device 24 exchanges data with the drive device. For example, the storage device 24 stores an information processing program installed from the drive device. The storage device 24 reads out the program and delivers it to the memory 22. In the present embodiment, the storage device 24 stores the user management DB 251 described above.

  FIG. 9 is a diagram illustrating an example of user management information stored in the user management DB 251. As shown in FIG. 9, the user management DB 251 associates each user's identification information (user ID), authority information, and usable dictionary information as user management information.

§3. Anonymization method Next, the anonymization method of this embodiment will be described. FIG. 10 is an explanatory diagram showing an outline of an anonymization method executed by the anonymization device 10 according to a program. As shown in FIG. 10, the anonymization device 10 first acquires anonymization information (step S1), determines whether or not the anonymous information satisfies the disclosure condition (step S2), and satisfies the disclosure condition. Access authority is set to the anonymous information (step S3).

  In addition, acquisition of the anonymization information in step S1 may be such that the anonymization device 10 receives the anonymization information anonymized by the business operator having the personal information from each business operator, or the anonymization device from each business operator. 10 may receive personal information and anonymize and acquire it.

FIG. 11 is a diagram illustrating anonymization processing. When performing anonymization processing, the anonymization device 10 first acquires (receives) personal information from another computer or input means as shown in FIG. 11 (step S10), and this personal information is in a predetermined format. The data is normalized and registered in the personal information DB 131 (step S20).

The anonymization device 10 reads personal information from the personal information DB 131 as target data (step S30). Here, the anonymization device 10 is information for identifying an individual such as a personal ID, name, telephone number, and email address in personal information, and data that is meaningless if it is abstracted is not read out. It may be removed from the data.
Next, the anonymization device 10 determines whether or not value data exists in the search information storage DB 133 for each word in the target data, that is, whether or not value data has already been acquired (step S40). The anonymization device 10 proceeds to step S60 when the value data of all words exist in the search information storage DB 133 (step S40, Yes), and when there is insufficient value data (step S40, No), Word value data is obtained from an external device, in this example, the search engine 90 (step S50). In addition, the value information of the words that existed in the search information storage DB 133 other than the value data acquired from the search engine is acquired from the search information storage DB 133 (step S60).

  Further, the anonymization device 10 abstracts by replacing each item of the target data with an abstract word (category) to satisfy anonymity, and creates abstraction candidate data (step S70). As shown in FIGS. 12 to 14, each word is abstracted by using a dictionary in which the word before abstraction and the word after abstraction are stored in association with each other, and after wording corresponding to the word before abstraction. Replace with the word. FIG. 12 shows an example of a dictionary that is abstracted to the manufacturer name corresponding to the car name. FIG. 13 shows an example of a dictionary abstracted to a car type corresponding to a car name. FIG. 14 shows an example of a dictionary that is abstracted into vehicle classifications corresponding to vehicle names. 12 to 14 show only the item of the car name, but the words corresponding to other items such as age and address are similarly included in each dictionary. Each dictionary is assigned a dictionary ID so that it can be uniquely identified on the system 100 side. For example, the dictionary IDs of the dictionaries in FIGS. 12 to 14 are D1 to D3.

  When there are a plurality of items that can be abstracted, all patterns are created when each item is abstracted and when it is not abstracted. For example, if the target data includes three items A, B, and C and all items can be abstracted, and the abstracted items are A ′, B ′, and C ′, as shown in FIG. Seven candidate patterns can be created, such as A ′, B, C when only A is abstracted, and A ′, B ′, C when items A and B are abstracted. Moreover, you may create the candidate pattern using some items, such as A ', B, B', and C, without using all items.

  Next, the anonymization device 10 calculates the value of the abstraction candidate data of each pattern based on the value data of each word included in the abstraction candidate data (step S80), and based on the value of this abstraction candidate data. The order of testing is determined (step S90). For example, the test order is determined in descending order of the value. Although it is desirable to test all candidate patterns, abstract candidate data that is too low in value may be removed from the order based on the value of the abstract candidate data. For example, abstract candidate data less than a predetermined ratio, such as after a predetermined value or less than half, may be removed in order of value. Further, the abstraction candidate data whose value is less than a predetermined ratio with respect to the value of the target data may be excluded. This reduces the number of tests and shortens the processing time.

In accordance with the order of this test, the anonymization device 10 tests the anonymity of the abstraction candidate data (step S100). For example, in order to test k-anonymity, the number (existence number) of combinations of values of different items associated with one individual is present in the abstraction candidate data. Alternatively, in order to test 1 diversity, the number (existence number) in which the combination of values of the same item associated with one individual exists in the abstraction candidate data is obtained. Then, the smallest of the existence numbers is obtained as the minimum number of appearances (k value / l value) (step S110), and it is determined whether or not the minimum number of appearances exceeds 1 (step S120). That is, if the k value exceeds 1, k-anonymity is satisfied, and if it is 1, k-anonymity is not satisfied. Similarly, if the l value exceeds 1, l-diversity is satisfied, and if l value is 1, l-diversity is not satisfied.

  When the minimum number of appearances (k value / l value) does not exceed 1 (step S120, No), the anonymization device 10 further abstracts the value of at least one item of the abstraction candidate data, that is, Replacing with the abstracted word (step S130), the process returns to step S100.

  On the other hand, when the minimum number of appearances (k value / l value) exceeds 1 (step S120, Yes), the anonymization device 10 calculates the difference between the value of the abstraction candidate data and the value of the original target data. Obtain (Step S140), and determine the difference, a value based on the difference, for example, the ratio of the difference to the value of the target data, and the ratio of the value of the abstract candidate data to the value of the target data as the value of the abstract candidate data. (Step S150).

  Further, the anonymization device 10 determines whether there is a candidate pattern that has not been verified (step S160). If there is a candidate pattern that has not been verified (step S160, Yes), the anonymization device 10 follows the order determined in step S90. Then, the next abstraction candidate data is specified (step S170), and the process returns to step S100 to test the next abstraction candidate data.

  In this way, when the test is repeated for the abstraction candidate data of each pattern and there is no next candidate pattern (step S160, No), the anonymization device 10 is based on the value of each abstraction candidate data obtained in step S150. Abstraction candidate data to be adopted is selected (step S180) and stored as anonymous information in the anonymous information DB 145 (step S190).

In the selection of abstraction candidate data, for example, a predetermined number of abstraction candidate data is selected in descending order of value among all candidate patterns. The anonymization device 10 outputs a plurality of abstraction candidate data in descending order of value from all candidate patterns, and the abstraction candidate data that the operator thinks is appropriate from the output abstraction candidate data May be selected, and the specified abstraction candidate data may be selected.
Next, the value of data in this embodiment will be described with reference to FIGS. FIG. 16 is a diagram illustrating an example of a part of the age item in the target data. As shown in FIG. 16, the target data has the number of people ci for each age si. For example, the number of people (c1) at the age of 18 (s1) is 30, and the number of people (c2) at the age of 19 (s2) is 10.

  FIG. 17 shows an example of value data acquired for the age si. The value data in FIG. 17 has a SEM unit price ei for each age si.

  The value of this age si is a value obtained by multiplying the SEM unit price ei by the number of people ci, and is represented by Equation 1.

si = ci × ei (Formula 1)
As shown in FIG. 18, the value of the age item S (e) is the total of each age si, and is expressed by Equation 2. In FIG. 18, n is 5. Therefore, the value of the age item S (e) is 2446 yen as shown in FIG. The value of the target data is the sum of the values of all items in the target data.

On the other hand, FIG. 20 is a diagram showing an example of part of the age item in the abstraction candidate data. As shown in FIG. 20, the abstraction candidate data has the number of people ci for each age ki. For example, 10
The number of teenagers (k1) (c1) is 40 people, and the number of people in their 20s (k2) (c2) is 22 people.

  FIG. 21 shows an example of value data of each word acquired for the age ki. The value data in FIG. 21 has a SEM unit price ei for each age ki.

  The value of this age ki is a value obtained by multiplying the SEM unit price ei by the number of people ci, and is expressed by Equation 3.

ki = ci × ei (Formula 3)
Then, as shown in FIG. 22, the value of the item S (k) of the age is the total of each age ki, and is expressed by Equation 4. In FIG. 22, n is 2. Therefore, the value of the age item S (k) is 2134 yen as shown in FIG. In other words, the value was lost by 312 yen by abstracting the age item into the age. Further, the sum of the values of all items in the abstraction candidate data is the value of the abstraction candidate data.

  Then, as the value of the abstraction candidate data obtained in step S150, for example, as shown in Equation 5, an impairment rate M (k that is obtained by dividing the value of the abstraction candidate data by the sum of the value of the abstraction candidate data and the value of the target data. )

M (k) = S (k) / (S (k) + S (e)) (Formula 5)
Thus, the anonymization apparatus 10 of this embodiment can perform an appropriate anonymization process automatically by evaluating based on the value of the word which abstracted the value of each abstraction candidate data. That is, it is possible to automatically generate a large number of anonymous information with different degrees of abstraction.

  FIG. 24 is a diagram illustrating processing in which the anonymization device 10 confirms the disclosure condition of anonymous information. In step S2 for confirming the disclosure condition, as shown in FIG. 24, the anonymization device 10 reads the anonymous information for confirming the disclosure condition for the anonymous information acquired in step S1 from the storage device 14 as target data (step S210), It is determined whether there is anonymous information that has not been checked for disclosure conditions, that is, unconfirmed anonymous information (step S220). If there is no anonymous information that has not been confirmed, the process is terminated (step S220, No), and unconfirmed. If the anonymous information exists (step S220, Yes), the process proceeds to step S230.

  In step S230, the unconfirmed anonymous information is checked against the authority information in the authority setting DB 135 to determine whether authority information corresponding to the anonymous information is stored in the authority setting DB 135 (step S240).

  In step S240, the authority information corresponding to the anonymous information is not stored in the authority setting DB 135, for example, there is no information in the authority setting DB 135 that matches the source or destination of the anonymous information, and the corresponding authority information is stored. If it is determined that it is not present (step S240, No), authority information is newly added to the authority setting DB 135. When adding new authority information, the anonymization apparatus 10 acquires authority information, for example, from the apparatus of the provider of the anonymous information provider and stores the authority information in the authority setting DB 135 (step S245). The anonymization device 10 prompts the operator of the anonymization device 10 to input authority information when adding new authority information, and stores the authority information in the authority setting DB 135 when the authority information is input. May be.

  When authority information for anonymous information is stored in the authority setting DB 135 by the process of step S245, or when it is determined in step S240 that all authority information corresponding to anonymous information is stored in the authority setting DB 135 (step S240, Yes), this anonymous information is stored in the temporary process DB 134 (step S250).

  Next, the anonymization device 10 determines whether or not the anonymous information stored in the temporary process DB 134 matches the disclosure condition of the disclosure condition DB 132 (step S260). If the anonymous information does not match the disclosure condition of the disclosure condition DB 132 (step S260, No), the process returns to step S210 and proceeds to the next anonymous information process. On the other hand, if the anonymous information matches the disclosure condition of the disclosure condition DB 132 (step S260, Yes), the anonymous information is stored in the anonymous information DB 145, and the process returns to step S210 to move to the next anonymous information process.

  FIG. 25A is a diagram illustrating an example of the authority setting DB 135. The authority setting DB 135 stores authority setting information in which information such as the minimum number of appearances of anonymization information is associated with an access authority (rank). That is, the authority setting DB 135 is a form of the authority storage unit. In the example of FIG. 25A, in addition to the minimum appearance rate, information on a provider, a provider, and a usable dictionary is associated with an access authority (rank). Here, the provider is information indicating the provider who provided the anonymous information or the personal information before the anonymization, and the minimum appearance rate and usable dictionary of each rank are determined for each provider of the provider. In the authority setting DB 135 in FIG. 25A, in the case where anonymous information relating to a plurality of businesses is converted into statistical information, the type of statistical information such as average or total is stored in the item of the provider. The provision destination is information indicating a provision destination (transmission destination) of anonymous information. The minimum appearance rate is the ratio of the minimum number of appearances to the total number of data. When the minimum appearance rate is small, the ratio of individual data to the entire data is small, and it is diluted information. When the minimum appearance rate is large, the ratio of the individual data to the entire data is large, and it becomes easy to grasp the entire data from the individual data.

  For example, in the authority setting DB 135 of FIG. 25A, the minimum appearance rate is less than 0.05% when the providing source is the store P and the providing destination of the anonymous information is the same company, that is, the store P. In the case where the destination of the anonymous information is outside the business operator, the minimum appearance rate is less than 0.05% and the rank is higher than that provided in the business operator as in rank C. Is associated. Further, the providing destination may be unrestricted when there is no designation of the rank according to the providing destination. Furthermore, the provider may be a specific business name or business type. For example, if the competing business is the provider, associate it with a higher rank than that provided to other businesses (outside the business), and if the business partner with which the business is affiliated is the provider, the other business It may be associated with a lower rank than that provided to (outside the business). Similarly, it may be specified according to the type of business, such as when the providing destination is an automobile dealer or an automobile repair shop.

  Further, in the authority setting DB 135 of FIG. 25A, when the provider is the store P and the usable dictionary is D1, it is associated with any of ranks A to D, and when the usable dictionary is D2, rank E It is associated.

  In the authority setting DB 135 in FIG. 25A, the condition including the minimum appearance rate is associated with the rank, but not limited to this, as illustrated in FIG. 25B, the condition including the minimum limit number is associated with the rank. You may remember.

  For example, in the authority setting DB 135 of FIG. 25B, when the providing source is the store P and the providing destination of the anonymous information is within the same company, the minimum appearance number is 50 or more and rank A. When the provision destination of the anonymous information is outside the business, the minimum number of appearances is 50 or more and is associated with a higher rank as compared with the case where the anonymous information is provided within the business as rank C.

FIG. 26 is a diagram illustrating an example of the disclosure condition DB 132. The disclosure condition DB 132 stores attribute values of anonymous conditions and disclosure conditions in association with each other. For example, in FIG. 26, when the minimum number of appearances corresponding to the attribute value is specified and the vehicle type is included in the attribute value, the disclosure condition is that the minimum appearance rate is less than 0.05%. That is, when the vehicle type is included in the anonymous information, if the minimum appearance rate is less than 0.05%, it is stored in the anonymous information DB 145 to be disclosed, and if the minimum appearance rate is 0.05% or more, the anonymous information is anonymous. It is not stored in the information DB 145 and is not disclosed. Similarly, when the maker name is included in the attribute value, the disclosure condition is that the minimum appearance rate is less than 0.1%. Further, the disclosure conditions may be domestic manufacturers, information on domestic manufacturers may be extracted and made public, and information on foreign manufacturers may not be disclosed. In this example, for the discrimination between the domestic manufacturer and the foreign manufacturer, a table indicating whether the manufacturer is a domestic manufacturer or a foreign manufacturer is prepared in advance for each manufacturer name, and the anonymization apparatus 10 uses this table. Refer to and determine whether the manufacturer is a domestic manufacturer according to the manufacturer name. Moreover, you may determine the date and period which make public as a publication condition. In the example of FIG. 26, when the anonymous information includes a predetermined keyword “▽ Venta * all”, since the disclosure condition is “after month * day *”, the record including “▽ Venta * all” or anonymous Information is subject to disclosure after XX month and day, and is not disclosed until XX month and day. Further, in the example of FIG. 26, when the anonymous information includes the predetermined keyword “power ○ 1 la”, the disclosure condition is “January 1 to February 28”. Regarding the records or anonymous information to be included, the period from January 1 to February 28 is set as the disclosure target, and it is not disclosed outside this period.

  When the confirmation process of the disclosure condition in FIG. 24 is completed, the anonymization device 10 next sets the access authority for each anonymous information (step S3). FIG. 27 shows a specific example of processing for setting this access authority. The anonymization device 10 obtains authority information from the authority setting DB 135 (step S310), and information such as the minimum appearance rate of each anonymous information from the anonymous information DB 145, for example, information such as the minimum appearance rate, the providing source, the providing destination, and the use dictionary Are obtained from the authority setting DB 135 and stored in the anonymous information DB 145 as access authority information of the anonymous information (step S320).

  For example, the anonymization apparatus 10 refers to the authority setting DB 135, and determines the rank in which the minimum appearance rate of the anonymous information acquired in step S310, the provider, the provider, and the use dictionary all match as the access authority information of the anonymous information. To do. Note that when the condition of a lower rank is met, such as the minimum appearance rate, when the condition of a higher rank is also met, the lowest rank is determined. In the example of FIG. 25A, when the provider is the dealer P, the provider is the same company, that is, the dealer P, the usage dictionary is D1, and the minimum appearance rate is less than 0.05%, the anonymization device 10 accesses The authority is determined as rank A. Further, when the provider is the store P, the provider is outside the business operator, the usage dictionary is D1, and the minimum appearance rate is less than 0.05%, the anonymization device 10 determines the access authority to be rank C. If the provider is the store P, the provider is the same company, the dictionary used is D2, and the minimum appearance rate is 0.2%, the dictionary satisfies the rank C condition except for the usable dictionary, but is compatible with the dictionary D2. Since the usable dictionary to be used is rank E, the anonymization device 10 determines the access authority to be rank E.

  Further, the anonymization device 10 obtains statistical information such as total, average, standard deviation, etc. for these anonymous information, obtains access authority for the statistical information in the same manner as in step S320, and associates the statistical information with the access authority. And stored in the anonymous information DB 145 (step S330).

  Next, access management for anonymous information to which access authority is added as described above will be described. FIG. 28 is an explanatory diagram of an access management method in which the management server 20 manages access to the anonymous information according to the access authority of the anonymous information.

When receiving the request for access to the anonymous information from the user terminal 30, the management server 20 starts the process of FIG. 28 and first authenticates the user (step S410). In the user authentication process, the management server 20 receives authentication information such as a user ID and a password from the user terminal 30, and compares this authentication information with the registered information. The process proceeds to S430, and if they do not match, the processing of FIG. When the management server 20 has a web server function, provides information such as anonymous information as a web page, and the user terminal 30 accesses the management server 20 by a so-called web browser function, the authentication information is It may be transmitted from the user terminal 30 to the management server 20 by HTTP Cookie or the like. The authentication information may be input from an input unit such as a keyboard by a user operation and transmitted from the user terminal 30 to the management server 20.

  When the authentication is successful, the management server 20 acquires the user management information of the user from the user management DB 251 (step S420). The user management information is recorded in the user management DB 251 in association with information such as a user ID, access authority, and usable dictionary as shown in FIG. The user ID is identification information for uniquely identifying each user. The user access authority is information indicating the authority of the user, that is, the range of anonymous information that can be accessed by the user. In particular, in the example of FIG. 9, the range of access authority (accessible range) is indicated by rank. For example, when ranks A to E are assigned in order of lower authority (the accessible range is narrow), rank A is anonymous information of rank A as an access range, rank B is anonymous information of rank A and rank B as an access range, Rank E uses anonymous information from rank A to rank E as the access range. In this way, the upper authority range may be set to include the lower authority range, or each authority may be set independently. For example, a user having authority A and authority E may access only anonymous information of authorities A and E, and may not be able to access authorities B, C, and D.

  Then, the management server 20 acquires anonymous information within the authority of the user, that is, summary information of anonymous information accessible with the access authority of the user from the anonymous information DB 145 (step S430). As shown in FIG. 6, this summary information may be obtained by reading out summary information recorded in advance in the access management information of each anonymous information, or using part of the item name or anonymous information as summary information. You may read.

  The management server 20 transmits the acquired summary information to the user terminal 30 (step S440), and prompts selection of anonymous information to be provided (step S450). For example, the management server 20 provides the user terminal 30 as a web page on which summary information is displayed as a list, and displays an input field for keyword search or narrowing down to prompt selection of anonymous information.

  Then, when the user selects anonymous information from the summary information list and makes a request from the user terminal 30, and the management server 20 receives this request (step S460), the management server 20 accesses the anonymous information. The authority is compared with the access authority of the user (step S470), and it is reconfirmed whether or not the user has the authority to access the anonymous information (step S480).

  As a result, if the management server 20 determines that the user does not have the authority to access the anonymous information (No in step S480), the management server 20 ends the process of FIG. If it is determined that the user has the right to access (Yes in step S480), the use date and time and the user information (user ID, etc.) are stored in the storage unit 24 as history information (step S490). Moreover, the management server 20 acquires the anonymous information which received the request from anonymous information DB145 (step S500), transmits to the user terminal 30 of a request origin, and displays it (step S510).

Thus, since anonymous information is transmitted only to the authorized user based on the access authority, it is possible to appropriately control access to the anonymous information. In particular, according to this embodiment, the access authority of anonymous information used for access management can be obtained from information such as the minimum appearance rate, and the access authority can be automatically set. For this reason, when anonymizing and personalizing personal information, a plurality of abstraction candidates are generated and the abstraction candidate selected based on the value after the abstraction is used as anonymous information as described above. By adding access authority to the anonymous information from the information such as the minimum appearance rate, access management can be performed without requiring manpower.

<Embodiment 2>
FIG. 29 is a functional block diagram of the anonymization system according to the second embodiment. An anonymization system 200 according to the second embodiment is a system that anonymizes personal information collected from visitors by an operator at an exhibition where a plurality of operators exhibit. Or it has the management server 20 which manages the anonymous information anonymized by each provider.

In the anonymization system 200 of the second embodiment, the management server 20 acquires anonymization dictionaries from the anonymization devices 10 of the respective operators and integrates the anonymization dictionaries of the respective operators to generate an integrated anonymization dictionary. Then, each integrated anonymization dictionary is given an ID and distributed to the anonymization device 10 of each operator. And each company's anonymization device 10 anonymizes personal information using a common integrated anonymization dictionary to make anonymous information, registers it in an anonymous information DB (Data Base) 145, and the ID of the integrated anonymization dictionary Based on the minimum appearance rate, the access to the anonymous information is managed.

  As shown in FIG. 29, the management server 20 includes a request reception unit 201, an access control unit 202, an output control unit 203, a user management DB 251, a dictionary acquisition unit 211, an integration unit 212, a priority determination unit 213, and a dictionary management unit. 214, an anonymous information registration unit 215, an anonymous information control unit 216, a selection unit 217, a dictionary DB 231, and a priority DB 232. That is, the management server 20 according to the first embodiment is also a dictionary creation device including a dictionary acquisition unit 211, an integration unit 212, a priority determination unit 213, and a selection unit 217.

  The request reception unit 201 receives an access request for acquiring anonymous information from the user's terminal.

  When the access control unit 202 receives an access request from a user, the access control unit 202 permits access to anonymous information at an anonymous level corresponding to the authority level of the user.

  The output control unit 203 reads the anonymous information permitted to be accessed by the access control unit 202 from the anonymous information DB 145 and outputs it. For example, it is transmitted to the terminal 30 of the requesting user. Here, the output of anonymous information may be display output by a display device, print output by a printer, transmission to another computer, writing to a storage medium, or the like.

  In order to anonymize the word included in the target data by replacing the word included in the target data with an abstracted word, the dictionary acquiring unit 211 stores a plurality of anonymized dictionaries storing the word and the abstracted word in association with each operator. Obtained from the anonymization device 10. In this embodiment, the dictionary acquisition unit 211 receives the anonymization dictionary transmitted from the anonymization device 10 of each business operator and registers it in the dictionary DB 231.

  The integration unit 212 integrates a plurality of anonymization dictionaries acquired from each company's anonymization device 10 to create an integrated anonymization dictionary. For example, the integration unit 212 sets each word included in the plurality of anonymization dictionaries based on the correspondence relationship between the words included in the plurality of anonymization dictionaries. And the upper and lower words existing in the plurality of anonymization dictionaries, and the highest word that does not have a corresponding higher word as a root to the lowest word that does not have a corresponding lower word. A dimension of a word having a tree-like correspondence is generated for each top word and stored in the dictionary DB 231 as an integrated anonymization dictionary. The dimension of the tree-like word rooted at each uppermost word constitutes an integrated anonymization dictionary.

The priority determination unit 213 determines the priority for each dimension constituting the integrated anonymization dictionary based on the words included in the dimension. For example, the priority determination unit 213 sets at least one of the number of words included in each dimension, the number of stages having a higher and lower relationship for the words included in each dimension, and the value of the word included in each dimension. Based on the priority, the priority is determined. For example, the priority DB 232 stores a predetermined value for the word, and the priority determination unit 213 refers to the priority DB 232 to determine the priority.

  The selection unit 217 selects a dimension to be adopted as the integrated anonymization dictionary and a dimension not to be adopted among the plurality of dimensions generated by the integration unit 212 based on the priority.

  The dictionary management unit 214 manages the integrated anonymization dictionary created by the integration unit 212. For example, the dictionary management unit 214 reads the integrated anonymization dictionary from the dictionary DB 231 and distributes it to the anonymization device 10 of each operator.

  The anonymous information registration unit 215 acquires anonymous information from each company's anonymization device 10 and registers it in the common DB 233.

  The anonymous information control unit 216 controls an output process of anonymous information registered in the common DB 233 and the like. For example, when an anonymous information acquisition request is received from an information processing apparatus such as the anonymization apparatus 10, the corresponding anonymous information is distributed to the requesting information processing apparatus. In the first embodiment, the anonymous information control unit 216 is a form of an output unit.

FIG. 30 is a diagram illustrating an example of the dictionary DB 231. The dictionary DB 231 stores a word before abstraction (hereinafter also referred to as a lower word) and a word after abstraction of the word (hereinafter also referred to as an upper word) in association with each other.

  FIG. 31 is a diagram illustrating an example of the priority DB 232. The priority DB 232 stores a value (value) for determining the priority for each word. In the example of FIG. 31, for each word, the values used in the SEM, such as the number of clicks per day, the number of display times per day, the number of participating companies, the cost per day, the click rate, the SEM price (acquired price), etc. It is remembered.

  FIG. 32 is a diagram illustrating an example of the common DB 233. The common DB 233 stores anonymized information that has been anonymized using the integrated anonymization dictionary by the anonymization device 10 of each business operator. In the example of FIG. 32, data of items such as a visit booth, age, sex, affiliated company, job title, product showing interest, and status are stored. The degree of abstraction of this item and each item is determined by the integrated anonymization dictionary, the result of the test, etc. as will be described later.

  Further, as shown in FIG. 29, the anonymization device 10 of each business operator includes a data acquisition unit 101, an abstraction unit 102, a test unit 103, a selection unit 104, a value determination unit 106, a value data acquisition unit 107, a word Category analysis unit 108, word value calculation unit 109, appearance number acquisition unit 111, authority determination unit 112, output control unit 121, personal information DB 131, disclosure condition DB 132, search information storage DB 133, temporary processing DB 134, authority setting DB (authorization memory) Part) 135.

The data acquisition unit 101 acquires data including a plurality of items associated with an individual, that is, personal information as target data. For example, a questionnaire written by a visitor and personal information heard from the visitor are input from a keyboard or the like and stored in the personal information DB 131, and the data acquisition unit 101 reads the personal information from the personal information DB 131 as target data. It is also possible to read the information on the visitor's business card or questionnaire and use it as electronic data by OCR (Optical Character Recognition), or to obtain information about the visitor from the visitor's RF-ID tag or IC chip. May be.

  The abstraction unit 102 refers to the integrated anonymization dictionary including the dimensions, and generates anonymization candidate data by replacing words that are values of items in the target data with words abstracted based on the priority. .

  The test unit 103 performs test on the condition that the combination of the item values of the abstraction candidate data is not limited to one individual of the target data. For example, the test | inspection part 103 tests on condition that the combination of the value of the item of abstraction candidate data satisfy | fills k-anonymity or l-diversity.

  The selection unit 104 selects the abstraction candidate data based on the value of the abstraction candidate data that satisfies the test condition. For example, the selection unit 104 selects a predetermined number of abstraction candidate data satisfying k-anonymity and l-diversity in descending order of value. The selection unit 104 may select abstraction candidate data having the highest value among the abstraction candidate data satisfying k-anonymity and l-diversity.

  The value determination unit 106 obtains the value of the abstraction candidate data based on the value of the word included in the abstraction candidate data.

  The value data acquisition unit 107 acquires (receives) word value data included in the abstraction candidate data from the search information storage DB. Further, the value data acquisition unit 107 makes a request to another device when the value data of the word is not registered in the search information storage DB, and registers the acquired value data in the search information storage DB (data request ) And periodically visit other devices to acquire the latest value data and update the value data registered in the search information storage DB (data crawler). In this embodiment, the statistical information of each word is received from the search engine 90 as this value data. Here, the statistical information of each word includes, for example, an SEM advertising unit price (unit price per click), a click rate, an average ranking, the number of display times per day, the number of clicks per day, and the like. Note that the value acquisition destination is not limited to a search engine, and may be a web page, an SNS, or the like. In this case, for example, the use frequency of each word in a web page or SNS may be used as the value.

  The word category analysis unit 108 analyzes data on a website or the like to obtain a new word or a word (category) obtained by abstracting the word and registers it in the search information storage DB.

  Based on the value of the word acquired by the value data acquisition unit 107, the value calculation unit 109 obtains statistical information on the value of the word, such as an annual average, a monthly average, or a weekly average of the word value.

  The appearance number acquisition unit 111 obtains the number of appearances of words constituting the anonymous information. For example, in anonymous information, information of one individual is regarded as one data (1 record), and how many times the same information (word) appears is counted as the number of appearances. If each person's information consists of a single item, the number of occurrences is counted for each item that has the same word as the value of that item. The number of occurrences is counted for each word combination that has the same value.

  Further, the appearance number acquisition unit 111 sets the minimum number of appearances of the words constituting the anonymous information as the minimum number of appearances, and sets the ratio of the minimum number of appearances to the total number of words constituting the anonymous information as the minimum number of appearances. You may function as an appearance rate acquisition part calculated | required as a rate.

The authority determining unit 112 determines the access authority of the anonymous information based on the number of appearances of the anonymous information or a value such as the minimum appearance rate calculated based on the number of appearances, and adds it to the anonymous information DB 145 in addition to the anonymous information. Remember. The authority determining unit 112 refers to, for example, the authority determining unit that refers to the authority storage unit that stores the access authority in association with a value such as the number of appearances of anonymous information or the appearance rate calculated based on the number of appearances. Determines the access authority based on the number of appearances of the anonymous information.

  The output control unit 121 outputs the abstraction candidate data that satisfies the test condition as anonymous information. For example, the output control unit 121 transmits anonymous information to the management server 20.

  FIG. 33 is a diagram illustrating an example of the personal information DB 131. The personal information DB 131 stores personal information acquired by the data acquisition unit 101. In the example of FIG. 33, name, mail, company name, job title, interest, status, etc. are stored.

The disclosure condition DB 132 stores the condition of anonymous information that can be disclosed, for example, “can be released when the minimum number of appearances is 30 or more, but cannot be disclosed to the outside”, “when keyword = XXX is included, “Minimum number of appearances that can be disclosed, availability of disclosure outside the company, and keywords that cannot be disclosed” are stored as disclosure conditions. The disclosure condition is “When dictionary ID = D1 is used, internal disclosure is possible when the minimum number of appearances is 5 or more, public disclosure is not possible when the minimum number of appearances is less than 5, and external when the minimum number of appearances is 10 or more. It may be a condition that determines whether or not to be open according to the dictionary used for anonymization, such as “open to the public or not to be open to the public if it is less than that”.

  The anonymous information DB 145 stores anonymous information that has been anonymized by the anonymization device 10. The anonymous information DB 145 stores a plurality of anonymous information such as anonymous information with different personal information before anonymization and anonymous information with different dictionaries used for anonymization, and information for managing access to these anonymous information. Remember.

  FIG. 34 is a diagram illustrating an example of anonymous information stored in the anonymous information DB 145. Anonymous information is an abstraction of each word of personal information, and in the example of FIG. 34, age, address (prefecture name), vehicle type, and minimum number of appearances are stored in association with each other.

  FIG. 35 is a diagram illustrating an example of information for managing access to anonymous information (hereinafter also referred to as access management information). As shown in FIG. 35, this access management information includes, for example, a level, an anonymous information ID, a usage dictionary, a minimum appearance rate, an information type, and an outline. Here, the level is information indicating an authority to access the anonymous information, and is obtained based on a value such as the minimum appearance rate calculated based on the minimum appearance number or the minimum appearance number of the anonymous information as described later. ing.

  The anonymous information ID is information that uniquely identifies anonymous information. The use dictionary is information indicating a dictionary used for anonymization of the anonymous information, for example, identification information of each dictionary. The minimum appearance rate is a ratio of the minimum number of appearances to the total number of words constituting the anonymous information. Here, the minimum number of appearances is the smallest of the number of individuals (the number of appearances) for each same attribute value when the number of individuals having the same attribute value in the anonymous information, that is, the number of appearances of words constituting the anonymous information is obtained. belongs to.

  The information type indicates a type such as whether the anonymous information is statistical information based on a plurality of personal information or anonymized personal information held by a specific business operator. In the example of FIG. 35, in the case where the anonymous information is statistical information obtained by calculating the average or total of a plurality of anonymous information, this type is shown as average or total, and the personal information of a specific business operator is anonymized, The name of this company is shown. The overview is an explanation of the anonymous information, and shows items included in the anonymous information and conditions for anonymization, for example.

The anonymous information DB 145 may be stored in a storage device included in the anonymization device 10 or the management server 20, or an apparatus such as an independent file server if accessible from the anonymization device 10 and the management server 20. It may be stored in.

  FIG. 36 is a diagram illustrating a hardware configuration of the management server 20. The management server 20 is a so-called computer having a CPU 21, a memory 22, a communication control unit 23, a storage device 24, and an input / output interface 25.

  The CPU 21 executes the program expanded in the memory 22 so as to be executable, and the above-described dictionary acquisition unit 211, integration unit 212, priority determination unit 213, dictionary management unit 214, anonymous information registration unit 215, anonymous information control unit 216, a selection unit 217, a request reception unit 201, an access control unit 202, and an output control unit 203 are provided.

  The memory 22 can also be called a main storage device. The memory 22 stores, for example, a program executed by the CPU 21, data received via the communication control unit 23, data read from the storage device 24, other data, and the like.

  The communication control unit 23 is connected to another device via a network and controls communication with the device. The input / output interface 25 is appropriately connected to output means such as a display device and a printer, input means such as a keyboard and pointing device, and input / output means such as a drive device. The drive device is a removable storage medium read / write device, such as an input / output device for a flash memory card, a USB adapter for connecting a USB memory, or the like. The removable storage medium may be a disk medium such as a CD (Compact Disc), a DVD (Digital Versatile Disk), or a Blu-ray Disc. The drive device reads the program from the removable storage medium and stores it in the storage device 24.

The storage device 24 can also be referred to as an external storage device. The storage device 24 may be an SSD (Solid State Drive), an HDD, or the like. The storage device 24 exchanges data with the drive device. For example, the storage device 24 stores an information processing program installed from the drive device. The storage device 24 reads out the program and delivers it to the memory 22. In the present embodiment, the storage device 24 stores the dictionary DB 231, the priority DB 232, and the common DB 233 described above.

  FIG. 37 is a diagram illustrating a hardware configuration of the anonymization device 10. The anonymization device 10 is a so-called computer having a CPU 11, a memory 12, a communication control unit 13, a storage device 14, and an input / output interface 15.

  The CPU 11 executes the program expanded in an executable manner in the memory 12 and executes the data acquisition unit 101, the abstraction unit 102, the test unit 103, the selection unit 104, the value determination unit 106, the value data acquisition unit 107, the word The functions of the category analysis unit 108, the word value calculation unit 109, the appearance number acquisition unit 111, the authority determination unit 112, and the output control unit 121 are provided.

  The memory 12 can also be called a main storage device. The memory 12 stores, for example, a program executed by the CPU 11, data received via the communication control unit 13, data read from the storage device 14, and other data.

The communication control unit 13 is connected to another device via a network and controls communication with the device. The input / output interface 15 is appropriately connected to output means such as a display device and a printer, input means such as a keyboard and pointing device, and input / output means such as a drive device. The drive device is a removable storage medium read / write device, such as an input / output device for a flash memory card, a USB adapter for connecting a USB memory, or the like. The removable storage medium is, for example, a CD (Compact Disc), a DVD (Digital Versatile Disk),
It may be a disc medium such as a Blu-ray Disc. The drive device reads the program from the removable storage medium and stores it in the storage device 14.

The storage device 14 can also be called an external storage device. The storage device 14 may be an SSD (Solid State Drive), an HDD, or the like. The storage device 14 exchanges data with the drive device. For example, the storage device 14 stores a program installed from the drive device. Further, the storage device 14 reads out the program and delivers it to the memory 12. In the present embodiment, the storage device 14 stores the personal information DB 131, the disclosure condition DB 132, the search information accumulation DB 133, the temporary processing DB 134, and the authority setting DB (authority storage unit) 135 described above.

§3. Anonymization method Next, the anonymization method will be described with reference to FIGS. 38 to 45. FIG. 38 is an explanatory diagram of processing for creating an integrated anonymization dictionary executed by the management server 20 according to a program.

(3-1) Creation of Integrated Anonymization Dictionary First, the management server 20 receives each business operator's anonymization dictionary from each business operator's anonymization device 10 (step S510).

  Next, the management server 20 integrates the anonymization dictionary of each business operator (step S520). In addition, the specific process at the time of integrating an anonymization dictionary is mentioned later.

Further, the management server 20 determines priorities for the dimensions of the words constituting the integrated anonymization dictionary (step S530), and selects a dimension to be adopted for the integrated anonymization dictionary and a dimension not to be adopted based on this priority. (Step S540).
Next, the management server 20 attaches a dictionary ID to the integrated anonymization dictionary so that the created integrated anonymization dictionary can be uniquely identified (step S550). The dictionary ID is generated by combining, for example, information “D” indicating a dictionary and serial numbers “1, 2, 3,...” That are counted in the order of creation.
Further, the management server 20 registers authority information related to the created integrated anonymization dictionary in the authority setting DB 135. That is, rank A if the minimum appearance rate of anonymous information anonymized using the created integrated anonymization dictionary “D4” is 0.05% or less, rank C if the minimum appearance rate is 0.1% or less. For example, authority information for judging authority information of anonymous information anonymized using the created integrated anonymization dictionary is, for example, the provider name of the provider, the business type of the provider, the genre of the anonymization dictionary, An authority table storing the anonymization dictionary such as the importance of the anonymization dictionary and the number of integrated anonymization dictionaries and information related to the provider of the provider and the authority information is stored in the storage device 24 in advance, The management server 20 acquires authority information corresponding to the acquired anonymization dictionary and information related to the provider of the provider from the authority table and registers it in the authority setting DB 135. In step S510, the authority information such as rank and provision destination is received together with the anonymization dictionary from the anonymization device 10 of each company, and this is registered in the authority setting DB 135 as the authority information of the company. Further, the management server 20 may prompt the person in charge to input authority information and register the input authority information in the authority setting DB 135.

  And the management server 20 delivers the integrated anonymization dictionary comprised from the dimension selected by step S540 to each anonymization apparatus 10 (step S550).

FIG. 39 is an explanatory diagram of the process of integrating the anonymization dictionary in step S520. The management server 20 first extracts the lowest word from the dictionary DB 231 storing the anonymization dictionary of each business operator (step S610). For example, in each company's anonymization dictionary, as shown in FIG. 30, an abstract word of “soft A” is stored as “slip software”, and a word one level higher than “soft A” is stored. It turns out that it is "slip software". Similarly, a word that abstracts “soft Z” is “slip software”, and a word that abstracts “soft B” is “accounting software”.

  In addition, for “slip software” which is a word one level higher than “soft A” and “soft Z”, the word one level higher is stored as “business software”.

  In this way, out of the words stored in the dictionary DB 231 together with the upper / lower relationship, one word that is not associated with the lower word, that is, the lowest word is extracted.

  Next, the management server 20 obtains a word one higher than the word extracted in step S610, and sets one higher level (abstraction level) (step S620). For example, if the word extracted in step S610 is “software A”, “slip software” is extracted as a word one level higher.

  The management server 20 extracts a word at the same stage (abstraction level) as the one-lower word corresponding to the word extracted in step S620 (step S630). For example, if the word extracted in step S620 is “slip software”, “soft Z” at the same stage as “soft A” is extracted.

  Further, the management server 20 extracts the lower word corresponding to the word extracted in step S630, and repeats the extraction of the lower word until there is no corresponding lower word (step S640).

  When the lower word is exhausted in step S640, the management server 20 determines whether or not the stage set in the immediately preceding step S620 or step S660 is the highest, that is, whether or not there is a higher word. If it is not the most significant (No in step S650), the word one higher is obtained, the one higher level (abstraction level) is set, and the process returns to step 130 (step S660). For example, if the word set in step S620 is “slip software”, the word “business software” that is one higher level is obtained and set as one level higher.

  Then, after returning to step S630 and performing the processing of steps S630 and S640, if it is determined in step S650 that the stage set in the immediately preceding step S620 or step S660 is the highest (step S650, Yes), the plurality of It is determined whether or not all the words included in the anonymization dictionary have been processed (step S670), and if there are remaining words (step S670, No), the process returns to step S610 to repeat the process, and all the words If the above process is completed (step S670, Yes), the process in FIG. 39 is terminated.

(3-2) Description of Dimensions FIG. 40 is an explanatory diagram of each dimension created by the process of FIG. In the example of FIG. 40, a dimension having “IT product” as a root is shown. That is, in the dimension of FIG. 40, “IT product” is the word at the highest level.

  “IT product” is associated with “software” and “hardware” as words at the next lower level (step 4 in the example of FIG. 40). “Software” is associated with “business software” and “individual software” as a word at the next lower level (step 3 in the example of FIG. 40).

In addition, “business software” is associated with “slip software”, “accounting software”, and “customer management software” as the words of the next lower stage (stage 2 in the example of FIG. 40). “Soft A” and “Soft Z” are associated with the words at one lower level (step 1 in the example of FIG. 40, the lowest level). The “individual software” is associated with “soft V” and “soft U” as the words in the lower level, and “hard” is “server D” and “server” as the words in the lower level. E ”.

  As described above, the integration unit of the present embodiment creates a plurality of dimensions as shown in FIG. 40 based on the anonymization dictionary of each business operator. Here, the dimension is a correspondence relationship in which the highest word is rooted and associated with the lowest word in a tree form, and is generated for each highest word. That is, the integration unit integrates the anonymization dictionary by combining all words included in the anonymization dictionary of each business operator into a plurality of dimensions by associating them with a tree. The plurality of dimensions is an integrated anonymization dictionary.

  FIG. 41 is an explanatory diagram of a plurality of dimensions. As shown in FIG. 41, there can be multiple dimensions for abstracting a word. For example, in dimension a in FIG. 41, “software A” is abstracted into “accounting software” and “business software”, and in dimension c, “software A” is abstracted into “a company product” and “package”. Also, the dimension b and dimension d are abstracted into different words.

  In particular, since the integrated anonymization dictionary of this embodiment integrates anonymization dictionaries of a large number of operators, for example, it includes tens to hundreds of dimensions, and abstraction is performed using all dimensions. And the amount of data becomes enormous. For this reason, in this embodiment, the priority of the dimension employ | adopted for abstraction is determined about each dimension of an integrated anonymization dictionary.

(3-3) Description of Priority Next, details of the priority determination process in step S30 will be described with reference to FIGS. FIG. 42 is a diagram illustrating an example in which each word included in the dimension illustrated in FIG. 41 is weighted. In the example of FIG. 42, each word included in each dimension is stored in association with the stage of the word, and three types of weighting are performed. Weight 1 indicates the presence / absence of an important flag, weight 2 indicates the number of searches, and weight 3 indicates a SEM (Search Engine Marketing) price. Here, the important flag is a value input as to whether or not the user is important, and is recorded as important for an important word, that is, a word to be used for abstraction (an important flag is set).

  Moreover, the priority determination part 213 reads the value of a word from the priority DB232 shown in FIG. 31, and adds it to a corresponding word as a weight as shown in FIG.

  Then, the number of words in the dimension shown in FIG. 41, the sum of steps, and the weight of each word are totaled for each dimension to determine the priority.

  FIG. 43 is an explanatory diagram of a process for calculating the priority of each dimension by adding up the weights of the respective words. In FIG. 43, for each word of dimension a, Table 51A is a summation of the number of words, the sum of the number of steps, weight 1, weight 2, and weight 3. Similarly, a table summarizing dimension b is 51B, and a table summing dimension c is 51C.

  The number of words is the total number of words included in each dimension. In the example of FIG. 43, dimension a is 25, dimension b is 50, and dimension c is 9. If this number of words is large, there will be many variations of abstraction, and it will be difficult to satisfy 1-diversity, that is, safety will be low. Prioritize.

  The sum of the number of stages is obtained by multiplying the number of stages by the number of words belonging to the stage and obtaining a total, for example, (number of stages 5 × number of words 1) + (number of stages 4 × number of words 2). + (Number of stages 3 × number of words 2) + (number of stages 2 × number of words 3) + (number of stages 1 × number of words 9) = 34 If the sum of the number of stages is large, there are many higher-level stages, and there are many options with a high level of abstraction, which can be abstracted at an appropriate level of abstraction and is highly secure. Priority is given to those with a high sum.

  Similarly, for the weights 1 to 3, the total number of important flags, the number of searches, and the SEM price are obtained, and a higher value, that is, a higher value is given priority.

  And about these word number, the sum of the number of steps, and the weights 1-3, the whole appearance rate (ratio with respect to the whole number) is calculated | required based on following Formula.

Overall appearance rate = tf / idf
= Value of dimension a / (value of dimension a + value of dimension b + value of dimension c +...)
Table 52 shows a comparison of the overall appearance rate for each dimension. For each dimension in Table 52, the total priority is determined by summing the number of words, the sum of the number of stages, and the overall appearance rates of weights 1 to 3.

  In this way, the overall priority is obtained for each dimension, and the dimension that the selection unit 217 employs in the integrated anonymization dictionary and the dimension that is not employed are selected based on the overall priority. For example, the selection unit 217 refers to the overall priorities in Table 52, adopts a predetermined number of dimensions in descending order of overall priorities, and does not adopt other dimensions with lower overall priorities.

  The selection criteria are not only the order of the overall priority, but the dimension including the important flag is adopted, and the dimension not including the important flag is selected such that a predetermined number of dimensions are adopted in descending order of the overall priority. Conditions may be set.

  The selection target may be, for example, all dimensions included in the integrated anonymization dictionary, and a predetermined number of dimensions may be adopted based on the overall priority, or may be selected for each dimension including the same word. And a predetermined number of dimensions may be adopted based on the overall priority.

(3-4) Anonymization method Each anonymization apparatus 10 anonymizes using the integrated anonymization dictionary received from the management server (dictionary creation apparatus) 20, and transmits the anonymized anonymous information to the management server 20. . The anonymization process other than using this integrated anonymization dictionary and transmitting the created anonymous information to the management server 20 is the same as the description of FIG. 11 of the first embodiment. The anonymization device 10 selects the abstraction candidate adopted in step S180 and creates anonymous information, and then transmits the anonymous information to the management server 20 to register the anonymous information in the anonymous information DB 145 (step S190). .
As shown in FIG. 10, the management server 20 acquires anonymization information from the anonymization device 10 (step S1), determines whether or not the anonymous information satisfies the disclosure condition (step S2),
Access authority is set for anonymous information that satisfies the disclosure conditions (step S3). In other words, in the second embodiment, the management server 20 sets the access authority in the same manner as in the description of FIG. Processing (
Step S3) is performed.

  In addition, acquisition of the anonymization information in step S1 may be such that the anonymization device 10 receives the anonymization information anonymized by the business operator having the personal information from each business operator, or the anonymization device from each business operator. 10 may receive personal information and anonymize and acquire it.

§4. Specific Example of Anonymous Information Next, a specific example of anonymous information will be described with reference to FIGS. 44 and 45. 44 is a diagram showing an example of anonymization in Company A, FIG. 44 (a) shows personal information collected by Company A, and FIG. 44 (b) shows personal information in FIG. 44 (a). The figure which shows the example of the anonymous information at the time of anonymizing with an original anonymization dictionary, FIG.44 (c) is an example of the anonymous information at the time of anonymizing the personal information of Fig.44 (a) with an integrated anonymization dictionary. FIG.

  When the anonymization device 10 of company A anonymizes the personal information of FIG. 44 (a) with its own anonymization dictionary, as shown in FIG. 44 (b), the items of name and email address are deleted, and the age In the ages, the company is abstracted as a listed company or unlisted company, and the title is abstracted into a managerial position, employee, or part-time job.

  On the other hand, when the anonymization device 10 of Company A anonymizes the personal information of FIG. 44 (a) with the integrated anonymization dictionary, as shown in FIG. 44 (c), the name and e-mail address items are displayed. Delete, abstract age to age, affiliated company to listed or unlisted company, and affiliated company to industry. In addition, when an integrated anonymization dictionary is used, company A's anonymization device 10 abstracts the title of the product to the manager or staff, the product that shows interest to the slip software or the server, and adds a visit booth item. Then, a value “Company A” indicating that it is data of a person who visited Company A is input.

  On the other hand, FIG. 45 is a diagram showing an example of anonymization in company B, FIG. 45 (a) shows personal information collected by company B, and FIG. 45 (b) shows personal information in FIG. 45 (a). The figure which shows the example of the anonymized information at the time of anonymizing with B company original anonymization dictionary, FIG.45 (c) is anonymity information at the time of anonymizing the personal information of FIG.45 (a) with an integrated anonymization dictionary. It is a figure which shows an example.

  When the anonymization device 10 of company B anonymizes the personal information in FIG. 45 (a) with its own anonymization dictionary, as shown in FIG. 45 (b), the items of name and e-mail address are deleted. In the ages, the company is abstracted into the type of business, and the job type is abstracted into development and general affairs.

  On the other hand, when the anonymization device 10 of company B anonymizes the personal information of FIG. 45 (a) with the integrated anonymization dictionary, as shown in FIG. 45 (c), the name and e-mail address items are displayed. Delete, abstract age to age, affiliated company to listed or unlisted company, and affiliated company to industry. In addition, when using the integrated anonymization dictionary, company B's anonymization device 10 abstracts job types into technical positions and office work, abstracts products that show interest into accounting software and servers, and adds a visit booth item. Then, a value “Company B” indicating that it is data of a person who visited Company B is input.

  Thus, the anonymization device 10 of each business operator abstracts the items of the affiliated company in a plurality of dimensions based on the integrated anonymization dictionary. As mentioned above, the integrated anonymization dictionary uses a high-priority dimension, so it is possible to perform abstraction that is useful for each operator by abstracting the dimension that exists in this integrated anonymization dictionary. it can.

  In addition, by integrating the anonymization dictionary as described above, the correspondence relationship of words at the time of abstraction is reorganized, and unique items such as the positions of company A and company B are also abstracted in a common dimension. Therefore, it can be compared with data from other companies that have similar items.

§5. Distribution of Anonymous Information Access management for anonymous information to which access authority is added as described above will be described next. The access management procedure is the same as that described in FIG. 28 of the first embodiment, and will be described with reference to FIG.

When the management server 20 receives an access request to anonymous information from the user terminal 30 or the anonymization device 10 of each business operator (hereinafter simply referred to as the user terminal 30), the management server 20 starts the process of FIG. Authentication is performed (step S410). In the user authentication process, the management server 20 receives authentication information such as a user ID and a password from the user terminal 30, and compares this authentication information with the registered information. The process proceeds to S430, and if they do not match, the processing of FIG. When the management server 20 has a web server function, provides information such as anonymous information as a web page, and the user terminal 30 accesses the management server 20 by a so-called web browser function, the authentication information is It may be transmitted from the user terminal 30 to the management server 20 by HTTP Cookie or the like. Also,
The authentication information may be input from an input unit such as a keyboard by a user operation and transmitted from the user terminal 30 to the management server 20.

  When the authentication is successful, the management server 20 acquires the user management information of the user from the user management DB 251 (step S420). The user management information is recorded in the user management DB 251 in association with information such as a user ID, access authority, and usable dictionary as shown in FIG. The user ID is identification information for uniquely identifying each user. The user access authority is information indicating the authority of the user, that is, the range of anonymous information that can be accessed by the user. In particular, in the example of FIG. 9, the range of access authority (accessible range) is indicated by rank. For example, when ranks A to E are assigned in order of lower authority (the accessible range is narrow), rank A is anonymous information of rank A as an access range, rank B is anonymous information of rank A and rank B as an access range, Rank E uses anonymous information from rank A to rank E as the access range. In this way, the upper authority range may be set to include the lower authority range, or each authority may be set independently. For example, a user having authority A and authority E may access only anonymous information of authorities A and E, and may not be able to access authorities B, C, and D.

  Then, the management server 20 acquires anonymous information within the authority of the user, that is, summary information of anonymous information accessible with the access authority of the user from the anonymous information DB 145 (step S430). As shown in FIG. 35, this summary information may be obtained by reading out summary information recorded in advance in the access management information of each anonymous information, or by reading out some data of item names and anonymous information as summary information. May be.

  The management server 20 transmits the acquired summary information to the user terminal 30 (step S440), and prompts selection of anonymous information to be provided (step S450). For example, the management server 20 provides the user terminal 30 as a web page on which summary information is displayed as a list, and displays an input field for keyword search or narrowing down to prompt selection of anonymous information.

  Then, when the user selects anonymous information from the summary information list and makes a request from the user terminal 30, and the management server 20 receives this request (step S460), the management server 20 accesses the anonymous information. The authority is compared with the access authority of the user (step S470), and it is reconfirmed whether or not the user has the authority to access the anonymous information (step S480). The anonymous information requested at this time may be all items of anonymous information or a range specified by the item. For example, it may be a request in which necessary items are specified such as age, gender, visiting booth, and products showing interest, age is 20s, gender is male, products showing interest are hard, status May be a request in which the value of an item is specified, such as a document request or a business negotiation.

As a result, if the management server 20 determines that the user does not have the authority to access the anonymous information (No in step S480), the management server 20 ends the process of FIG. If it is determined that the user has the right to access (Yes in step S480), the use date and time and the user information (user ID, etc.) are stored in the storage unit 24 as history information (step S490). Moreover, the management server 20 acquires the anonymous information which received the request from anonymous information DB145 (step S500), transmits to the user terminal 30 of a request origin, and displays it (step S510).

  As described above, according to the second embodiment, the personal information collected by each of the plurality of companies is anonymized using a common integrated anonymization dictionary, and the anonymous information is registered in the anonymous information DB. Anonymous information can be used centrally. Even in this case, the anonymization system of the second exemplary embodiment transmits anonymous information only to authorized users based on the access authority, and thus can appropriately control access to the anonymous information. In particular, according to the second embodiment, when creating an integrated anonymization dictionary that integrates the anonymization dictionaries of each operator, authority information related to the integrated anonymization dictionary can be automatically set, Even when anonymous information based on personal information collected is shared, access management can be performed without human intervention.

<Others>
The present invention is not limited to the illustrated examples described above, and various modifications can be made without departing from the scope of the present invention.

DESCRIPTION OF SYMBOLS 10 Anonymization device 12 Memory 13 Communication control part 14 Storage device 15 Input / output interface 20 Management server 22 Memory 23 Communication control part 24 Storage device 25 Input / output interface 30 User terminal 41 Test DB
61 navigation system 100 anonymization system 101 data acquisition unit 102 abstraction unit 103 test unit 104 selection unit 105 level registration unit 106 value determination unit 107 value data acquisition unit 108 word category analysis unit 109 word value calculation unit 111 appearance number acquisition unit 112 Authority determination unit 120 Search engine 131 Personal information DB
132 release condition DB
133 Search information storage DB
134 Temporary processing DB
135 Authority setting DB
145 Anonymous Information DB
201 Request Reception Unit 202 Access Control Unit 203 Output Control Unit 251 User Management DB

Claims (8)

An anonymous information acquisition unit for acquiring anonymous information;
An appearance number obtaining unit for obtaining the number of appearances of words constituting the anonymous information;
An authority determining unit that determines the access authority of the anonymous information based on the number of appearances of the anonymous information;
An authority setting device comprising:   The minimum number of appearances of the words constituting the anonymous information is the minimum number of appearances, the ratio of the minimum number of appearances to the total number of words constituting the anonymous information is the minimum appearance rate, the authority determination unit, The authority setting device according to claim 1, wherein an access authority for the anonymous information is determined based on the minimum appearance rate.   The authority determination unit determines the access authority based on the number of appearances of the anonymous information with reference to an authority storage unit that stores the minimum appearance rate of the anonymous information and the access authority in association with each other. Authority setting device.   The authority setting device according to claim 2 or 3, wherein the authority determining unit determines a rank of the access authority according to a minimum appearance rate of the anonymous information. A data acquisition unit for acquiring anonymization target data;
An abstraction unit that abstracts at least one of a plurality of words constituting the target data to be abstraction candidate data;
A test unit that tests on condition that a combination of values of items of the abstraction candidate data is not limited to one individual of the target data;
A selection unit that selects the abstraction candidate data satisfying the test condition as anonymous information;
An appearance number obtaining unit for obtaining the number of appearances of words constituting the anonymous information;
An authority determining unit that determines the access authority of the anonymous information based on the number of appearances of the anonymous information;
Anonymization device comprising: A data acquisition unit for acquiring anonymization target data;
An abstraction unit that abstracts at least one of a plurality of words constituting the target data to be abstraction candidate data;
A test unit for testing on condition that the combination of the values of the items of the extraction candidate data is not limited to one individual of the target data;
A selection unit that selects the abstraction candidate data satisfying the test condition as anonymous information;
An appearance number obtaining unit for obtaining the number of appearances of words constituting the anonymous information;
An authority determining unit that determines the access authority of the anonymous information based on the number of appearances of the anonymous information;
When an access request to the anonymous information is received from the user's terminal, the access authority of the user is compared with the access authority of the anonymous information, and the access authority of the user is necessary for accessing the anonymous information. And an access control unit that permits access to anonymous information of the anonymous level corresponding to the level,
Anonymization system with Obtaining anonymous information;
Determining the number of occurrences of words constituting the anonymous information;
An authority setting method in which a computer executes the step of determining the access authority of the anonymous information based on the number of appearances of the anonymous information. Obtaining anonymous information;
Determining the number of occurrences of words constituting the anonymous information;
An authority setting program for causing a computer to execute an access authority for the anonymous information based on the number of appearances of the anonymous information.

Images