JP2018180600A - Privacy protection apparatus, privacy protection method, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To control timing at which information is acquired by a service provider when providing the information to the service provider.SOLUTION: A privacy protection apparatus extracts information or a combination of information requested by a provider from the plurality of pieces of information sent by a terminal apparatus, determines whether or not the extracted information or the combination of information corresponds to sensitive information, determines whether or not to send the information or the combination of information determined to correspond to the sensitive information to the provider, encrypts the information or the combination of information determined to send to the provider with an encryption key based on disclosure information indicating a timing of disclosing the information or the combination of information determined to send to the provider, and send a result of encrypting the information or the combination of information determined to send to the provider to the provider.SELECTED DRAWING: Figure 3

Description

  Embodiments of the present invention relate to a privacy protection device, a privacy protection method, and a program.

Social networking service (SNS) is a service that builds a social network (social network) through exchanges on the Internet. As a function of the social network, there is known a technique of monitoring the content of sent personal information, correcting the personal information as necessary, and providing it to the outside.
For social networks, standards relating to a mechanism for providing personal data to web services are known (see, for example, Non-Patent Document 1).
There is known a technique for issuing a warning when a violating service is to be used based on the user's intention set by the user according to P3P (Platform for Privacy Preference) (for example, non- Patent Document 2).

W3C, "The platform for privacy preferences 1.0 (P3P1.0) specification", 2000. Lorrie Faith Cranor, et al. “Use of a P3P User Agent by Early Adopters”, In Proceedings of the 2002 ACM Workshop on Privacy in the Electronic Society, WPES '02, pp. 1-10, 2002.

Information that you do not want others to know depends on the information provision destination and the type of information. However, there may be hundreds of types of information, and it is determined whether the user may provide information for each provision destination or information type, and the information may be provided to the granularity etc. To fix the problem would put a lot of effort on the user. For this reason, in practice, it is merely set whether to transmit information for each provision destination. Even if it is a provision destination set not to transmit information, it may be transmitted depending on the type and situation of the information, but since it is not transmitted at present, the user can provide the information. The services available are limited.
Furthermore, although it is assumed that the information (hereinafter referred to as "sensitive information") that the user does not want to be known to others may differ depending on the user's sense of values and intimacy, it is determined whether to provide information. The values and intimacy of the users are not taken into account.
Furthermore, when using a service that does not require real-time capability, immediately notifying the service provider of information such as location information may be a major privacy risk if it is normal. However, in the event of an abnormality and an emergency, there is a demand for the service provider to immediately notify information.
The present invention has been made to solve the above problems, and its object is to control the timing at which a service provider acquires information when providing information to the service provider.

(1) One aspect of the present invention is an information extraction unit for extracting information or a combination of information requested by a provision destination from a plurality of information transmitted by a terminal device, and a combination of information or information extracted by the information extraction unit Information determination unit that determines whether or not the information corresponds to sensitive information, and transfer determination that determines whether to transmit the information or information combination that the information determination unit determines to correspond to the sensitive information to the provision destination And an encryption key generation unit that generates an encryption key based on disclosure information indicating the timing at which the transfer determination unit determines to transmit to the provision destination or a combination of the information, and the transfer determination unit An encryption unit that encrypts the information determined to be transmitted to the provision destination or the combination of the information using the encryption key, and the encryption unit transmits the information to the provision destination The result of encrypting the combination of the information or the information it is determined that, and a transmitter that transmits to the providing destination is a privacy protection device.
(2) One aspect of the present invention is the privacy protection device according to (1), further including an auxiliary information generation unit that generates auxiliary information, wherein the encryption key generation unit generates the auxiliary information generated by the auxiliary information generation unit. The encryption key is generated based on the auxiliary information and the disclosure information, and the transmission unit encrypts the combination of the information determined to be transmitted to the provision destination by the encryption unit or the disclosure information. It is a privacy protection device which transmits the auxiliary information separately to the provision destination.
(3) In one aspect of the present invention, in the privacy protection device according to (1), the information or the information regarding the information determined to be transmitted to the provision destination by the transfer determination unit or a combination of the information A privacy information protection unit configured to change the granularity of the combination of the information, and the encryption unit encrypts, with the encryption key, the information whose information granularity has been changed by the information modification unit or the combination of the information It is an apparatus.
(4) One aspect of the present invention is the privacy protection device according to the above (3), further comprising: a storage unit for storing the level of protection of information to be transmitted to the provision destination; The privacy protection device changes the granularity of the information extracted by the information extracting unit or the combination of the information according to the level of protection of the stored information.
(5) In one embodiment of the present invention, in the privacy protection device according to the above (3) or (4), the information changing unit does not generate the predetermined information or the combination of the information when a predetermined event does not occur. It is a privacy protection device that changes the granularity.
(6) In one aspect of the present invention, in the privacy protection device according to any one of (3) to (5), the information changing unit is determined to correspond to sensitive information by the information determining unit. A privacy protection device that changes the resolution, accuracy or freshness of the information or the combination of the information.
(7) One aspect of the present invention is the privacy protection device according to any one of (3) to (6), further including an auxiliary information generation unit for generating auxiliary information, wherein the encryption key generation unit The encryption key is generated based on the auxiliary information generated by the auxiliary information generation unit and the disclosure information, and the encryption unit is configured to change the granularity of the information by the information change unit; The combination of information is encrypted with the encryption key, and the transmitter separates the auxiliary information and the result of the encryption of the information or combination of information in which the granularity of the information is changed. It is a privacy protection device that transmits data to a provider.
(8) One aspect of the present invention is the privacy protection device according to any one of the above (1) to (7), wherein the encryption unit encrypts by a time-limited encryption method. It is an apparatus.
(9) One aspect of the present invention is a step of extracting information or a combination of information requested by a provision destination from a plurality of pieces of information transmitted by the terminal device, and a combination of the information or information extracted in the extracting step is sensitive. Determining whether the information corresponds to the information, determining whether the information or the combination of the information determined to correspond to the sensitive information is to be transmitted to the provision destination, and determining to transmit the provision destination A step of generating an encryption key based on disclosure information indicating a timing of disclosing the combination of the information or the information, and encrypting the information or the combination of the information determined to be transmitted to the provision destination using the encryption key And a result of encrypting the combination of the information or the information determined to be transmitted to the provision destination And a step of transmitting to the providing destination is a privacy protection method.
(10) In one aspect of the present invention, the computer of the privacy protection device extracts the information or combination of information requested by the provision destination from the plurality of information transmitted by the terminal device, and the extraction step Determining whether information or a combination of information corresponds to sensitive information, and determining whether information or a combination of information determined to correspond to the sensitive information is to be transmitted to the provision destination. A step of generating an encryption key based on the information determined to be transmitted to the provision destination or disclosure information indicating timing of disclosing the combination of the information, and the information or combination of information determined to be transmitted to the provision destination Encrypting the information with the encryption key, and the information determined to be transmitted to the provision destination Is the result of encrypting the combination of said information, and a step of transmitting to the providing destination, a program.

  According to the present invention, when providing information to a service provider, the service provider can control the timing of acquiring information.

It is a figure showing a communication system concerning an embodiment. It is a figure showing a communication system for vehicles concerning an embodiment. It is a functional block diagram of the privacy protection device concerning an embodiment. It is a figure which shows an example of a privacy protection non-target object event determination table. It is a figure which shows an example of a sensitive information determination table. It is a figure which shows an example of a protection level determination table. It is a figure which shows an example of information disclosure policy DB. It is a functional block diagram of the server concerning an embodiment. It is a flowchart which shows an example of operation | movement (the 1) of the privacy protection apparatus which concerns on embodiment. It is a flow chart which shows an example of operation (the 2) of a privacy protection device concerning an embodiment. It is a flow chart which shows an example of operation of the server concerning an embodiment.

Next, an embodiment for carrying out the present invention will be described with reference to the drawings. The embodiments described below are merely examples, and the embodiments to which the present invention is applied are not limited to the following embodiments.
In all the drawings for explaining the embodiments, the same reference numerals are used for components having the same function, and the repeated description is omitted.

Embodiment
<Configuration of communication system>
FIG. 1 shows an example of a communication system to which a privacy protection apparatus according to an embodiment is applied.
The communication system comprises a privacy protection device 100 and a personal data transmission device 200. Data d01, data d02,..., Data d0 N (N is an integer of N> 2) are supplied to the personal data transmission device 200. The personal data transmission device 200 is connected to the communication network 20, and transmits data d01, data d02,..., Data d0N to the privacy protection device 100 via the communication network 20. An example of the communication network 20 is a mobile communication network. An example of the personal data transmission device 200 is a terminal device such as a smartphone, a tablet terminal, a PC, or an on-vehicle terminal.
The privacy protection device 100 is also referred to as a personal agent, and is connected to a communication network 20 and a network such as the Internet 50. In the privacy protection device 100, a privacy policy is set. The privacy policy is a standard that defines handling of data, such as whether data transmitted from the personal data transmitting apparatus 200 is transferred as it is, processed and transferred based on certain conditions, or not transferred. For example, the privacy policy is set by the user of the privacy protection device 100 that supplies data d01, data d02,..., Data d0N to the personal data transmission device 200.

The privacy protection device 100 determines how to handle the data d01, the data d02,..., The data d0N transmitted by the personal data transmission device 200 based on the privacy policy. For example, the privacy protection device 100 determines whether each of the data d01, the data d02,..., The data d0N is to be transferred to the transfer destination, and whether to process the data when transferring.
Then, when it is determined that the privacy protection device 100 transfers data to one or more of the transfer destination T01, the transfer destination T02, ..., the transfer destination T0M via the Internet 50 without processing the data. And permits the personal data transmission device 200 to transmit the data to the privacy protection device 100. The privacy protection device 100 determines whether the data may lead to a privacy risk by immediately notifying the service provider such as position information, and determines whether or not the information corresponds to information to be notified immediately in case of emergency. When it is determined that the privacy protection device 100 is applicable, the privacy protection device 100 generates an encryption key by the time-limited encryption method based on the information disclosure policy and the auxiliary information set for each transfer destination. Then, if the data includes time information, the privacy protection device 100 deletes the time information, and encrypts the data from which the time information has been deleted using the encryption key. The privacy protection device 100 transfers the encrypted result to the transfer destination. After transferring the encrypted result to the transfer destination, the privacy protection device 100 transfers the auxiliary information to the transfer destination.

When it is determined that the data is changed and transferred to the transfer destination, the privacy protection device 100 permits the personal data transmission device 200 to transmit the data to the privacy protection device 100. The privacy protection device 100 determines whether the data may lead to a privacy risk by immediately notifying the service provider such as position information, and determines whether or not the information corresponds to information to be notified immediately in case of emergency. When it is determined that the privacy protection device 100 is applicable, the privacy protection device 100 generates an encryption key by the time-limited encryption method based on the information disclosure policy and the auxiliary information set for each transfer destination. Then, if the data includes time information, the privacy protection device 100 deletes the time information, changes the data from which the time information is deleted to the appropriate information granularity, and changes the appropriate information granularity. The changed data is encrypted by the encryption key. The privacy protection apparatus 100 transfers the encrypted result to any one or a plurality of transfer destinations of the transfer destination T01, the transfer destination T02, ..., the transfer destination T0M via the Internet 50. After transferring the encrypted result to the transfer destination, the privacy protection device 100 transfers the auxiliary information to the transfer destination. The personal data transmission device 200 and the privacy protection device 100 discard data that is not transferred.
Hereinafter, as an example, the description will be continued regarding the case where the in-vehicle terminal is applied to the personal data transmission device 200. Furthermore, in the following, the case where location information is applied will be continued as an example of information which may lead to privacy risk by immediately notifying the service provider, and in the case of an emergency, information immediately notified.

FIG. 2 shows a configuration example of a vehicular communication system in the case where the on-board terminal 350 is applied to the personal data transmission device 200. As shown in FIG.
The vehicular communication system includes the privacy protection device 100 and the on-vehicle terminal 350. The on-vehicle terminal 350 is mounted on the vehicle 300, and transmits information acquired by the vehicle 300 to the privacy protection device 100. In the vehicle 300, an ECU (Electronic Control Unit) 310a, an ECU 310b, an ECU 310c, an ECU 310d, a GPS (Global Positioning System) 330, and a gateway (G / W: gateway) 320 are installed. The ECU 310a, the ECU 310b, the ECU 310c, the ECU 310d, and the G / W 320 are connected according to a standard used for data transfer between devices such as a CAN (Controller Area Network) 315 or the like.
The ECU 310a, the ECU 310b, the ECU 310c, and the ECU 310d are systems such as an engine, a motor, a meter, a transmission, a brake, an air bag, a lamp, a power steering, a power window, a car air conditioner, a vehicle side receiver of electronic keys, car audio, and car navigation Control. The ECU 310a, the ECU 310b, the ECU 310c, and the ECU 310d acquire the speed information, the traveling route information, the access operation information, the brake operation information, the steering wheel operation information, the engine speed information, the fuel consumption information, and the like, and output them to the on-vehicle terminal 350. The GPS 330 acquires position information of the vehicle 300.
Information obtained by the ECU 310 a, the ECU 310 b, the ECU 310 c, the ECU 310 d, and the GPS 330 (hereinafter referred to as “vehicle information”) is output from the G / W 320 to the data broker 340. The data broker 340 collects vehicle information and outputs it to the on-vehicle terminal 350. The on-vehicle terminal 350 transmits the vehicle information output by the data broker 340 to the privacy protection device 100. Vehicle information output by the on-vehicle terminal 350 is transmitted to the privacy protection device 100 via the communication network 20 by a personal data transmission application program (APPS # 0) 355 corresponding to the function of the personal data transmission device 200. .

The privacy protection device 100 is connected to the Internet 50. Connected to the Internet 50 are a road traffic information server 400a, a server 400b of a data center, a server 400c of an insurance company and a road service company, a server 400d of company X, a time bulletin station 500, and the like.
The road traffic information server 400 a provides road traffic information to the on-board terminal 350. The server 400 b of the data center provides various data to the on-vehicle terminal 350. The insurance company / road service company server 400 c provides the in-vehicle terminal 350 with a service related to insurance. The server 400 d of company X provides the on-board terminal 350 with a service provided by company X.
Hereinafter, as an example, the case where the user of the vehicle 300 mounted with the in-vehicle terminal 350 receives the provision of the service of the X company from the server 400 d of the X company will be described. However, the road traffic information server 400a, the server 400b of the data center, or the insurance company / load is not limited to the case where the user of the vehicle 300 equipped with the in-vehicle terminal 350 receives the service of the X company from the server 400d of the X company. The present invention can also be applied to the case where the server 400c of the service company receives the service.
When the user of the vehicle 300 equipped with the in-vehicle terminal 350 receives the provision of the service of the company X from the server 400d of the company X, the privacy protection device 100 transfers the vehicle information acquired from the vehicle 300 to the server 400d of the company X As for vehicle information determined to be transferred, it is determined whether to change the granularity of the vehicle information. Furthermore, the privacy protection device 100 deletes the time information if the vehicle information determined to be transferred is the position information and the position information includes the time information. Then, the privacy protection apparatus 100 generates an encryption key by a time-limited encryption method based on the information disclosure policy and the auxiliary information set for each transfer destination. The privacy protection apparatus 100 encrypts the position information from which the time information has been deleted using the generated encryption key. The privacy protection device 100 transfers the encrypted result to the transfer destination. After transferring the encrypted result to the transfer destination, the privacy protection device 100 transfers the auxiliary information to the transfer destination.

<Car-mounted terminal>
The on-vehicle terminal 350 includes hardware (HW) and operating system (OS) (HW + OS) 352, web runtime (Webruntime) 354, personal data transmission application program (APPS # 0) 355, APPS # 1, and APPS. # 2 and APPS # 3, ..., APPS # n (n is an integer of n> 3).
The HW includes a central processing unit (CPU), a read only memory (ROM), a random access memory (RAM), a non-volatile memory, a communication I / F unit, and an internal bus connecting the respective units. .
The CPU reads a control program or the like for controlling the operation of the on-vehicle terminal 350 from the non-volatile memory, develops it in the RAM, and executes it. The non-volatile memory is configured by a flash memory, a hard disk drive (HDD), a solid state drive (SSD), a secure digital (SD) card, or the like. The non-volatile memory stores a control program for controlling the operation of the on-vehicle terminal 350 and the like. The communication I / F unit is configured by communication modules such as a wireless LAN module and a mobile communication module. The communication I / F unit communicates with an external device such as the privacy protection device 100 by mobile communication.
The OS provides an interface that abstracts the HW for each function to application software. Webruntime 354 runs web application programs and manages their life cycle, layout and security.
APPS # 0, APPS # 1, APPS # 2, APPS # 3,..., And APPS # n are generated and output by ECU 310 a, ECU 310 b, ECU 310 c, ECU 310 d, and GPS 330 mounted on vehicle 300. The web runtime 354 is notified of a request for acquiring vehicle information.
The web runtime 354 acquires the vehicle information from the G / W 320 via the data broker 340 in response to the request of APPS # 0-APPS # n, and the acquired vehicle information is converted to APPS # 0-APPS # n) To notify.
Furthermore, the personal data transmission application program 355 of APPS # 0 transmits to the privacy protection apparatus 100 vehicle information permitted to be transmitted by the privacy protection apparatus 100.

  In the on-vehicle terminal 350 according to the embodiment, each of the plurality of APPS # 0 to APP # n does not transmit to the privacy protection device 100, but the APPS # 0 transfers to the outside from the other APPS # 1-APPS # n. Vehicle data is collected and transmitted to the privacy protection device 100. As a result, the number of times of communication between the on-board terminal 350 and the privacy protection device 100 can be reduced, so the load on the communication network 20 can be reduced. In addition, the on-vehicle terminal 350 may be provided with an imaging unit, and an image of the vehicle 300 may be captured and transmitted to the privacy protection device 100 as vehicle information. Specifically, the imaging unit captures an image capable of detecting an event occurring inside and outside the vehicle 300.

<Privacy Protection Device>
The hardware configuration of the privacy protection device 100 according to the embodiment will be described. The privacy protection device 100 includes a CPU, a memory, a non-volatile memory, a communication I / F, and an internal bus. The CPU executes, for example, a program stored in a non-volatile memory, and controls each part of the privacy protection device 100 using the memory as a work memory. The memory is configured by a RAM such as a volatile memory using a semiconductor element. The memory is used as a work memory of the CPU. The non-volatile memory is constituted by, for example, a hard disk (HD) or a ROM, and stores a program executed by the CPU. The communication I / F is an interface for communicating with an external device such as the on-vehicle terminal 350 to transmit and receive vehicle data and the like. Furthermore, the communication I / F includes a service gateway, an application store, a road traffic information server 400a, a server 400b of a data center, a server 400c of an insurance company and a load service company, a server 400d of an X company, and a server 400d of an X company via the Internet 50. It communicates with the time report station 500. The internal bus connects the CPU, the memory, the non-volatile memory, and the communication I / F to one another. Each unit connected to the internal bus can exchange data with each other via the internal bus.

<Functional Configuration of Privacy Protection Device>
FIG. 3 shows an example of a functional configuration of the privacy protection device 100.
The privacy protection device 100 includes a wireless communication unit 152, a communication unit 154, an information extraction unit 156, an event determination unit 158, an information determination unit 160, a transfer determination unit 162, an information change unit 164, a storage unit 166, an auxiliary information generation unit 168, An encryption key generation unit 170, an encryption unit 172, and a bus line 169 such as an address bus or a data bus for electrically connecting the above-described components as shown in FIG. 3 are provided. Each of these units is a function realized by any one of the components shown in FIG. 3 being operated by an instruction from the CPU that executes a program developed on the memory from the non-volatile memory.
Each functional configuration of the privacy protection device 100 will be described in detail using FIG. The wireless communication unit 152 is realized by an instruction from the CPU and a communication I / F. The wireless communication unit 152 transmits and receives various data such as vehicle information to and from other devices such as the on-vehicle terminal 350. The communication unit 154 is realized by an instruction from the CPU and a communication I / F. The communication unit 154 communicates with the road traffic information server 400a, the server 400b of the data center, the server 400c of the insurance company and the road service company, the server 400d of the X company, and the time information station 500 via the Internet 50. Send and receive various data between them.
The storage unit 166 stores a privacy protection non-target event determination table 1662, a sensitive information determination table 1664, a protection level determination table 1666, and an information disclosure policy DB 1668. Here, sensitive information (data) is information that is not desired to be known to others. Information that is not disturbed or disturbed even if it is known to others with respect to sensitive information is called non-sensitive information. Even in the case of information called non-sensitive information, there are cases where it may become sensitive information by combining a plurality of information. In the embodiment, information that becomes sensitive information by combining a plurality of information is defined as “context sensitive information”.
An event that is not subject to privacy protection is an event that is determined to be transmitted to the transfer destination without changing the granularity of the vehicle information, even if the vehicle information acquired from the in-vehicle terminal 350 is sensitive information or context sensitive information. .
The disclosure policy is associated with disclosure information indicating timing of information disclosure for each information provider.

<Privacy protected non-subject event judgment table>
FIG. 4 shows an example of the privacy protection non-target event judgment table 1662. The privacy protection non-target event determination table 1662 is a table in which the identification information of the privacy protection non-target event and the privacy protection non-target event are linked. Even if the provision of vehicle information is denied due to sensitive information, context sensitive information or Do Not Track mode etc., deletion of vehicle information or change of information granularity will be performed if an event that is not subject to privacy protection occurs. It is assumed that even if the original vehicle information is transmitted to the provision destination without protection of the information by the user etc., it is often permitted from the user individual.
The events not subject to privacy protection include “events for the purpose of protecting life, body and property” linked to identification information “#a”. "Events aimed at protecting life, body and property" includes events that are reasonably necessary to save the driver, a passenger, a pedestrian, etc., from life, or injuries. . Specifically, air bag deployment, tire burst, vehicle abnormality warning, etc. correspond. In addition, for “events aimed at protecting life, body and property”, we will specify the location of a vehicle that is reasonably identified as stolen or damaged, and grasp the situation and support discovery (in the case of theft) To include the necessary events. In addition, “events for the purpose of protecting life, body and property” include the investigation of violent crimes such as abduction, terrorism, and homicide, and rationalization within legal authority in order to assist in locating or finding vehicles. It includes necessary events. In addition, in “event for the purpose of protection of life, body and property”, in order to support identification or detection of affected vehicles and victims in bridge collapse, tunnel collapse, fallout, etc. at the time of disaster such as natural disasters, Includes events that are reasonably necessary within legal authority.

The events not subject to privacy protection include “events for the purpose of safety / benefit such as following / surrounding vehicles” linked to the identification information “#b”. The “event aimed at safety and benefit of the following and surrounding vehicles and the like” includes an event in which the host vehicle is determined to be a dangerous traveling vehicle due to a sudden change in health condition or a nap. Also, “events aimed at safety / benefits such as following / surrounding vehicles” include dangerous road surface conditions such as snow, pressure snow, freezing, half humidity, wetness, flood, etc., obstacles such as accident vehicles, falling rocks, depressions, etc. It includes events to notify the following vehicles, etc. such as objects, sudden brakes and spots (jumpers including pedestrians). In addition, “events aimed at safety and benefits such as following and surrounding vehicles” include events that notify lane regulation and large parking space.
The privacy protection non-target event includes the “event aimed at user's benefit etc.” linked to the identification information “#c”. In "event for the user's benefit etc.", one application program has a plurality of provided services and operation modes, etc., and under certain conditions, the user's information provision target, granularity Are excluded from the scope of privacy protection because they are different. For example, the “event intended for the benefit of the user” includes a wait for a car share or a ride share, that is, a waiting mode (individual action mode) and a meeting, that is, a riding mode (business mode). Furthermore, the “event intended for the benefit of the user” includes coupons and special offers etc. that you want to receive only when you are within a certain distance from a certain store.
The user of the vehicle 300 can designate any one or more pieces of identification information #a, #b and #c as privacy protection non-target events, but is not limited to this example. For example, events other than the identification information #a, #b, and #c may be registered by the user.

<Sensitive information judgment table>
FIG. 5 shows an example of the sensitive information determination table 1664. The sensitive information determination table 1664 is used to determine whether a combination of vehicle information or vehicle information corresponds to sensitive information or context sensitive information. The sensitive information determination table 1664 is a table in which information identifying sensitive information and sensitive information are linked. Sensitive data includes sensitive information and general personal information described in JIS Standard Q15001: 2006 “Personal Information Protection Management System”. Vehicles and their travel depend on individual users, but This is a representative example in which the information shown in FIG. 5 can be sensitive information.
The sensitive information includes “home, work, destination” linked to the identification information “#A”. "Home, work, destination" includes sensitive location and time and position information. The sensitive information includes “information that may be determined as a traffic violation” linked to the identification information “#B”. "Information that may be judged as a traffic violation" includes overspeeding, slowing place violation, parking / parking violation, signal ignorance, temporary stop, crossing non-stop, traffic classification / passage zone violation. Furthermore, the speeding location violation includes time and position information, speed limit information, traveling speed and the like. The parking and parking violation includes time and position information, road sign information, speed, parking brake, and ignition off. Signal neglecting includes time and position information, traffic signal, and speed. The railroad crossing non-stop includes time and position information, road sign information, speed, brakes and the like. Traffic classification / traffic zone violations include time and position information, road sign information, and speed.
The sensitive information includes “information that increases the risk of damage such as a stalker or robbery” linked to the identification information “#C”. "Information that increases the risk of damage such as stalks and robbers" includes travel routes, time and location, speed, and in particular the current location. The sensitive information includes “driving skill / skill” linked to the identification information “#D”. "Driving habit / skill" includes accelerator / brake / steering wheel operation, vehicle speed, acceleration, engine speed, fuel consumption / electricity. Furthermore, acceleration includes sudden start and sudden braking.
According to the sensitive information determination table 1664, the position information is likely to be sensitive information because it relates to the information listed in the above-mentioned JIS standard and general personal information even if the data itself is only one. However, for information other than location information, in most cases, a single piece of data is less sensitive to the individual user, and the combination (context) of the data is more sensitive.

<Protection level judgment table>
The protection level determination table 1666 is registered with the user's intention for the vehicle information. Depending on the transfer destination (the information provision destination) and the purpose of the combination of the information that the user is concerned with or the combination of the information to be sensitive information (context), it may be necessary to delete the information or change the granularity of the information. is there. For example, in the case of a traffic violation, if the vehicle is not determined to be a traffic violation, it is not necessary to change or delete vehicle information as non-sensitive information. In addition, when the traveling inspection application or the like does not require position information, it is not necessary to change or delete vehicle information.
FIG. 6 shows an example of the protection level determination table 1666. The protection level determination table 1666 is a table in which a user identification ID, information targeted for protection as privacy, a protection level, and a protection exception are linked. Each column of the protection level determination table 1666 is registered by the user of the vehicle 300. The user identification ID is information for identifying the user of the vehicle 300 that receives the service by providing vehicle information to the server 400 d of company X. As information targeted for protection as privacy, data corresponding to sensitive information is registered. That is, any one or more pieces of identification information of identification information #A, #B, #C, and #D in the sensitive information determination table 1664 of FIG. 5 are registered. The user may register information other than the identification information #A, #B, #C, and #D. In the example shown in FIG. 6, the information to be protected for protection as privacy of the user whose user identification ID is "100aa" is "#A". That is, “home, work, destination” in the sensitive information determination table 1664 of FIG. 5 is registered.
The level of protection indicates whether vehicle information corresponding to sensitive information or vehicle information corresponding to context sensitive information is to be transmitted to server 400d of company X, and information to be applied to the vehicle information when transmitted. The particle size is registered. Specifically, when the level of protection is not transmitted to the server 400 d of company X, “not available” is registered. Furthermore, if the identification information "#A" (home, work, destination) is registered in the information for which protection is requested as privacy, "original data level", "city level", " Area sizes such as "prefecture level" are registered. Further, when identification information “#A” is registered in the information for which protection is requested as privacy, the granularity of latitude and longitude may be registered as the level of protection. For example, the information resolution may be registered so as to change the position information of latitude 35.101293 degrees north and longitude 139.740 906 east and change the position 35.70 degrees north longitude and 139.74 degrees east. In addition, if identification information "#B" (information that may be determined to be a traffic violation) is registered in the information for which protection is requested as privacy, the level of "original data level" or "10 km / h" The granularity of the information such as “resolution”, “general road less than 10 km / h”, and “high road less than 30 km / h” may be registered.

If the identification information “#C” (information that increases the risk of damage such as stalking or robbery) is registered in the information for which protection is requested as privacy, “original data level” as the protection level, Area sizes such as "city level" and "prefecture level" are registered. Further, when identification information “#C” is registered in the information for which protection is requested as privacy, the granularity of latitude and longitude may be registered as the level of protection. In addition, when the identification information "#C" is registered in the information for which protection is requested as privacy, "original data level", "resolution of 10 km / h", "general road 10 km / h" as the protection level The granularity of the information such as "less than or not less than" or "whether less than 30 km / h for expressway" may be registered. In addition, when identification information "#D" (driving habit / skill) is registered in information targeted for protection as privacy, identification information "#A", "#B", and so on as protection levels. A granularity different from "#C" may be registered for each sensitive information. In the example shown in FIG. 6, when providing "home, work, destination" to server 400d of company X, changing to the granularity of "city level" is registered.
Even if the exception of the protection is vehicle information corresponding to the sensitive information, an event determined to be provided to the server 400d of company X as the original vehicle information is registered. That is, any one or more pieces of identification information of the identification information #a, #b, and #c of the privacy protection non-target object determination table 1662 of FIG. 4 are registered. Information other than the identification information #a, #b, and #c may be registered by the user. In the example shown in FIG. 6, “#a” is registered as the identification information shown in the privacy protection non-target event judgment table 1662 in FIG. 4 as an exception of the protection. That is, in the case where “event for the purpose of protecting life, body and property” occurs, the privacy protection device 100 transmits the original vehicle information to the server 400 d of company X even if the data corresponds to the sensitive information. provide.

<Information Disclosure Policy DB>
The information disclosure policy DB 1668 is for registering the timing of disclosing the provided vehicle information for each provision destination of the vehicle information. In the information disclosure policy DB 1668, when the privacy protection device 100 transmits vehicle information to the service provider, the time from when the service provider receives the vehicle information to when it can be registered is registered.
FIG. 7 shows an example of the information disclosure policy DB 1668. The information disclosure policy DB 1668 is a table in which information providing destinations and disclosure information are linked. Each column of the information disclosure policy DB 1668 is registered by the user of the vehicle 300. The information provision destination indicates the transmission destination of vehicle information such as the road traffic information server 400a, the server 400b of the data center, the server 400c of the insurance company / road service company, and the server 400d of company X. The disclosure information indicates the time when the service provider can disclose the vehicle information after receiving the vehicle information. Return to FIG. 3 and continue the explanation.

The information extraction unit 156 is realized by an instruction from the CPU and a communication I / F. Information representing the vehicle information requested by the X company is supplied from the server 400 d of the X company to the information extraction unit 156 via the Internet 50. For example, a list SP1 of vehicle information required by the X company is supplied from the server 400d of the X company. Furthermore, the information extraction unit 156 holds a collectable data table T1 in which vehicle information that can be collected by the privacy protection device 100 is registered. The information extraction unit 156 extracts the vehicle information collectable by the privacy protection device 100 from the vehicle information included in the list SP1 of vehicle information by collating the collectable data table T1 and the list SP1 of vehicle information. Information extraction unit 156 acquires the extracted vehicle information from on-vehicle terminal 350 and outputs the information to information determination unit 160.
The event determination unit 158 is realized by an instruction from the CPU. The event determination unit 158 determines whether or not a privacy protection non-target event has occurred in the vehicle 300. For example, the event determination unit 158 refers to the privacy protection non-target event determination table 1662 and the protection level determination table 1666 stored in the storage unit 166, and the vehicle information transmitted by the on-vehicle terminal 350 is the protection level determination table 1666. It is determined whether any of the identification information #a, #b and #c of the privacy protection non-target event judgment table 1662 registered in the protection exception column of # 1 corresponds. The event determination unit 158 selects one of the identification information #a, #b, and #c of the privacy protection non-target event determination table 1662 in which the vehicle information is registered in the protection exception column of the protection level determination table 1666. Information indicating the determination result of whether or not to correspond is output to the information determination unit 160.

The information determination unit 160 is realized by an instruction from the CPU. The information determination unit 160 determines whether the determination result supplied by the event determination unit 158 indicates that a privacy protection non-target event has occurred. When an event not subject to privacy protection occurs, the information determination unit 160 refers to the sensitive information determination table 1664 and the protection level determination table 1666 stored in the storage unit 166, and is supplied from the information extraction unit 156. It is determined whether vehicle information corresponds to sensitive information. Specifically, the information determination unit 160 is a sensitive information determination table 1664 in which the vehicle information supplied from the information extraction unit 156 is registered in the column of information to be protected for protection as privacy of the protection level determination table 1666. It is determined whether any of the identification information #A, #B, #C, and #D is applicable. Then, the information determining unit 160 outputs the vehicle information corresponding to the sensitive information to the transfer determining unit 162, and outputs the vehicle information other than the vehicle information corresponding to the sensitive information to the communication unit 154. That is, the information determination unit 160 outputs, to the communication unit 154, vehicle information that does not correspond to the context sensitive information or corresponds to the nonsensitive information.
Further, when the privacy protection non-target event has not occurred, the information determination unit 160 refers to the sensitive information determination table 1664 and the protection level determination table 1666 stored in the storage unit 166, and supplies the information from the information extraction unit 156. It is determined whether the received vehicle information corresponds to sensitive information or context sensitive information. Specifically, the information judgment unit 160 registers the combination of vehicle information or vehicle information supplied from the information extraction unit 156 in the column of information for which protection is sought as privacy of the protection level judgment table 1666. It is determined which one of identification information #A, #B, #C, and #D of the sensitive information determination table 1664 being processed corresponds. Then, information determination unit 160 outputs vehicle information corresponding to sensitive information or context sensitive information to transfer determination unit 162, and outputs vehicle information other than vehicle information corresponding to sensitive information or context sensitive information to communication unit 154. . That is, the information determination unit 160 outputs the vehicle information corresponding to the non-sensitive information to the communication unit 154.

The transfer determination unit 162 is realized by an instruction from the CPU. The transfer determination unit 162 determines whether to transfer the vehicle information supplied by the information determination unit 160 to the server 400 d of company X. Specifically, the transfer determination unit 162 refers to the column of the protection level in the protection level determination table 1666 stored in the storage unit 166, and determines that the transfer is not performed when it is determined that “provision is not possible”. If it is determined that it is other than "provision not available", it is determined to be transferred. The transfer determination unit 162 deletes the vehicle information supplied by the information determination unit 160 when it is determined as “not available”, and the vehicle supplied by the information determination unit 160 when it is determined other than “not available”. The information is output to the information changing unit 164.
The information change unit 164 is realized by an instruction from the CPU. The information changing unit 164 determines whether the vehicle information supplied by the transfer determining unit 162 is position information. If it is determined that the vehicle information is not position information, the information changing unit 164 changes the granularity of the vehicle information when transferring the vehicle information to the server 400 d of company X. On the other hand, when it is determined that the position information is present, the information changing unit 164 deletes the time information if the position information includes the time information, and the position information from which the time information is deleted is the server 400d of X company. In the case of transfer to the vehicle, the granularity of the vehicle information is changed as necessary. Specifically, according to the granularity of the information registered in the column of protection level of protection level determination table 1666 stored in storage unit 166, information changing unit 164 selects vehicle information or position information as necessary. change. Then, the information changing unit 164 outputs, to the encrypting unit 172, the position information in which the granularity of the information has been changed, as needed, and at the same time, the information notifying the auxiliary information generating unit 168 that the position information is to be transmitted. Output a certain location information transmission notification. Here, the information changing unit 164 may adopt one in which the protection level is higher if there are a plurality of protection levels designated for one data and the protection levels are different. For example, when the address code (prefecture, city, district, town and village code) has the highest protection level, the address code may be adopted as position information when there is an overspeed in the sensitive location area.

When the auxiliary information generation unit 168 acquires the position information transmission notification output from the information change unit 164, the auxiliary information generation unit 168 generates information to be used when the server 400d of company X decrypts the encrypted position information. Hereinafter, information used when the server 400 d of company X decrypts the encrypted position information is referred to as auxiliary information. The auxiliary information generation unit 168 outputs the generated auxiliary information to the encryption key generation unit 170 and the encryption unit 172.
When the encryption key generation unit 170 acquires the auxiliary information output from the auxiliary information generation unit 168, the encryption key generation unit 170 is associated with the server 400d of company X to which the information is provided among the disclosure information described in the information disclosure policy DB 1668. Obtain disclosure information. Here, the description will be continued in the case where the disclosure information associated with the server 400d of company X, which is the information provision destination, is disclosure after M3 time, that is, timing at which M3 time elapses disclose position information. Based on the acquired auxiliary information and the disclosure information, the encryption key generation unit 170 generates an encryption key such as a common key that encrypts the position information in a decodable manner after the elapse of M3 time by the time-limited encryption method. The encryption key generation unit 170 generates a random number r, and calculates s = e (rP, wP) based on the generated random number r, the auxiliary information w, and the disclosure information t0 (= M3). Here, e (rP, wP) is an operation called pairing and gives a bilinear mapping. P is a point on the elliptic curve, and rP and wP correspond to multiplication on the elliptic curve. Then, the encryption key generation unit 170 sets a digest value such as a hash value of the calculation result s as the encryption key of the position information. The encryption key generation unit 170 outputs the encryption key to the encryption unit 172.
The encryption unit 172 acquires the position information output by the information change unit 164 and the encryption key output by the encryption unit 172. The encryption unit 172 encrypts the position information whose granularity of the information has been changed using the encryption key. The encryption unit 172 outputs the encrypted result to the communication unit 154. The communication unit 154 transmits the encrypted result. Then, the encryption unit 172 outputs the auxiliary information to the communication unit 154 after an elapse of M2 time (M3> M2) after the communication unit 154 transmits the encrypted result. The communication unit 154 transmits the auxiliary information.

(server)
FIG. 8 is a functional block diagram showing an example of the server according to the embodiment. Here, among the functions of the server 400, the function of acquiring location information by receiving the encrypted result and the auxiliary information transmitted by the privacy protection apparatus 100 and decrypting the encrypted result will be described.
The server 400 includes a communication unit 402, a storage unit 410, and a control unit 430.
The communication unit 402 is realized by a communication module. The communication unit 402 communicates with other devices such as the privacy protection device 100 and the time signal station 500 via the Internet 50. Specifically, the communication unit 402 receives the encrypted result transmitted by the privacy protection apparatus 100, and outputs the received encrypted result to the control unit 430. Further, the communication unit 402 receives the auxiliary information w transmitted by the privacy protection device 100, and outputs the received auxiliary information w to the control unit 430. The communication unit 402 also receives the time information to which the electronic signature transmitted by the time-reporting station 500 is added after the lapse of M3 time, and outputs the time information to which the received electronic signature is added to the control unit 430.
The storage unit 410 stores the program 412. The program 412 causes the control unit 430 to function as an acquisition unit 432 and a decryption unit 434.
The control unit 430 includes, for example, an arithmetic processing unit such as a CPU, and functions as an acquisition unit 432 and a decryption unit 434 by executing the program 412 stored in the storage unit 410. The acquisition unit 432 acquires the encrypted result output from the communication unit 402, and outputs the acquired encrypted result to the decryption unit 434. In addition, the acquisition unit 432 acquires the auxiliary information w output from the communication unit 402, and outputs the acquired auxiliary information w to the decryption unit 434. Here, the acquiring unit 432 acquires the auxiliary information w after an elapse of M2 after acquiring the encrypted result, and acquires time information to which the electronic signature is added after an elapse of M3 after acquiring the encrypted result. get.
The decryption unit 434 verifies the electronic signature when acquiring the encrypted result output from the acquisition unit 432, the auxiliary information w, and the time information to which the electronic signature is added. When the verification of the electronic signature is successful, the decryption unit 434 e (r (t0 + x) P, w / (x + t0) P) = s based on the acquired auxiliary information w and the time information t0 (= M3). Calculate Then, the decryption unit 434 sets a digest value such as a hash value of the operation result s as a decryption key of the position information. The decryption unit 434 obtains the position information by decrypting the encrypted result using the decryption key.

<Operation of privacy protection device>
FIG. 9 shows an example of the operation (part 1) of the privacy protection device 100 according to the embodiment. The example shown in FIG. 9 shows an operation after the list SP1 of vehicle information requested by the company X is supplied from the server 400d of the company X to the privacy protection device 100.
(Step S102) The wireless communication unit 152 collects vehicle information transmitted by the on-board terminal 350 mounted on the vehicle 300.
(Step S104) The information extraction unit 156 extracts, from the vehicle information collected in step S102, the vehicle information requested by the information provider, that is, the company X.
(Step S106) The event determining unit 158 determines whether an event that is not subject to privacy protection has occurred. If an event not subject to privacy protection has not occurred, the process proceeds to step S108. If an event has occurred, the process proceeds to step S202 of FIG.
(Step S108) The information determination unit 160 determines whether the vehicle information extracted in step S104 is sensitive information or context sensitive information. When vehicle information is sensitive information, it transfers to step S110, and when vehicle information is not sensitive information, it transfers to step S208 of FIG.
(Step S110) The transfer determination unit 162 determines whether the vehicle information extracted in step S104 is to be provided to the server 400d of company X. If it is determined that the server 400d of company X is not provided, the process ends. If it is determined that the server 400d is provided, the process proceeds to step S112.
(Step S112) The information changing unit 164 determines whether the vehicle information is position information. If it is determined that the vehicle information is position information, the process proceeds to step S114. If it is determined that the vehicle information is not position information, the process proceeds to step S206 in FIG.

(Step S114) The information changing unit 164 deletes the time information when the time information is included in the vehicle information.
(Step S115) The information changing unit 164 changes the vehicle information as necessary according to the granularity of the information registered in the column of the protection level of the protection level determination table 1666.
(Step S116) The encryption key generation unit 170 generates an encryption key based on the auxiliary information generated by the auxiliary information generation unit 168 and the disclosure information associated with the server 400d stored in the information disclosure policy 1668. .
(Step S118) The encryption unit 172 encrypts the vehicle information with the encryption key.
(Step S120) The communication unit 154 creates a message set including the result of encrypting the vehicle information.
(Step S122) The communication unit 154 transmits the created message set to the server 400d of company X.
(Step S124) Whether or not the auxiliary time is a time to transmit is determined by determining whether the time indicated by the time-related information associated with the server 400d of company X has elapsed. Determine If it is not time to transmit the assist time, the process returns to step S124, and if it is time to transmit the assist time, the process proceeds to step S126.
(Step S126) The encryption unit 172 transmits the auxiliary information.

FIG. 10 shows an example of the operation (part 2) of the privacy protection device 100 according to the embodiment. In the example shown in FIG. 10, the operation in the case where an event that is not the target of privacy protection has occurred in step S106 of FIG. 9 is shown.
(Step S202) The information determination unit 160 determines whether the vehicle information extracted in step S104 is sensitive information. If the vehicle information is not sensitive information, the process proceeds to step S204.
(Step S204) The transfer determination unit 162 determines whether to provide the vehicle information extracted in step S104 to the information provider. If it is determined that the information provision destination is not provided, the process ends. If it is determined that the information provision destination is provided, the process proceeds to step S206.
(Step S206) The information changing unit 164 changes the vehicle information as needed according to the granularity of the information registered in the column of the protection level of the protection level determination table 1666.
(Step S208) The communication unit 154 creates a message set including the result of encrypting the vehicle information.
(Step S210) The communication unit 154 transmits the created message set to the server 400d of company X.
The flowcharts shown in FIGS. 9 to 10 are an example, and the processing may be performed in an order different from those in FIGS. 9 to 10. For example, the order of step S106, step S108, step S110, and step S112 may be reversed.

<Server operation>
FIG. 11 shows an example of the operation of the server according to the embodiment. The example shown in FIG. 11 shows the operation after the server 400 d of company X receives the encrypted result transmitted by the privacy protection apparatus 100.
(Step S302) The communication unit 402 receives the vehicle information transmitted by the privacy protection device 100. This vehicle information is encrypted.
(Step S304) Decoding unit 434 determines whether or not time M4 has elapsed since the vehicle information was received. Here, the time M4 is a time longer than the time M3. If the time M4 has not elapsed, the process proceeds to step S306, and if the time M4 has elapsed, the process ends. If it has ended, it means that the server 400d of company X could not acquire the position information.
(Step S306) The decoding unit 434 determines whether the auxiliary information has been received. Specifically, the decryption unit 434 determines whether the auxiliary information has been received after an elapse of M2 time since the reception of the vehicle information. If the auxiliary information is received, the process proceeds to step S308. If the auxiliary information is not received, the process proceeds to step S304.
(Step S308) The decrypting unit 434 acquires time information to which the electronic signature is added. Specifically, the decryption unit 434 acquires time information to which the electronic signature is added after M3 time has elapsed since the reception of the vehicle information.
(Step S310) The decryption unit 434 generates a decryption key based on the time information and the auxiliary information.
(Step S312) The decoding unit 434 decodes the vehicle information received in step S302.

(Encryption and decryption of location information)
The process of encrypting the position information performed by the privacy protection apparatus 100 described above and the process of decrypting the result of encrypting the position information performed by the server 400 of the service provider will be described. Let (G1, +) and (G2, x) be groups in which the discrete logarithm problem is difficult.
e: Let G1 × G1 → G2 be a pairing map. That is, e (nP, Q) = e (P, nQ) holds.
Also, in the pairing operation, equation (1) holds.
e (xP, yP) = e (yP, xP) = e (P, P) ^ xy (1)
The time broadcasting station 500 uses a natural number x as a secret key, selects P∈G1 (P included in G1), and publishes (P, xP) as a public key. The time report station 500 issues (t, 1 / (x + t) P) every second as a formal time signal with respect to the current time t.
If e (1 / (x + t) P, xP + tP) = e (P, P) holds, the server 400 determines that the signature is formal.
The privacy protection device 100 selects a time t0 defined by the random number r, the auxiliary information w, and the privacy requirement, and calculates s = e (rP, wP). The privacy protection apparatus 100 encrypts the hash value of the calculated result s as C = E_s (P) using an encryption method such as common key encryption as an encryption key of the position information. (T0, r (t0 + x) P) is added as a header to the encrypted position information. The privacy protection apparatus 100 sends the supplementary information w to the service provider after the lapse of M2 time.
The server 400 receives the auxiliary information w after the elapse of M2 time. Also, the server 400 can obtain, from the time report station 500, signature data 1 / (x + t0) P attached to a formal time report at time t0. Therefore, the server 400 calculates e (r (t0 + x) P, w / (x + t0) P) = e (rP, wP) ^ ((t0 + x) / (x + t0)) = e (rP, wP) = s Since the decryption key can be derived from the hash value of s obtained by calculation, the location information can be decrypted.

(Example of application)
When time and location information are included as data or data group transfer targets, privacy protection device 100 for transferring data or data groups has M1 time since the ignition key of the vehicle is turned on and travel is started. In the meantime, time and location information are excluded from transfer targets. This can prevent the location information of the departure point of the vehicle such as a house from being transmitted to the service provider, thereby avoiding privacy risk.
Furthermore, when time and position information are included as a transfer target of data or data group, it is determined that the ignition key of the vehicle is turned off and the travel is stopped in privacy protection device 100 which transfers data or data group. In this case, sending of the auxiliary information required to decrypt the encrypted result is stopped for M2 time before stopping. M1 is determined by statistics of the number of vehicles stored in the vicinity of the departure place and the number of traveling vehicles and the degree (N) that the user does not want to know. This can prevent the location information of the arrival point of a vehicle such as a house from being transmitted to the service provider, thereby avoiding privacy risk.
On the other hand, when time and location information are included as transfer targets of data or data group, the privacy protection device 100 generates an "information protection non-target event" designated in advance by the user, and a predetermined organization / group In the case of receiving a disclosure request from etc., all information is disclosed to a predetermined organization / group. This enables the service provider to be notified immediately of the information if an abnormality occurs and the situation is urgent.

In the embodiment described above, the privacy protection device 100 may store a certain number of access logs to the Internet. Then, the user may be able to delete all or part of the access log and prohibit access to a specific site. Further, the privacy protection apparatus 100 may prohibit transmission of the original data or data group to the transfer destination in a communication protocol other than the specified communication protocol. In addition, the privacy protection apparatus 100 may prohibit transmission of the original data or data group to the transfer destination in a data format other than the designated data format.
In addition, the privacy protection device 100 substitutes the user for the prior consent for the secondary use, such as providing the vehicle information collected by the provider to the third party, from the provider. You may make an answer. In this case, the privacy protection apparatus 100 may return an answer prohibiting the secondary use in the following cases (a), (b) and (c).
(B) When a third party is prohibited from secondary use by the user's intention (b) When a third party is already a transfer destination in the privacy protection device (b) Third party, privacy protection When the device is a transfer destination in the past, and the transfer period includes the target period of secondary usage data

In the embodiment described above, the case where location information is applied is described as an example of information which may lead to privacy risk by immediately notifying a service provider, and in the case of emergency, information immediately notified. It is not limited to the example. For example, the present invention can be applied to information other than position information.
In the embodiment described above, the case where the privacy protection device 100 generates the encryption key by the time-limited encryption method based on the disclosure information and the auxiliary information and encrypts the position information with the generated encryption key has been described. However, it is not limited to this example. For example, the privacy protection apparatus 100 may generate an encryption key by a time-limited encryption method based on the disclosure information, and encrypt the position information with the generated encryption key. By this configuration, the vehicle information provider can decrypt the encrypted result at the disclosed timing indicated by the disclosure information without receiving the auxiliary information.
Although the case where the granularity of information is changed for every user identification ID and the provision destination of information was demonstrated in embodiment mentioned above, it is not restricted to this example. For example, the granularity of the information may be changed for each application installed in the on-board terminal 350. Furthermore, when the privacy protection device 100 can not determine whether or not an event not subject to privacy protection has occurred, the determination may be made by the on-vehicle terminal 350 or may be determined by a device other than the on-vehicle terminal 350. Good.
In the embodiment described above, although the case where the personal data transmission device 200 is connected to the communication network 20 has been described, the present invention is not limited to the communication network 20 and may be connected to the Internet 50. Moreover, in the embodiment described above, although the case where the privacy protection device 100 is connected to the Internet 50 has been described, the present invention is not limited to the Internet and may be connected to a network other than the Internet. Furthermore, the personal data transmission device 200 may be connected to a network other than the Internet.
In the embodiment described above, M1 hour, M2 hour, and M3 hour may be expressed in seconds or minutes.

  Also, in the embodiment described above, the privacy protection device 100 transfers data to any one or more of the transfer destination T01, transfer destination T02, ..., transfer destination T0M via the Internet 50. Although it has been described that the personal data transmitting apparatus 200 is allowed to transmit the data to the privacy protection apparatus 100 when it is determined that the determination is made, the present invention is not limited to this example. For example, the personal data delivery device 200 may send all information (with no duplication) to the privacy protection device. In this case, the privacy protection device 100 performs transfer permission / change and granularity change on the data transmitted by the personal data transmission device 200. By configuring in this manner, the personal data transmission device 200 and the privacy protection device 100 can be simplified or reduced in cost.

According to the communication system according to the embodiment, the vehicle information is transmitted from the provider to the provider via the privacy protection device. The privacy protection device may collect multiple pieces of vehicle information from the provider, and the vehicle information may immediately notify the provider based on the provider's intention for each provider, which may lead to a privacy risk. In the case of an emergency, if it corresponds to the information to be notified immediately, the vehicle information can be changed or deleted, and the changed vehicle information can be encrypted and distributed.
According to the communication system according to the embodiment, by providing the privacy protection device 100 between the on-board terminal 350 and the service provider, the privacy protection device 100 can receive the service while the vehicle is traveling. Proxy the user's intention according to the policy. Therefore, data transmission between the on-board terminal 350 and the GW can be reduced.
According to the communication system according to the embodiment, the privacy protection device 100 may lead to a privacy risk by immediately notifying the provision destination of the position information etc., and when sending information to be notified immediately in case of emergency According to the disclosed information, the information is encrypted using a time-limited encryption method or the like, and the encrypted result is sent. By configuring in this way, it is possible to control the time during which the service provider can acquire location information based on the type of service and privacy requirements.

In the embodiment described above, the in-vehicle terminal is output by the in-vehicle terminal by transmitting to the privacy protection device 100 as compared with the case where the plurality of applications individually acquire the vehicle information and transfer the information to the information provision destination. The amount of data transmission can be reduced and the efficiency can be improved. Furthermore, the change of vehicle information is realized by changing the granularity of information such as resolution, accuracy, freshness and the like. The user can select the degree of abstraction of the information to be applied according to his / her situation about how to adopt the abstract concept. For example, the user may find the number of digits of latitude and longitude for the position information and the name of the city, time for hours, minutes and seconds, morning / day / night / even, etc. It can be selected according to whether it is the case.
The privacy protection device according to the embodiment is not limited to the vehicle and the vehicle information supplied from the in-vehicle terminal, and can accommodate the information supplied by any terminal device, and can provide the above-described function. This can further reduce the burden on the user for privacy protection in an environment where IoT (Internet of Things) is applied where various things are connected to the network.
In the embodiment described above, the in-vehicle terminal is an example of a terminal device, the in-vehicle information is an example of information, the server 400 d of company X is an example of a provision destination, and the context is an example of a combination of information The unit is an example of a transmission unit, and the personal data transmission device 200 is an example of an acquisition unit.
Although the present invention has been described with reference to specific embodiments and variations, each embodiment and variation are merely examples, and those skilled in the art should understand that various variations, modifications, alternatives, substitutions, etc. Will understand. Although the apparatus according to the embodiments of the present invention has been described using a functional block diagram for convenience of explanation, such an apparatus may be realized in hardware, software or a combination thereof. The present invention is not limited to the above embodiments, and includes various modifications, alterations, alternatives, and replacements without departing from the spirit of the present invention.

Reference Signs List 20 communication network 50 Internet 100 privacy protection device 152 wireless communication unit 154 communication unit 156 information extraction unit 158 event determination unit 160 information determination unit 162 transfer determination unit 164: information change unit, 166: storage unit, 168: auxiliary information generation unit, 170: encryption key generation unit, 172: encryption unit, 1662: event judgment table not subject to privacy protection, 1664: sensitive information judgment table, 1666 ... Protection level determination table, 1668 ... information disclosure policy, 200 ... personal data transmission device, 300 ... vehicle, 310a, 310b, 310c, 310d ... ECU, 315 ... CAN, 320 ... G / W, 330 ... GPS, 340 ... Data Broker , 350 ... car terminal, 352 ... HW + OS, 354 ... eb runtime 355: personal data transmission application program 400a: road traffic information server 400b: data center server 400c: insurance company / road service company server 400d: X company server 402: communication unit 410 ... storage unit 412 ... program, 430 ... control unit, 432 ... acquisition unit, 434 ... decoding unit, 500 ... time signal station

Claims (10)

An information extraction unit that extracts information or a combination of information requested by a provision destination from a plurality of pieces of information transmitted by the terminal device;
An information determination unit that determines whether the information or combination of information extracted by the information extraction unit corresponds to sensitive information;
A transfer determination unit that determines whether the information determination unit determines that information or a combination of information determined to correspond to sensitive information is to be transmitted to the provision destination;
An encryption key generation unit that generates an encryption key based on disclosure information indicating the timing of disclosing the combination of the information or the combination determined to be transmitted to the provision destination by the transfer determination unit;
An encryption unit that encrypts, with the encryption key, the information determined to be transmitted to the provision destination by the transfer determination unit or a combination of the information;
A transmitter configured to transmit, to the provision destination, a result obtained by encrypting the information determined to be sent to the provision destination by the encryption unit or a combination of the information. An auxiliary information generation unit that generates auxiliary information;
The encryption key generation unit generates the encryption key based on the auxiliary information generated by the auxiliary information generation unit and the disclosure information.
The transmission unit separately transmits the auxiliary information and the result obtained by encrypting the combination of the information or the disclosure information determined to be transmitted to the provision destination by the encryption unit to the provision destination. Privacy protection device as described in. An information changing unit that changes the granularity of the information or the combination of the information determined as the information or the combination of the information determined to be transmitted to the provision destination by the transfer determination unit;
The privacy protection device according to claim 1, wherein the encryption unit encrypts the information or the combination of the information whose granularity of information has been changed by the information change unit, using the encryption key. A storage unit for storing the level of protection of information to be sent to the provision destination;
The privacy according to claim 3, wherein the information changing unit changes the granularity of the information extracted by the information extracting unit or the combination of the information according to the protection level of the information stored in the storage unit. Protection device.   The privacy protection device according to claim 3 or 4, wherein the information changing unit changes the granularity of the information or the combination of the information when a predetermined event does not occur.   The information changing unit changes the resolution, accuracy, or freshness of the information determined to correspond to sensitive information by the information determining unit or the combination of the information, according to any one of claims 3 to 5. Privacy protection device as described. An auxiliary information generation unit that generates auxiliary information;
The encryption key generation unit generates the encryption key based on the auxiliary information generated by the auxiliary information generation unit and the disclosure information.
The encryption unit encrypts, with the encryption key, the information whose information granularity has been changed by the information change unit or a combination of the information.
The said transmission part transmits separately the result and the said auxiliary information to which the said encryption part encrypted the information or combination of information in which the granularity of the said information was changed, to the said provision destination. The privacy protection device according to any one of 6.   The privacy protection device according to any one of claims 1 to 7, wherein the encryption unit encrypts according to a timed encryption scheme. Extracting information or a combination of information requested by the provider from a plurality of pieces of information transmitted by the terminal device;
Determining whether the information or combination of information extracted in the extracting step corresponds to sensitive information;
Determining whether to transmit the information or the combination of the information determined to correspond to the sensitive information to the provision destination;
Generating an encryption key based on disclosure information indicating timing of disclosure of the information determined to be transmitted to the provision destination or a combination of the information;
Encrypting the information determined to be transmitted to the provision destination or the combination of the information with the encryption key;
Transmitting the encrypted information or the combination of the information determined to be transmitted to the provision destination to the provision destination. On the computer of the privacy protection device
Extracting information or a combination of information requested by the provider from a plurality of pieces of information transmitted by the terminal device;
Determining whether the information or combination of information extracted in the extracting step corresponds to sensitive information;
Determining whether to transmit the information or the combination of the information determined to correspond to the sensitive information to the provision destination;
Generating an encryption key based on disclosure information indicating timing of disclosure of the information determined to be transmitted to the provision destination or a combination of the information;
Encrypting the information determined to be transmitted to the provision destination or the combination of the information with the encryption key;
Transmitting the result of encrypting the combination of the information or the information determined to be transmitted to the provision destination to the provision destination.

Images