JP4430998B2 - Anonymity assurance device and system - Google Patents

Description

  The present invention relates to privacy protection for assuring personal anonymity.

  In recent years, wireless devices such as non-contact IC cards and RFID (radiofrequency identification) tags have been downsized due to advances in wireless communication technology, and have become sizes that are not difficult for individuals to carry. Accordingly, a system for receiving an ID (identifier) of a wireless device possessed by an individual with a reader and identifying the individual based on the ID is being put into practical use.

  Thus, in an environment where an individual has a wireless device, the individual may be identified by a reader installed by a malicious third party, leading to privacy infringement.

  As a countermeasure against identification of an individual by a malicious third party, there is a method of changing a wireless device ID (identifier) every time it is read by a reader and avoiding continuous tracking by the ID (Non-Patent Document 1). In this method, the wireless device has an encrypted ID, and passes the encrypted ID if requested by the reader. The reader passes the received ID to the security server and decrypts it to obtain a true ID. The security server encrypts the true ID into an ID different from the received ID, and updates the ID of the RFID tag through the RFID reader. Although the true ID is fixed, it is encrypted to a different ID every time it is read by the reader, so even if a third party installs the reader, the same person cannot be identified from the ID.

  Also, as a countermeasure against attacks in which a malicious third party assembles fragmented information generated by the use of a wireless device and attempts to identify the owner directly or indirectly, the relationship between fragmented information There is a method (Non-Patent Document 2) in which the relationship that leads to the identification of the owner is broken. In this method, a combination of two extracted from four entities such as a user, an action, a place, and a device is regarded as a piece of information. An identifier is prepared for each location and distributed to the device at each location, and the device uses the identifier as its own identifier. Therefore, the identifier for each device is hidden, and the relationship between the device and the action is cut off. Since the relationship between the user and the place and the relationship between the place and the device are cut off by the movement of the user, it is not possible to specify the user who performed the action by combining pieces of information.

Shingo Kinoshita, Literary Hoshino, Tomoyuki Komuro, Akiko Fujimura, Miyako Okubo: Variable Secret ID System for Realizing RFID Privacy Protection, Computer Security Symposium 2003, 2003, pp. 497-502 Alf Zugenmaier, Adolf Hohl: Anonymity for Users of Ubiquitous Computing, Ubicomp 2003, 2003

  For example, in an environment where security cameras and security guards exist in addition to a personal identification system using wireless devices, it is possible to identify individuals by monitoring. If there is only one person in the monitoring location and the person has a wireless device, it is possible in principle to associate an individual with the ID from the video, regardless of the wireless device ID. It is.

  The method of Non-Patent Document 1 changes the wireless device ID from time to time so that the owner is not specified from the wireless device ID. However, as described above, according to information such as a security camera, If a malicious third party learns that there is only one person at the monitoring location, the wireless device ID received during that period will be identified as the same person.

  Although the method of Non-Patent Document 2 prevents a combination of information related to the identification of the user from being created, as described above, it is a malicious matter that only one person exists at the monitoring location based on information such as a security camera. When the three parties know, it is specified that all actions performed during the period when only one person exists are by the user.

  It is an object of the present invention to identify an individual who possesses a wireless device by a malicious third party when there is another personal identification system in an environment where the system for identifying the individual using the wireless device exists. It is to resolve privacy violations in the form of

  The present invention receives a plurality of device identifiers of devices owned by an individual and stores them in a buffer, and counts the number of device identifiers stored in the buffer. An anonymity guarantee apparatus or system having means for reading a stored device identifier and sending the read device identifier to an external system is characterized.

  According to the present invention, since the device identifier is output only when the minimum number of device identifiers necessary for guaranteeing anonymity is reached, the above problem can be solved.

  According to the present invention, it is possible to prevent an individual from being identified from the ID even in a situation where there is only one individual around the reader, and there is an advantage that privacy of the individual is protected.

  The system 100 of FIG. 1 shows the basic configuration of the present invention. 101 is an input device ID stored in some device, 102 is a device ID receiving unit, 103 is an anonymous guarantee processing buffer, 104 is an anonymity determining unit, and 105 is an output device ID stored in some device.

  The input device ID 101 is a device ID input to the device ID receiving unit 102, and is an ID input from each of a plurality of devices. Here, the device ID is a number assigned to a certain device, and since each individual walks around the device, it is an identifier corresponding to each individual on a one-to-one basis. The anonymity guarantee processing buffer 103 is a buffer for storing the device ID received by the device ID receiving unit 102. The anonymity determination unit 104 monitors the number of unique device IDs stored in the anonymity guarantee processing buffer 103, and reads the device ID stored at that time when the number exceeds a predetermined number. Output.

  The output device ID 105 is a device ID output from the anonymity guarantee processing buffer 103 by the anonymity determination unit 104. Since the anonymity determination unit 104 outputs a plurality of unique device IDs from the anonymity guarantee processing buffer 103 each time, there are a plurality of output device IDs 105.

  FIG. 2 is a system configuration diagram of Embodiment 1 in which the present invention is applied to a location information system. The location information system 200 includes a wireless device 201, an ID reader 202, an ID information management system 203, and a flow line analysis system 204. The wireless device 201 includes a device ID transmission unit 205 and a device ID database 206. The ID reader 202 includes a device ID receiving unit 102, anonymity determining unit 104, anonymity guarantee processing buffer 103, reader ID adding unit 208, and reader ID database 209. The ID information management system 203 includes an ID information recording unit 210, a location information database 211, and an ID information database 212.

  The wireless device 201 is a device such as a wireless IC tag or a portable terminal held by an individual to be identified, and wirelessly transmits a wireless device ID to the ID reader 202 to notify its presence. The device ID transmission unit 205 includes dedicated hardware, hardware / software mounted on an IC chip, communication control hardware mounted on a computer including a CPU and a memory, a program executed by the CPU, and the like. . The device ID database 206 is stored in a nonvolatile storage device such as a nonvolatile memory or a disk storage device mounted on the IC chip.

  The ID reader 202 receives the wireless device ID transmitted from the wireless device 201, accumulates a predetermined number or more so as to guarantee its anonymity, and then adds the reader ID to each wireless device ID to provide the ID information management system 203. It is the device which outputs to. The ID reader 202 may be incorporated into various devices as a device that receives a wireless device ID and outputs it to the ID information management system 203. The device ID receiving unit 102, the anonymity determining unit 104, and the reader ID adding unit 208 are dedicated hardware, communication control hardware mounted on a computer including a CPU and a memory, a program executed by the CPU, and the like. . The anonymity guarantee processing buffer 103 is provided on a storage device such as a memory or a disk. The reader ID database 209 is stored in a nonvolatile storage device.

  The ID information management system 203 receives the reader ID and the wireless device ID from the ID reader 202, refers to the correspondence information between the ID reader stored in the position information database 211 and its installation position, and stores the wireless device ID in the ID information database 212. And the position where the wireless device 201 is captured. The ID information recording unit 210 includes dedicated hardware, communication control hardware mounted on a computer having a CPU and a memory, a program executed by the CPU, and the like. The position information database 211 and the ID information database 212 are stored in a storage device such as a memory or a disk.

  The flow line analysis system 204 uses the wireless device ID and position information collected by the ID information management system 203 to reproduce and display the movement of a specific wireless device 201, or the ID reader 202 in which the wireless devices 201 are crowded. Or a flow line such as a typical movement pattern of the wireless device 201 is analyzed.

  FIG. 3 is a diagram illustrating an example of data stored in the database and buffer of the position information system 200. The wireless device ID 401 is an example of data stored in the device ID database 206. The wireless device ID 401 is an ID assigned to the wireless device 201.

  Data stored in the anonymity guarantee processing buffer 103 includes a plurality of wireless device IDs 401. The wireless device ID 401 is an ID of the wireless device 201 received by the ID reader 202.

  The reader ID 421 is an example of data stored in the reader ID database 209. The reader ID 421 is an ID assigned to the ID reader 202.

  Each record stored in the position information database 211 includes a reader ID 421 and a position 431, and stores correspondence information between the ID of the ID reader 202 and its installation location.

  Each record stored in the ID information database 212 includes a wireless device ID 401 and a position 431, and stores the ID of the wireless device 201 and the captured location.

  FIG. 4 shows a processing sequence of the position information system 200. Processes 601 to 605 represent a process flow from when the wireless device ID of the wireless device 201 is collected by the ID reader 202 and stored in the ID information management system 203 as ID information. FIG. 5 is a flowchart showing details of the anonymity guarantee process 603. FIG. 6 shows the flow of processing for using the stored ID information in the flow line analysis system 204.

  Hereinafter, a processing sequence when the position information system according to the first embodiment collects wireless device IDs will be described with reference to FIG. In process 601, the device ID transmission unit 205 of the wireless device 201 reads the wireless device ID 401 stored in the device ID database 206. In process 602, the device ID transmission unit 205 transmits the wireless device ID read in process 601 to the device ID reception unit 102 in the ID reader 202.

  The process 603 will be described using a flowchart showing the flow of the anonymity guarantee process in FIG. In step 901, the device ID receiving unit 102 receives the wireless device ID transmitted by the device ID transmitting unit 205. In step 902, the device ID receiving unit 102 stores the received device ID in the anonymity guarantee processing buffer 103. In step 903, the anonymity determination unit 104 counts the number of unique wireless device IDs stored in the anonymity guarantee processing buffer 103. In step 904, the anonymity determination unit 104 proceeds to step 905 if the number of wireless device IDs counted in step 903 is equal to or greater than a predetermined number, and if not, the anonymity is determined. End the warranty process.

  As a result of this processing, the number of wireless device IDs passed to the ID information recording unit 210 is equal to or greater than a certain number each time. Can be prevented.

  In step 905, the anonymity determination unit 104 reads the wireless device ID stored in the anonymity guarantee processing buffer 103 and passes it to the reader ID adding unit 208. At this time, the anonymity determination unit 104 may randomly change the order of the plurality of wireless device IDs so that the owner of the wireless device ID cannot be specified by the order. In step 906, the anonymity determination unit 104 clears the wireless device ID stored in the anonymity guarantee processing buffer 103. The details of the processing 603 have been described above.

  Subsequently, in process 604, the reader ID adding unit 208 reads the reader ID 421 from the reader ID database 209, adds it to each wireless device ID passed from the anonymity determining unit 104 in step 905, and sets the ID information management system 203. The information is output to the ID information recording unit 210.

  In process 605, the ID information recording unit 210 searches the reader ID 421 in the position information database 211 using the reader ID received from the reader ID adding unit 208 as a key, reads the corresponding position 431, and receives it from the reader ID adding unit 208. Together with the wireless device ID stored in the ID information database 212. The above is the processing sequence when collecting the wireless device ID.

  Hereinafter, a processing sequence when the position information system of the first embodiment analyzes a flow line of an individual holding the wireless device 201 will be described with reference to FIG. In process 801, the flow line analysis system 204 accesses the ID information database 212 of the ID information management system 203. In process 802, the flow line analysis system 204 reads the wireless device ID 401 and the position 431 from the position information database 212 of the ID information management system 203. In process 803, the flow line analysis system 204 performs flow line analysis using the position information of the wireless device read from the ID information management system 203. Details of the flow line analysis are not described because they are not within the scope of the present invention. The above is the processing sequence at the time of flow line analysis.

  FIG. 7 is a system configuration diagram of the second embodiment in which the present invention is applied to a position information system different from the first embodiment. The location information system 300 includes a wireless device 201, an ID reader 301, an anonymity guarantee processing system 302, an ID information management system 203, and a flow line analysis system 204. The ID reader 301 includes a device ID receiving unit 303, a received ID output unit 304, and a reader ID database 209. The anonymity guarantee processing system 302 includes a device ID collection unit 305, an anonymity determination unit 307, and an anonymity guarantee processing buffer 306.

  The ID reader 301 is a system that receives the wireless device ID transmitted from the wireless device 201, adds the reader ID, and outputs the ID to the anonymity guarantee processing system 302. Which ID reader 301 has captured the wireless device 201? The ID information management system 203 can discriminate. The device ID reception unit 303 and the reception ID output unit 304 are dedicated hardware, communication control hardware mounted on a computer having a CPU and a memory, a program executed by the CPU, and the like.

  The anonymity guarantee processing system 302 is a system that receives a reader ID and a wireless device ID from the ID reader 301, accumulates a predetermined number or more so that the anonymity can be guaranteed, and outputs it to the ID information management system 203. The device ID collection unit 305 and the anonymity determination unit 307 are dedicated hardware, communication control hardware mounted on a computer having a CPU and a memory, a program executed by the CPU, and the like. The anonymity guarantee processing buffer 306 is provided on a storage device such as a memory or a disk.

  FIG. 8 is an example of data stored in the anonymity guarantee processing buffer 306 of the anonymity guarantee processing system 302. Each record stored in the anonymity guarantee processing buffer 306 includes a wireless device ID 401 and a reader ID 421. The wireless device ID 401 is the wireless device ID of the wireless device 201 received by the ID reader 301, and the reader ID 421 is an ID assigned to the ID reader 301.

  FIG. 9 shows a processing sequence of the position information system 300. Processing 601, processing 602, processing 701, processing 702, processing 703, processing 704, and processing 605 is performed until the wireless device ID of the wireless device 201 is collected by the ID reader 301 and stored as ID information in the ID information management system 203. This shows the flow of processing. FIG. 10 is a flowchart showing details of the anonymity guarantee process 703.

  Hereinafter, a processing sequence when the position information system according to the second embodiment collects wireless device IDs will be described with reference to FIG. In process 701, the device ID reception unit 303 receives the wireless device ID transmitted by the device ID transmission unit 205 and passes it to the reception ID output unit 304. In process 702, the reception ID output unit 304 reads the reader ID 421 from the reader ID database 209, adds it to the wireless device ID received from the device ID reception unit 303 in process 701, and collects the device ID of the anonymity guarantee processing system 302. Output to the unit 305.

  The process 703 will be described using a flowchart showing the flow of the anonymity guarantee process in FIG. In step 1001, the device ID collection unit 305 receives the wireless device ID and reader ID output from the reception ID output unit 304. In step 1002, the device ID collection unit 305 stores the reader ID and wireless device ID received from the reception ID output unit 304 in step 1001 in the anonymity guarantee processing buffer 306. In step 1003, the anonymity determination unit 307 searches the anonymity guarantee processing buffer 306 using the reader ID stored in step 1002 as a key, and counts the number of unique wireless device IDs having the same value for the reader ID 421. . In step 1004, the anonymity determination unit 307 proceeds to step 1005 when the number of wireless device IDs counted in step 1003 is a predetermined number or more, and proceeds to step 1005 when the number is less than the predetermined number. End the warranty process.

  In step 1005, the anonymity determination unit 307 searches the anonymity guarantee processing buffer 306 using the reader ID stored in step 1002 as a key, and reads a wireless device ID having the same value for the reader ID 421. In step 1006, the anonymity determination unit 307 clears the wireless device ID stored in the anonymity guarantee processing buffer 306 and having the same value as the reader ID stored in step 1002. The details of the processing 703 have been described above.

  Subsequently, in process 704, the anonymity determination unit 307 outputs the wireless device ID read in step 1005 together with the reader ID stored in step 1002 to the ID information recording unit 210 of the ID information management system 203.

  In this process, the anonymity guarantee processing system 302 acts as a filter for preventing the correspondence between the wireless device ID and the owner or the action of the owner between the ID reader 301 and the ID information management system 203. Since the number of wireless device IDs passed to the ID information recording unit 210 is a certain number or more each time, even if there is a system for identifying an individual other than the position information system, the individual is identified from the wireless device ID. Can be prevented. The above is the processing sequence when collecting the wireless device ID.

  FIG. 11 is a system configuration diagram of the third embodiment in which a processing unit that acquires the date and time when the wireless device ID is received by the ID reader is added to the position information system of the first embodiment. The difference from the first embodiment in the system configuration is that a date acquisition unit 1101 is provided in the ID reader 202. The date acquisition unit 1101 is a dedicated hardware for holding date information, a dedicated hardware for acquiring date information, a program executed by a CPU of a computer having a CPU and a memory, and the like. In addition, the anonymity determination unit 104 and the anonymity guarantee processing buffer 103 of the first embodiment are used as the anonymity determination unit 1102 and the anonymity guarantee processing buffer 1103 of the third embodiment, respectively.

FIG. 12 shows an example of data stored in the anonymity guarantee processing buffer 1103 of the ID reader 202,
It is an example of data stored in the ID information database 1104 of the ID information management system 203.

  Each record stored in the anonymity guarantee processing buffer 1103 includes a wireless device ID 401 and a date 1201. The wireless device ID 401 is the wireless device ID of the wireless device 201 received by the ID reader 202, and the date and time 1201 is the date and time when this wireless device ID is received.

  Each record stored in the ID information database 1104 includes a wireless device ID 401, a position 431, and a common date and time 1211, and is shared by the wireless device 201 ID, the location where the wireless device ID is captured, and the anonymity determination unit 1102. Stored date and time.

  FIG. 13 shows a processing sequence of the position information system 1100. Processing 601, processing 602, and processing 1301 to 1303 represent a processing flow from when the wireless device ID of the wireless device 201 is collected by the ID reader 202 and stored in the ID collection management system 203 as ID information. FIG. 14 is a flowchart showing details of the anonymity guarantee process 1301.

  Hereinafter, a processing sequence when the position information system according to the third embodiment collects wireless device IDs will be described with reference to FIG.

  The process 1301 will be described with reference to the flowchart showing the flow of the anonymity guarantee process in FIG. In step 1401, the device ID receiving unit 102 acquires the date and time from the date and time acquisition unit 1101. In step 1402, the device ID receiving unit 102 stores the wireless device ID received in step 901 and the date and time acquired in step 1401 in the anonymity guarantee processing buffer 1103.

  In step 1403, the anonymity determination unit 1102 proceeds to step 1404 if the number of wireless device IDs counted in step 903 is equal to or larger than a predetermined number, and if not, the anonymity is determined. End the warranty process.

  In step 1404, the anonymity determination unit 1102 reads the date and time stored in the anonymity guarantee processing buffer 1103, extracts a character string portion common to the date and time, and represents that the non-common part is a non-common part. Fill with any character string and standardize the date and time. For example, if the date and time stored in the anonymity guarantee processing buffer 1103 is in the format of “year / month / day hour: minute” as in records 1202 and 1203, “2004/4/1 12: “2004” is extracted as the common part of “00” and “2004/4/1 12:10”, the non-common part is filled with “-”, and “2004/4/1 12:- -"Is the common date and time.

  In step 1404, when the date and time stored in the anonymity guarantee processing buffer 1103 is expressed by a numerical value, the anonymity determination unit 1102 reads the date and time stored in the anonymity guarantee processing buffer 1103, Compare each digit from the first digit to the lower digit in order, extract up to the digit before the digit with a different value, and fill the remaining digits with any character that represents a non-common part. It is good as date and time.

  In step 1404, the anonymity determination unit 1102 reads the date and time stored in the anonymity guarantee processing buffer 1103, extracts the earliest date and the latest date and time from them, and sets the symbol representing the time interval as the common date and time. It is also good.

  With these processes, since there are always a plurality of wireless device IDs received at the same date and time, the wireless device ID can be prevented from being identified from the date and time.

  In step 1405, the anonymity determination unit 1102 reads the wireless device ID stored in the anonymity guarantee processing buffer 1103, adds the date and time of sharing in step 1404, and passes it to the reader ID addition unit 208. At this time, the anonymity determination unit 1102 may randomly change the order of the plurality of wireless device IDs so that the owner of the wireless device ID cannot be specified by the order. The details of the process 1301 have been described above.

  Subsequently, in process 1302, the reader ID adding unit 208 reads the reader ID 421 from the reader ID database 209, adds it to the wireless device ID and date and time passed from the anonymity determining unit 1102 in step 1405, and the ID information management system 203. The information is output to the ID information recording unit 210.

  In processing 1303, the ID information recording unit 210 searches the reader ID 421 in the position information database 211 using the reader ID received from the reader ID adding unit 208 as a key, reads the corresponding position 431, and receives it from the reader ID adding unit 208. The wireless device ID and date / time are stored in the ID information database 1104. The above is the processing sequence when collecting wireless device IDs.

  According to the third embodiment, since the date and time when the wireless device ID is captured is made common to the plurality of wireless device IDs, the owner of the wireless device ID is witnessed by another means such as human eyes or a security camera. Even if the date and order of sightings are known, it is difficult to associate the wireless device ID of the owner with the owner or the actions of the owner.

  As the third embodiment can be realized by adding the date and time acquisition unit 1101 in the ID reader 202 of the first embodiment, the third embodiment can be realized by adding the date and time acquisition unit 1101 to the anonymity guarantee processing system of the second embodiment. This basic principle can also be applied to the second embodiment. The date acquisition unit 1101 according to the second embodiment is connected to the device ID collection unit 305.

It is a figure which shows schematic structure of an anonymity guarantee system. It is a figure which shows the structure of the positional information system of Example 1. FIG. It is a figure which shows the example of data of the positional information system of an Example. It is a figure which shows the operation | movement sequence of the positional information system of Example 1. FIG. It is a figure which shows the flow of the anonymity guarantee process of the positional information system of Example 1. FIG. It is a figure which shows the operation | movement sequence of the flow line analysis of an Example. It is a figure which shows the structure of the positional information system of Example 2. FIG. It is a figure which shows the example of a data of the positional infomation system of Example 2. FIG. It is a figure which shows the operation | movement sequence of the positional information system of Example 2. FIG. It is a figure which shows the flow of the anonymity guarantee process of the positional information system of Example 2. FIG. It is a figure which shows the structure of the positional information system of Example 3. FIG. It is a figure which shows the example of data of the positional information system of Example 3. FIG. It is a figure which shows the operation | movement sequence of the positional information system of Example 3. FIG. It is a figure which shows the flow of the anonymity guarantee process of the positional information system of Example 3. FIG.

Explanation of symbols

102: Device ID receiving unit, 103, 306, 1103: Anonymity guarantee processing buffer, 104, 307, 1102: Anonymity determining unit, 201: Wireless device, 202: ID reader, 203: ID information management system, 208: Reader ID adding unit, 305: Device ID collecting unit

Claims (4)

Means for reading and sending a device identifier of a device owned by an individual; means for obtaining date information; receiving a plurality of the device identifiers; and adding the date information indicating the received date to each of the device identifiers Means, a means for storing a plurality of the device identifiers to which the date and time information indicating the date and time are added, and the number of the device identifiers stored in the buffer, and if the number is a predetermined number or more means for reading said device identifier stored in the buffer, and means for time shared by extracting a common part over the date and time information to the plurality of device identifier appended to the device identifier, the read anonymity of you; and a means for delivering the device identifier and time information thereof is time shared in the system of external Proof system. An anonymity guarantee system having a wireless device that reads a device ID of a device owned by an individual from a storage device and wirelessly transmits the device ID, an ID reader, and an ID information management system,
The ID reader receives a date and time acquisition unit that acquires date and time information, a device ID that receives a plurality of the device IDs, adds the date and time information indicating the received date and time to each of the received device IDs, and stores the device ID in a buffer The receiving unit counts the number of device IDs stored in the buffer, and if the number is equal to or greater than a predetermined number, reads the device ID stored in the buffer and reads the device ID read from the buffer reader ID granted and anonymity determination unit, to the ID reader to each of the device ID which is read to date common to extract the common portions throughout the appended the date and time information to the plurality of device ID was added and transmits the device ID and time information thereof is time shared to appended the reader ID to the ID information management system Li And a dust ID adding unit,
The ID information management system includes a position information database that stores correspondence between the reader ID and its position information, an ID information database that stores correspondence between the device ID and the position information, and the reader ID. ID information that receives the device ID, acquires the position information corresponding to the reader ID with reference to the position information database, and stores the correspondence between the device ID and the acquired position information in the ID information database anonymity assurance systems that; and a recording unit. An anonymity guarantee system having a wireless device that reads a device ID of a device owned by an individual from a storage device and wirelessly transmits the ID, an ID reader, an anonymity guarantee processing system, and an ID information management system,
The ID reader receives a plurality of device IDs, and a device ID receiving unit that receives each of the received device IDs and adds a reader ID assigned to the ID reader to the anonymity guarantee processing system. An ID output unit,
The anonymity assurance processing system, said indicating the date and time acquisition section which acquires the date and time information, receives the added the device ID of the reader ID from the ID reader, the date and time received in each of the device ID received A device ID collection unit that adds date / time information and stores the device ID in the buffer, and counts the number of the device IDs stored in the buffer. If the number is equal to or greater than a predetermined number, the reader ID stored in the buffer is stored. read the added the device ID, and extracts a common portion over said time information added to the device ID read from the buffer to the plurality of device ID and time shared, is added in the reader ID An anonymity determining unit that transmits the device ID and date and time information common to the device ID to the ID information management system ,
The ID information management system includes a position information database that stores correspondence between the reader ID and its position information, an ID information database that stores correspondence between the device ID and the position information, and the reader ID. ID information that receives the device ID, acquires the position information corresponding to the reader ID with reference to the position information database, and stores the correspondence between the device ID and the acquired position information in the ID information database anonymity assurance systems that; and a recording unit. Date and time acquisition section which acquires the date-time information, the device that stores the device ID of the device that individuals possess plurality received into a buffer by adding the date and time information indicating the date and time received in each of the device ID received Count the number of device IDs stored in the buffer with the ID receiving unit, and if the number is equal to or greater than a predetermined number, read the device ID stored in the buffer and read the device from the buffer and anonymity determination unit for time shared over the time information added to the ID to a plurality of devices ID by extracting a common portion, read the reader that is given to the ID reader to each of the device ID reader ID to adding ID, and transmits the device ID and time information thereof is time shared to appended the reader ID of external to the system I D reader you characterized by having Kabe Prefecture.

Images