JP4813278B2 - TERMINAL DEVICE, HISTORY SERVICE USING METHOD, HISTORY SERVICE USING PROGRAM, SERVER DEVICE, AND HISTORY SERVICE PROVIDING SYSTEM - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To utilize history service while securing a user's anonymity. <P>SOLUTION: A service providing device 810 stores utilization record information 620 not specifying users who used service. A user terminal unit 100 receives the utilization record information 620 from the service providing device 810 and acquires the tendency of users' utilization of service. Based on this, the user terminal unit 100 determines anonymity of information which records service used by himself or herself, and generates anonymous history information 63 from highly anonymous information. The service providing device 810 receives the anonymous history information 630 from the user terminal 100 and provides history service based on this. <P>COPYRIGHT: (C)2008,JPO&amp;INPIT

Description

  The present invention relates to a technique for using a history service without giving a clue for specifying a user.

The history service is based on the contents of the service used by the user of the service in the past (for example, the purchased product) to understand the preferences and trends of the user, predict the service that the user is likely to use, It provides services such as providing useful information for the user.
A conventional history service is provided after a service provider saves a user's service usage history and identifies who the user is.

In addition, when a user saves a service usage history and uses the service, the user may be provided with a history service without specifying the user by teaching the service usage history to the service provider.
JP 2001-256395 A JP-A-2005-05671 Toshie Shigefumi, Satoshi Otsuka, Keith Martin, Hideki Imai “Refreshable Tokens with Partial Linkability” Information Processing Society of Japan, 2004-CSEC-26 (52), pages 359-366 A. J. et al. Menezes, Paul C.M. Van Oorschot, Scott A. Vanstone “Handbook of Applied Cryptography” CRC Press, page 405

The method in which the service provider specifies the user and saves the service usage history of the user can specify the user, so that the user who wants to use the service while maintaining anonymity cannot use it There is.
In the case of the method in which the user saves the service usage history, there is a problem that the user is specified by collating with the service usage history saved on the service provider side.
In addition, with the development of data mining technology, even if only part of the service usage history is taught to the service provider, the relationship between the usage history of individual users is grasped and the entire picture of the user's service usage is revealed. You may be able to.

  The present invention has been made, for example, in order to solve the above-described problems, and an object thereof is to allow a user to use a history service while maintaining anonymity.

The terminal device according to the present invention is
A storage device for storing information;
A processing device for processing information;
A communication device that communicates with a server device that stores a plurality of usage record information in which used service content is recorded;
Of the use record information stored by the server device using the storage device, a use history storage unit that stores use record information about the service content used by a predetermined user as use history information;
A plurality of usage record information received from the server device using the communication device, and a plurality of usage record information received using the processing device;
Using the processing device, the plurality of usage record information output from the usage record receiving unit and the usage history information stored in the usage history storage unit are input, and the plurality of input information is input using the processing device. Based on the usage record information, the information on the input usage history information that is difficult to identify the predetermined user even if transmitted to the server device is determined, and the determined information is determined using the processing device. Anonymity history discriminating section for outputting as anonymous history information,
Anonymous history transmission unit that inputs the anonymous history information output by the anonymous history determination unit using the processing device and transmits the input anonymous history information to the server device using the communication device. It is characterized by having.

  According to the user terminal device 100 in this embodiment, the anonymous history discriminating unit 130 discriminates information that is difficult to identify the user as the anonymous history information 630, and the anonymous history transmitting unit 141 services the discriminated anonymous history information 630. Since it transmits with respect to the provision apparatus 810, there exists an effect that the service provision apparatus 810 cannot identify a user by this information transmission.

Embodiment 1 FIG.
The first embodiment will be described with reference to FIGS.

FIG. 1 is a system configuration diagram showing an example of the overall configuration of a history service providing system 800 in this embodiment.
The history service providing system 800 is a system that predicts a service that the user will use based on the contents of the service that the user has used in the past, and provides the user with useful information for the user. is there.
For example, in a store, a product that the customer is likely to purchase is predicted from information about a product that the customer has purchased in the past, and discount information about the product is provided to the customer.

The service providing apparatus 810 stores information (hereinafter referred to as “usage record information”) in which contents of services used in the past by a plurality of users who use the service are recorded. However, in order to protect personal information, information that can identify the user who uses the service is not recorded.
The service providing device 810 is an example of a server device.

The user terminal device 100 is a device possessed by each user who uses the service. The user terminal device 100 stores information (hereinafter referred to as “use history information”) in which the contents of services used by the user in the past are recorded.
The user terminal device 100 is an example of a terminal device.

The user terminal device 100 transmits usage history information to the service providing device 810. However, the user terminal device 100 does not transmit information that can identify the user.
The service providing device 810 receives the usage history information transmitted from the user terminal device 100, and analyzes the user's preferences and the like based on the received usage history information. The service providing apparatus 810 determines information that may be useful by the user based on the analysis result, and transmits the information to the user terminal apparatus 100.
The user terminal device 100 receives the information transmitted by the service providing device 810 and notifies the user by displaying the received information on a screen.

Since the service providing device 810 stores the usage record information, there is a risk that the user can be identified by comparing the usage history information transmitted by the user terminal device 100 with the usage record information.
Therefore, the user terminal device 100 according to this embodiment discriminates information (hereinafter referred to as “anonymous history information”) that cannot easily identify the user even after collating with the usage record information among the usage history information. Only the anonymous history information is transmitted to the service providing apparatus 810.

FIG. 2 is a diagram showing an example of the appearance of the service providing apparatus 810 in this embodiment.
The service providing apparatus 810 includes a system unit 910, a display apparatus 901 having a CRT (Cathode / Ray / Tube) or LCD (liquid crystal) display screen, a keyboard 902 (Key / Board: K / B), a mouse 903, an FDD 904 (Flexible). (Disk / Drive), compact disk device 905 (CDD), printer device 906, scanner device 907, and other hardware resources, which are connected by a cable or a signal line.
The system unit 910 is a computer, and is connected to the facsimile machine 932 and the telephone 931 via a cable, and is connected to the Internet 940 via a local area network 942 (LAN) and a gateway 941.

FIG. 3 is a diagram illustrating an example of hardware resources of the service providing apparatus 810 according to this embodiment.
The service providing apparatus 810 includes a CPU 911 (also referred to as a central processing unit, a central processing unit, a processing unit, an arithmetic unit, a microprocessor, a microcomputer, and a processor) that executes a program. The CPU 911 is connected to the ROM 913, the RAM 914, the communication device 915, the display device 901, the keyboard 902, the mouse 903, the FDD 904, the CDD 905, the printer device 906, the scanner device 907, and the magnetic disk device 920 via the bus 912, and the hardware. Control the device. Instead of the magnetic disk device 920, a storage device such as an optical disk device or a memory card read / write device may be used.
The RAM 914 is an example of a volatile memory. The storage media of the ROM 913, the FDD 904, the CDD 905, and the magnetic disk device 920 are an example of a nonvolatile memory. These are examples of a storage device or a storage unit.
A communication device 915, a keyboard 902, a scanner device 907, an FDD 904, and the like are examples of an input unit and an input device.
Further, the communication device 915, the display device 901, the printer device 906, and the like are examples of an output unit and an output device.

The communication device 915 is connected to a facsimile machine 932, a telephone 931, a LAN 942, and the like. The communication device 915 is not limited to the LAN 942, and may be connected to the Internet 940, a WAN (wide area network) such as ISDN, or the like. When connected to a WAN such as the Internet 940 or ISDN, the gateway 941 is unnecessary.
The magnetic disk device 920 stores an operating system 921 (OS), a window system 922, a program group 923, and a file group 924. The programs in the program group 923 are executed by the CPU 911, the operating system 921, and the window system 922.

The program group 923 stores programs for executing functions described as “˜unit” and “˜means” in the description of the embodiments described below. The program is read and executed by the CPU 911.
The file group 924 includes information, data, signal values, variable values, and parameters that are described as “determination results of”, “calculation results of”, and “processing results of” in the description of the embodiments described below. Are stored as items of “˜file” and “˜database”. The “˜file” and “˜database” are stored in a recording medium such as a disk or a memory. Information, data, signal values, variable values, and parameters stored in a storage medium such as a disk or memory are read out to the main memory or cache memory by the CPU 911 via a read / write circuit, and extracted, searched, referenced, compared, Used for CPU operations such as calculation, calculation, processing, output, printing, and display. Information, data, signal values, variable values, and parameters are temporarily stored in the main memory, cache memory, and buffer memory during the CPU operations of extraction, search, reference, comparison, operation, calculation, processing, output, printing, and display. Is remembered.
In addition, the arrows in the flowcharts described in the following description of the embodiments mainly indicate input / output of data and signals. The data and signal values are the RAM 914 memory, the FDD 904 flexible disk, the CDD 905 compact disk, and the magnetic field. Recording is performed on a recording medium such as a magnetic disk of the disk device 920, other optical disks, mini disks, and DVDs (Digital / Versatile / Disc). Data and signals are transmitted online via a bus 912, signal lines, cables, or other transmission media.

  In addition, in the description of the embodiments described below, what is described as “to part” and “to means” may be “to circuit”, “to device”, and “to device”. It may be “step”, “˜procedure”, “˜processing”. That is, what is described as “˜unit” and “˜means” may be realized by firmware stored in the ROM 913. Alternatively, it may be implemented only by software, or only by hardware such as elements, devices, substrates, and wirings, by a combination of software and hardware, or by a combination of firmware. Firmware and software are stored as programs in a recording medium such as a magnetic disk, a flexible disk, an optical disk, a compact disk, a mini disk, and a DVD. The program is read by the CPU 911 and executed by the CPU 911. That is, the program causes the computer to function as “to part” and “to means” described below. Alternatively, the procedure or method of “˜unit” and “˜means” described below is executed by a computer.

  FIG. 4 is a hardware configuration diagram illustrating an example of a hardware configuration of the user terminal device 100 and the service providing device 810 in this embodiment.

The user terminal device 100 is, for example, a mobile phone, and is possessed by a user who visits a store.
The user terminal device 100 includes a communication device 915, a display device 901, an input device such as a keyboard 902, a processing device such as a CPU 911, a storage device such as a RAM 914, a card unit 200, and the like.
The communication device 915 communicates with other devices using wireless communication, infrared communication, or the like.
The display device 901 displays information sent from a processing device such as the CPU 911 on the screen.
An input device such as a keyboard 902 is used by a user to input information using operation buttons, a touch panel, or the like.
A processing device such as the CPU 911 controls processing of the user terminal device 100.
A storage device such as the RAM 914 stores programs and data necessary for processing of the user terminal device 100.
The card unit 200 has a UIM 210 (User Identity Module) installed therein.
The UIM 210 includes a communication device 915, a processing device such as a CPU 911, and a storage device such as a RAM 914.
The communication device 915 communicates with other devices using wireless communication or other communication means.
A processing device such as the CPU 911 controls processing of the UIM 210.
A storage device such as the RAM 914 stores programs and data necessary for processing of the UIM 210.
Before using the service, the user uses the user terminal device 100 to store programs and data required for using the history service in the user terminal device 100.
As a storage method, the user terminal device 100 is connected to a dedicated terminal and downloaded, or an external storage medium such as a CD-ROM is installed in the user's computer and the user terminal device 101 is connected and downloaded. To do.

In addition, said structure is an example and a user terminal device is not restricted to a mobile telephone, A portable information terminal may be sufficient and another apparatus may be sufficient.
In addition, when the service used by the user is not provided by an actual store, for example, a service such as a virtual store provided via the Internet, the user terminal device is a user May be a device such as a computer that uses the service by connecting to the Internet.

The service providing device 810 is, for example, a server device held by a store, and provides a history service such as holding user purchase information together with an ID, or providing optimal product information to a user from a purchase history. Device.
The service providing device 810 includes a communication device 915, a display device 901, an input device such as a keyboard 902, a processing device such as a CPU 911, and a storage device such as a magnetic disk device 920.
The communication device 915 communicates with the user terminal device 100 and other devices using Internet communication, wireless communication, infrared communication, or the like.
The display device 901 displays information sent from a processing device such as the CPU 911 on the screen.
As for input devices, such as a keyboard 902, a store clerk inputs information using a keyboard, a touch panel, etc.
A processing device such as the CPU 911 controls processing of the service providing device 810.
A storage device such as the magnetic disk device 920 stores programs and data necessary for processing of the service providing device 810.
When the clerk constructs the history service, the store clerk stores programs and data necessary for providing the service in the service providing apparatus 810.
As a storage method, the service providing apparatus 810 is connected to the management server and downloaded, or an external storage device such as the CDD 905 is installed in the service providing apparatus 810 and installed.

FIG. 5 is a block configuration diagram showing an example of a functional block configuration of the user terminal device 100 in this embodiment.
The user terminal device 100 includes a usage record reception unit 111, a usage history reception unit 112, a usage history storage unit 121, an anonymous history determination unit 130, an anonymous history transmission unit 141, and the like.

The usage record receiving unit 111 receives the usage record information transmitted from the service providing apparatus 810 using the communication device 915. The usage record receiving unit 111 outputs the received usage record information using a processing device such as the CPU 911.
Since the service providing apparatus 810 does not record information that can identify the user, the service providing apparatus 810 does not know which user the usage record information is for. The service providing apparatus 810 transmits not only the usage record information about the user who owns the user terminal device 100 but also the usage record information about other users. The usage record receiver 111 receives and outputs not only usage record information about the user who is processing the user terminal device 100 but also usage record information about other users.

The usage history receiving unit 112 uses the communication device 915 to receive usage history information transmitted from the service providing device 810. The usage history receiving unit 112 outputs the received usage history information using a processing device such as the CPU 911.
The usage history information transmitted by the service providing apparatus 810 is for the service used by the user this time. Although the service providing apparatus 810 does not record information that can identify the user, but has just provided the service, the service providing apparatus 810 can determine which user terminal apparatus 100 should transmit the usage history information. The usage history receiving unit 112 receives and outputs usage history information about the service used this time by the user who owns the user terminal device 100.

The usage history storage unit 121 inputs the usage history information output by the usage history reception unit 112 using a processing device such as the CPU 911.
The usage history storage unit 121 stores input usage history information using a storage device such as a memory.

  The usage history information stored in the usage history storage unit 121 is used when the service is used next time. The usage history storage unit 121 stores usage history information every time a service is used, and the usage history information stored in the usage history storage unit 121 increases.

The anonymous history discriminating unit 130 inputs the usage record information output by the usage record receiving unit 111 using a processing device such as the CPU 911.
The anonymous history discriminating unit 130 inputs the usage history information (up to the previous time) stored in the usage history storage unit 121 using a processing device such as the CPU 911.
The anonymous history discriminating unit 130 possesses the user terminal device 100 even if it is transmitted to the service providing device 810 among the input usage history information based on the input usage record information using a processing device such as the CPU 911. The information (anonymity history information) that is difficult to identify the user is identified.
The anonymous history determination unit 130 outputs the determined anonymous history information using a processing device such as the CPU 911.

The anonymous history transmission unit 141 inputs the anonymous history information output by the anonymous history determination unit 130 using a processing device such as the CPU 911.
The anonymous history transmission unit 141 transmits the input anonymous history information to the service providing device 810 using the communication device 915.

The service providing device 810 receives the anonymous history information transmitted by the user terminal device 100, analyzes this information, grasps the preferences of the user who owns the user terminal device 100, and the like for the user. Information that may be useful is determined and transmitted to the user terminal device 100.
The user terminal device 100 receives this and displays it on the display device 901 to notify the user. The user can obtain information according to his / her preference.

  Thereafter, when the user uses the service, the usage history receiving unit 112 receives the usage history information and the usage history storage unit 121 stores it.

  The service providing apparatus 810 does not record information that can identify the user, but may attempt to identify the user by comparing the anonymous history information transmitted by the user terminal apparatus 100 with the stored use record information. Absent. However, since the anonymous history information transmitted by the user terminal device 100 is information determined by the anonymous history determination unit 130 when it is difficult to specify the user, the service providing device 810 cannot specify the user.

The anonymous history determination unit 130 includes an anonymity determination unit 131.
The anonymity determination unit 131 uses a processing device such as the CPU 911 to determine whether it is difficult to identify a user even if information about the service content recorded in the usage history information is transmitted to the service providing device 810. .

  Next, a determination method for determining whether or not the anonymity determination unit 131 easily identifies a user will be described.

The anonymity determination unit 131 analyzes the usage record information input by the anonymous history determination unit 130 using a processing device such as the CPU 911 to determine the content of the service recorded by the usage record information.
The anonymity determining unit 131 uses a processing device such as the CPU 911 to calculate the number of times of using the service content for each of the determined service content.
The anonymity determination unit 131 uses a processing device such as the CPU 911 to compare the calculated number of usages with a predetermined number of times, and when the calculated number of usages is larger, information on the service content is given to the service providing device 810. It is determined that it is difficult to identify the user even if it is transmitted.

The usage record information received by the usage record receiving unit 111 includes not only the service used by the user but also the service used by other users.
Therefore, the anonymity determining unit 131 analyzes the usage record information and calculates the number of times the service is used by the service users including other users.

If no one else has used a service that has been used by the user who owns the user terminal device 100, the service providing device 810 transmits information that the service has been used to provide the service. The device 810 can link two pieces of usage record information as being from the same user.
There is a risk that the service providing apparatus 810 collects a large number of such associations and can grasp an overall picture of service use by a single user.
Therefore, when such information is transmitted to the service providing apparatus 810, the user is easily identified.

Even if other users have used a service that the user who owns the user terminal device 100 has used, if the number of times is small, the service providing device 810 is not 100% reliable. Although there is no information, two pieces of usage record information can be linked as having a high possibility of being from the same user.
Therefore, it can be said that the user can be easily identified although the risk of identifying the user is small compared to the case where no one else has used it.

The greater the number of times other users have used the service, the smaller the risk that the user will be identified.
Even if the service is used only by the user, if the number of times is large, the service providing apparatus 810 does not know whether the service is provided by the same user or a different user. The risk of identifying users is small.
Hereinafter, the degree of difficulty in identifying the user is referred to as “anonymity”.

Here, “user identification rate” is defined as an index representing anonymity. The user identification rate is defined as (user identification rate) = 1 / (number of times the same service has been used) × 100 (%).
The “same service” is, for example, a service for selling products at a store, and “same service” is defined when the product purchased by the user is the same. The anonymity determination unit 131 analyzes the usage record information, obtains a product purchased by the user of the service, and obtains the same product as the product that the owner of the user terminal device 100 has purchased in the past. Calculate the number of purchases made by users.
The anonymity determination unit 131 compares the calculated “number of times the same product has been purchased” with a predetermined threshold, and if the “number of times the same product has been purchased” is greater, the anonymity is higher (the user is identified). Difficult).
Alternatively, the anonymity determination unit 131 calculates the above-described “user specification rate” based on the calculated “number of times the same product has been purchased”, and compares the calculated “user specification rate” with a predetermined threshold value. If the “user identification rate” is smaller, the anonymity may be determined to be higher.
As the threshold value to be compared, a predetermined threshold value may be stored using a storage device such as a memory, or an input device such as a keyboard 902 of the user terminal device 100 may be used by the user. The set threshold value may be input by the user terminal device 100 and stored using a storage device such as a memory.
If the threshold value is set so as to increase safety (large if the threshold is the number of times of use and small if the threshold is the user identification rate), it becomes difficult to identify the user, but the service providing apparatus 810 as anonymous history information Since the amount of information that can be transmitted to the service is reduced, it becomes difficult for the service providing apparatus 810 to determine useful information for the user, and as a result, the user may fail to receive useful information or may display unnecessary information. there's a possibility that. On the other hand, if the threshold value is set so as to reduce the safety, the risk of specifying the user increases instead of allowing the user to be notified of perfect information.

The anonymous history information that the anonymous history transmission unit 141 transmits to the service providing apparatus 810 may include not only “a product that has been purchased in the past” but also information indicating “the number of purchased products”, for example. .
In that case, the anonymity determination unit 131 calculates the number of times of use and determines anonymity, assuming that the same service is purchased when the same number of the same products are purchased.

In addition, the anonymous history information transmitted by the anonymous history transmission unit 141 is a service providing device that provides information useful to the user in the history service, such as “time period when the product was purchased” and “other products purchased at the same time as the product”. Various information that can be used by 810 for determination may be included.
In this case, the service having the same content as the “service content” that can be specified by the anonymous history information is set to “the same service”, and the anonymity determination unit 131 calculates the number of uses and determines anonymity.

FIG. 6 is a diagram showing an example of usage history information 610 in this embodiment.
When a user possessing the user terminal device 100 uses a service, the service providing device 810 transmits usage history information 610 to the user terminal device 100.
The usage history receiving unit 112 receives the usage history information 610 transmitted from the service providing device 810 using the communication device 915.
The usage history information 610 includes, for example, a product code 611, a purchase quantity 612, a purchase date and time 613, and the like.
The product code 611 is information indicating the product code of the product purchased by the user.
The purchased number 612 is information indicating the number of products purchased by the user.
The purchase date and time 613 is information indicating the date and time when the user purchased the product.
In this example, the usage history receiving unit 112 receives usage history information 610 indicating that the user purchased two products A and two products B at 15:21 on January 18.

Usage history information 610 received by the usage history receiving unit 112 is stored by the usage history storage unit 121 using a storage device such as a memory. The usage history storage unit 121 stores new usage history information 610 in addition to the usage history information 610 stored so far.
In this example, the usage history storage unit 121 has already stored the usage history information 610 for the past three times. The usage history storage unit 121 adds the usage history information 610 newly received by the usage history reception unit 112 and stores a total of four usage history information 610.

  Note that the product code 611 may use information indicated by a barcode attached to the product, or may use private information generated uniquely by the service providing apparatus 810.

FIG. 7 is a diagram showing an example of the usage record information 620 in this embodiment.
When the service user visits the service, the service providing apparatus 810 transmits the usage record information 620 to the user terminal apparatus 100 possessed by the user.
The usage record receiving unit 111 receives the usage record information 620 transmitted by the service providing apparatus 810 using the communication device 915.
The usage record information 620 includes, for example, a product code 621, a purchase quantity 622, and the like.
The product code 621 is information indicating the product code of the product purchased by the user, like the product code 611.
The purchased number 622 is information indicating the number of products purchased by the user at that time, as with the purchased number 612.
In this example, eight usage record information 620 are transmitted from the service providing apparatus 810 and received by the usage record receiving unit 111.
The first usage record information 620 indicates that there was a user who purchased “one product A, two products B, and two products D”. When compared with the usage history information 610 stored in the usage history storage unit 121 illustrated in FIG. 6, the usage history storage unit 121 stores the usage history information 610 having the same content as the usage record information 620. This usage record information 620 shows that the service usage of the user who owns the user terminal device 100 is recorded. However, since the service providing apparatus 810 does not record information that can identify the user, the service providing apparatus 810 cannot determine this.
The second usage record information 620 indicates that there was a user who purchased “three products A and one product B”. When compared with the usage history information 610 stored in the usage history storage unit 121 illustrated in FIG. 6, the usage history storage unit 121 does not store the usage history information 610 that matches the usage record information 620. This usage record information 620 shows that service usage of other users other than the user who owns the user terminal device 100 is recorded. However, since the service providing apparatus 810 does not record information that can identify the user, the service providing apparatus 810 cannot determine this.
Therefore, the service providing apparatus 810 transmits the service use record information 620 used by the user and the service use record information 620 used by other users without distinction.

The anonymity determination unit 131 calculates the service usage count based on the usage record information 620 received by the usage record reception unit 111 using a processing device such as the CPU 911.
In this example, the case where the purchased product is the same is counted as “the same service”, and the anonymity determination unit 131 uses the product A for the number of uses (purchase count) 6 times, the product B 5 times, and the product C It asks for the goods D to be 3 times once.
In the usage record information 620 received by the usage record receiving unit 111, the service usage for the product E is also recorded, but the usage history information 610 stored in the usage history storage unit 121 shown in FIG. According to this, the user having the user terminal device 100 has never purchased the product E, and the anonymous history transmitting unit 141 transmits the anonymous history information with the content that “the product E has been purchased”. Since there is no possibility, the number of uses for the product E is not calculated.
The anonymity determination unit 131 uses a processing device such as the CPU 911 to calculate a user identification rate based on the calculated number of uses.

The anonymity determination unit 131 determines the anonymity by using the processing device such as the CPU 911 and comparing the calculated use frequency or the user specifying rate with a predetermined threshold.
In this example, the anonymity determination unit 131 compares the number of uses with the threshold “4 times”, or compares the user identification rate with the threshold “25%”, and purchase history of the products A and B is as follows: Judge that anonymity is high. In addition, the purchase history of the product C and the product D is low in anonymity, and if transmitted to the service providing apparatus 810, it is determined that there is a risk of specifying the user.

The anonymity history determination unit 130 generates anonymity history information 630 based on the determination result determined by the anonymity determination unit 131 using a processing device such as the CPU 911.
The anonymous history information 630 includes, for example, a product code 631.
The product code 631 is information indicating a product code of a product that the user has purchased.
In this example, since the anonymity determination unit 131 determines that it is difficult to identify the user even if the service providing apparatus 810 is notified that the product A and the product B have been purchased, the anonymous history determination unit 130 , Anonymous history information 630 indicating that “product A has been purchased” and anonymous history information 630 indicating that “product B has been purchased” are generated.

The anonymous history discriminating unit 130 outputs the generated anonymous history information 630 using a processing device such as the CPU 911.
The anonymous history transmission unit 141 inputs the anonymous history information 630 output by the anonymous history determination unit 130 using a processing device such as the CPU 911.
The anonymous history transmitting unit 141 transmits the input anonymous history information 630 to the service providing device 810 using the communication device 915.

FIG. 8 is a flowchart showing an example of the entire flow of the history service providing process in which the history service providing system 800 in this embodiment provides a history service.
The history service providing process is an example of a history service utilization method.

In S11, the service providing apparatus 810 reads the usage record information 620 stored using a storage device such as the magnetic disk device 920.
The service providing apparatus 810 transmits the read usage record information 620 to the user terminal apparatus 100 using the communication apparatus 915.

In S21 (use record receiving step), the use record receiving unit 111 uses the communication device 915 to receive the use record information 620 transmitted by the service providing device 810 in S11.
The usage record receiving unit 111 outputs the received usage record information 620 using a processing device such as the CPU 911.

In S22 (anonymity history determination step), the anonymous history determination unit 130 uses the processing device such as the CPU 911 and the usage record information 620 output by the usage record reception unit 111 in S21 and the usage history storage unit 121 stores the usage history. The history information 610 is input.
Anonymity history discriminating unit 130 uses a processing device such as CPU 911, and based on input usage record information 620, information that is difficult to identify a user even if transmitted to service providing device 810 among input usage history information 610. Is determined.
The anonymous history determination unit 130 generates anonymous history information 630 based on the determined information using a processing device such as the CPU 911.
The anonymous history discriminating unit 130 outputs the generated anonymous history information 630 using a processing device such as the CPU 911.

In S23 (anonymous history transmission step), the anonymous history transmission unit 141 inputs the anonymous history information 630 output by the anonymous history determination unit 130 in S22 using a processing device such as the CPU 911.
The anonymous history transmitting unit 141 transmits the input anonymous history information 630 to the service providing device 810 using the communication device 915.
When there is no anonymous history information 630 to be transmitted, the anonymous history transmission unit 141 transmits empty information to the service providing apparatus 810 in order to advance the process of the history service providing system 800 first. The case where there is no anonymous history information 630 to be transmitted is, for example, the case where the user uses the service for the first time.

  In S12, the service providing apparatus 810 uses the communication apparatus 915 to receive the anonymous history information 630 transmitted by the user terminal apparatus 100 in S23.

  In step S13, the service providing apparatus 810 uses a processing apparatus such as the CPU 911 to determine information that is likely to be useful to the user based on the anonymous history information 630 received in step S12, and provides history service information to be notified to the user. Generate.

In S14, the service providing apparatus 810 transmits the history service information generated in S13 to the user terminal apparatus 100 using the communication apparatus 915.
The service providing apparatus 810 may notify the user by, for example, displaying the generated history service information on the display screen installed in the store instead of transmitting the generated history service information to the user terminal apparatus 100.

  In S24, the user terminal device 100 receives the history service information transmitted from the service providing device 810 in S14 using the communication device 915.

  In S25, the user terminal device 100 displays the history service information received in S24 using the display device 901 and notifies the user.

  In S31, the user views the history service information displayed on the display device 901 of the user terminal device 100, and acquires information.

  In S32, the user uses the service with reference to the information acquired in S31.

  In S15, the service providing apparatus 810 uses the processing apparatus such as the CPU 911 to generate usage history information 610 that records the contents of the service used by the user in S32.

  In S <b> 16, the service providing apparatus 810 transmits the usage history information 610 generated in S <b> 15 to the user terminal apparatus 100 using the communication apparatus 915.

In S <b> 17, the service providing apparatus 810 stores the usage history information 610 generated in S <b> 15 as usage record information 620 using a storage device such as the magnetic disk device 920.
The service providing apparatus 810 can obtain information such as the usage tendency of the service user by analyzing the stored usage record information 620. However, since a plurality of usage record information 620 cannot be linked, the user cannot be specified thereby.

In S <b> 26, the usage history receiving unit 112 receives the usage history information 610 transmitted from the service providing apparatus 810 in S <b> 16 using the communication device 915.
The usage history receiving unit 112 outputs the received usage history information 610 using a processing device such as the CPU 911.

In S27, the usage history storage unit 121 inputs the usage history information 610 output by the usage history reception unit 112 in S26 using a processing device such as the CPU 911.
The usage history storage unit 121 stores the input usage history information 610 using a storage device such as a memory.

FIG. 9 is a flowchart showing an example of a flow of anonymous history determination processing in which the anonymous history determination unit 130 determines anonymous history information in this embodiment.
The anonymous history determination process is a process corresponding to S22 (anonymous history determination step) in FIG.

In S <b> 41, the anonymous history determination unit 130 inputs the usage history information 610 stored in the usage history storage unit 121 using a processing device such as the CPU 911.
The anonymous history determination unit 130 determines a product that has been purchased based on the input usage history information 610 using a processing device such as the CPU 911.

In S <b> 42, the anonymity determination unit 131 inputs the usage record information 620 output by the usage record reception unit 111 using a processing device such as the CPU 911.
The anonymity determination unit 131 uses a processing device such as the CPU 911 to determine a product purchased by a user of a service including other users based on the input record information 620.
The anonymity determination unit 131 uses a processing device such as the CPU 911 to count the number of appearances of purchase records (the number of purchases) for the products included in the product list determined in S41 among the determined products.

In S43, the anonymity determination unit 131 uses a processing device such as the CPU 911 to compare the number of purchases counted in S42 with a predetermined threshold value stored in advance using a storage device such as a memory, and about the product. Determine the anonymity of your purchase information.
For products determined to have high anonymity, the process proceeds to S44.
For the product determined to be low in anonymity, the anonymous history determination process is terminated.

In S <b> 44, the anonymous history determination unit 130 generates anonymous history information 630 using a processing device such as the CPU 911. Anonymity history information 630 is information indicating that a product that has been determined to have high anonymity in S43 has been purchased.
The anonymous history discriminating unit 130 outputs the generated anonymous history information 630 using a processing device such as the CPU 911.

As described above, based on the usage record information 620 in which the users of the service including other users recorded the contents of using the service in the past, the anonymous history determination unit 130 determines the anonymity of the usage history information 610, Anonymity history information 630 composed only of highly anonymous information is generated.
The anonymous history transmission unit 141 transmits anonymous history information 630 composed only of highly anonymous information to the service providing apparatus 810, so that the user receives a history service.
Thereby, the user can receive the history service without specifying the user.

The user terminal device 100 (terminal device) in this embodiment is
A storage device such as a memory for storing information;
A processing device such as a CPU 911 for processing information;
A communication device 915 that communicates with a service providing device 810 (server device) that stores a plurality of usage record information 620 that records the service content used;
Of the usage record information 620 stored by the service providing device 810 using a storage device such as a memory, the usage record information 620 about the service content used by the user who owns the user terminal device 100 is used as the usage history information 610. A usage history storage unit 121 for storing;
A usage record receiving unit 111 that receives a plurality of usage record information 620 from the service providing device 810 using the communication device 915 and outputs the received plurality of usage record information 620 using a processing device such as the CPU 911;
Using a processing device such as the CPU 911, a plurality of usage record information 620 output from the usage record receiving unit 111 and usage history information 610 stored in the usage history storage unit 121 are input, and the processing device such as the CPU 911 is used. Based on a plurality of input usage record information 620, information that is difficult to identify a user even if transmitted to the service providing apparatus 810 from the input usage history information 610 is determined, and using a processing device such as the CPU 911, Anonymous history discriminating unit 130 that outputs the discriminated information as anonymous history information 630;
Anonymity history information 630 output by the anonymous history determination unit 130 is input using a processing device such as the CPU 911, and the anonymous history information 630 is transmitted to the service providing device 810 using the communication device 915. And a history transmission unit 141.

  According to the user terminal device 100 in this embodiment, the anonymous history discriminating unit 130 discriminates information that is difficult to identify the user as the anonymous history information 630, and the anonymous history transmitting unit 141 services the discriminated anonymous history information 630. Since it transmits with respect to the provision apparatus 810, there exists an effect that the service provision apparatus 810 cannot identify a user by this information transmission.

The user terminal device 100 (terminal device) in this embodiment is
Anonymity history determination unit 130
Using the processing device such as the CPU 911, the service content recorded by the usage record information 620 is determined for each of the plurality of input usage record information 620, and the determined service content is determined using the processing device such as the CPU 911. Then, the number of times of using the service content is calculated, and when the calculated number of times of use is greater than a predetermined number using a processing device such as the CPU 911, information about the service content is transmitted to the service providing device 810. However, it is characterized by having an anonymity determination unit 131 that determines that the user is difficult to identify.

  According to the user terminal device 100 in this embodiment, the anonymity determining unit 131 transmits information about the service content to the service providing device 810 when the service having the same content is frequently used. Since it is determined that the user is difficult to be identified, the anonymity of the information can be accurately determined.

The history service using method in which the user terminal device 100 in this embodiment uses the history service is:
A communication device that communicates with a storage device such as a memory that stores information, a processing device such as a CPU 911 that processes information, and a service providing device 810 (server device) that stores a plurality of usage record information 620 that records used service contents In the history service use method in which the user terminal device 100 (terminal device) having 915 uses the history service provided by the service providing device 810,
A usage history storage step in which a storage device such as a memory stores usage record information 620 on service contents used by a predetermined user as usage history information 610 among usage record information 620 stored by the service providing device 810;
A communication device 915 receives a plurality of usage record information 620 from the service providing device 810, and a processing device such as the CPU 911 outputs a plurality of usage record information 620 received;
A processing device such as the CPU 911 inputs a plurality of usage record information 620 output from the processing device such as the CPU 911 in the usage record receiving step and usage history information 610 stored in a storage device such as a memory in the usage history storage step. Using a processing device such as the CPU 911, based on the plurality of input usage record information 620, information that is difficult to identify a user even if transmitted to the service providing device 810 is determined from the input usage history information 610. An anonymous history determination step for outputting the determined information as anonymous history information 630 by a processing device such as
The processing device such as the CPU 911 inputs the anonymous history information 630 output from the processing device such as the CPU 911 in the anonymous history determination step, and the communication device 915 transmits the input anonymous history information 630 to the service providing device 810. An anonymous history transmitting step.

  According to the history service utilization method in this embodiment, the processing device determines information that is difficult to identify a user as anonymous history information 630 in the anonymous history determination step, and communicates the determined anonymous history information 630 in the anonymous history transmission step. Since the apparatus 915 transmits to the service providing apparatus 810, this information transmission has an effect that the service providing apparatus 810 cannot identify the user.

  The user terminal device 100 (terminal device) in this embodiment includes a storage device such as a memory for storing information, a processing device such as a CPU 911 for processing information, and usage record information 620 in which used service content is recorded. Causing a computer having a communication device 915 that communicates with a plurality of service providing devices 810 (server devices) to execute a history service utilization program that causes the computer to function as the user terminal device 100 (terminal device) in this embodiment. Can be realized.

  According to the history service use program in this embodiment, the anonymous history discriminating unit 130 discriminates information that is difficult to identify the user as the anonymous history information 630, and the anonymous history transmitting unit 141 provides the discriminated anonymous history information 630 as a service. Since it transmits to the apparatus 810, there exists an effect that the user provision apparatus 100 which the service provision apparatus 810 cannot identify a user by this information transmission can be implement | achieved easily.

  The history service providing system 800 according to this embodiment has the user terminal device 100 according to this embodiment.

  According to the history service providing system 800 in this embodiment, there is an effect that the user can use the history service without worrying about identifying the user.

  The user terminal device 100 in this embodiment obtains service usage record information (usage record information 620) held by the service providing device 810 before transmitting the service usage history to the service providing device 810. Then, based on the information, it is determined whether or not a user is easily specified by information included in the history, and a history (anonymous history information 630) is created so as not to include information that is highly likely to be specified. It is characterized by that.

  Thus, before the user transmits the history, information on the history is obtained from the store in advance, and using the information, the user creates a purchase history from purchase information that is not specified by the store and transmits the purchase history to the store. Thus, the user can use the history service anonymously with privacy protected.

Embodiment 2. FIG.
The second embodiment will be described with reference to FIGS.
Since the overall configuration of the history service providing system 800 and the hardware configuration of the user terminal device 100 and the service providing device 810 in this embodiment are the same as those described in the first embodiment, description thereof is omitted here.

FIG. 10 is a block configuration diagram illustrating an example of a functional block configuration of the user terminal device 100 according to this embodiment.
Note that blocks that are the same as the blocks described in the first embodiment are denoted by the same reference numerals, and description thereof is omitted here.

The user terminal device 100 further includes a reliability determination unit 151.
The reliability determination unit 151 inputs the usage record information 620 output from the usage record reception unit 111 and the usage history information 610 stored in the usage history storage unit 121 using a processing device such as the CPU 911.
The reliability determination unit 151 determines whether the usage record information 620 is reliable based on the input usage record information 620 and the input usage history information 610 using a processing device such as the CPU 911.
The reliability determination unit 151 outputs information indicating the determination result using a processing device such as the CPU 911.

The anonymous history determination unit 130 inputs information indicating the determination result output by the reliability determination unit 151 using a processing device such as the CPU 911.
The anonymous history determination unit 130 uses the processing device such as the CPU 911 and the processing described in the first embodiment when the reliability determination unit 151 determines that the usage record information 620 is reliable based on the input information. And anonymous history information 630 is output.

  Therefore, when the reliability determination unit 151 determines that the usage record information 620 is not reliable, no processing is performed and the anonymous history information 630 is not transmitted to the service providing apparatus 810.

  In the first embodiment, on the assumption that the usage record information 620 transmitted from the service providing apparatus 810 is reliable, the anonymous history information 630 is determined based on the received usage record information 620, and the service providing apparatus 810 is notified. Send.

However, the service providing apparatus 810 may attempt to identify the user by transmitting the “lie” usage record information 620 and tricking the user terminal apparatus 100.
For example, it is assumed that the usage record information 620 stored in the service providing apparatus 810 is as shown in FIG. 7, and the service providing apparatus 810 wants to specify the user who purchased the product C.
When the usage record information 620 stored in the service providing apparatus 810 is honestly transmitted to the user terminal apparatus 100, the information that the product C has been purchased is anonymous as described in the first embodiment. If the property is low, the anonymity determination unit 131 determines. Therefore, the anonymous history information 630 transmitted to the service providing apparatus 810 by the anonymous history transmitting unit 141 does not include information indicating that the product C has been purchased, and the service providing apparatus 810 purchases the product C. The user who made it cannot be specified.

  Therefore, the service providing apparatus 810 transmits information indicating that the product C has been purchased by modifying the usage record information 620 and transmitting the “lie” usage record information 620, and the usage of the product C purchased. Attempt to identify the person.

FIG. 11 is a diagram illustrating a case where the service providing apparatus 810 transmits lie usage record information 620.
The usage record receiving unit 111 receives the “lie” usage record information 620 transmitted by the service providing apparatus 810 using the communication device 915.
In this figure, the part in which the usage record information 620 is modified is indicated by a thick frame.

The anonymity determination unit 131 inputs the usage record information 620 received by the usage record reception unit 111 using a processing device such as the CPU 911, and counts the usage records of the service that the product C has been purchased. to decide. Since this is more than the threshold (4 times) of the number of uses, the anonymity determination unit 131 determines that the information about the product C (has been deceived) has high anonymity.
Based on this determination, the anonymous history determination unit 130 generates anonymous history information 630 indicating that the product C has been purchased using a processing device such as the CPU 911. The anonymous history transmission unit 141 transmits the generated anonymous history information 630 to the service providing device 810 using the communication device 915.
The service providing device 810 receives the anonymous history information 630 transmitted by the user terminal device 100, and identifies the user who has previously purchased the product C.

  As described above, the service providing apparatus 810 provides the user terminal apparatus 100 with the “lie” usage record information 620 that is modified so as to make it appear as if many services that have not been used are actually used. By transmitting to the user, it is possible to specify the user who uses the service.

  The user terminal device 100 in this embodiment is configured not to transmit information with low anonymity by overlooking such a modification.

  FIG. 12 is a flowchart showing an example of the flow of the reliability determination process in which the reliability determination unit 151 determines the reliability of the usage record information 620 in this embodiment.

In S <b> 51, the reliability determination unit 151 inputs the usage history information 610 stored in the usage history storage unit 121 and the usage record information 620 output from the usage record reception unit 111 using a processing device such as the CPU 911.
The reliability determination unit 151 determines whether or not usage record information 620 indicating the same content exists for all the input usage history information 610 using a processing device such as the CPU 911.
If it is determined that there is usage record information 620 having the same contents for all the usage history information 610, the process proceeds to S52.
When it is determined that there is no usage record information 620 having the same contents in the usage history information 610, the process proceeds to S53.

In S <b> 52, the reliability determination unit 151 determines that the usage record information 620 is reliable using a processing device such as the CPU 911.
Thereafter, the process proceeds to S54.

  In S53, the reliability determination unit 151 determines that the usage record information 620 is unreliable using a processing device such as the CPU 911.

  In S <b> 54, the reliability determination unit 151 notifies the determination result to the anonymous history determination unit 130 using a processing device such as the CPU 911.

  The anonymous history discriminating unit 130 receives this notification and performs processing only when the reliability determining unit 151 determines that the usage record information 620 is reliable, and outputs the anonymous history information 630. When the reliability determination unit 151 determines that the usage record information 620 is not reliable, the anonymous history determination unit 130 stops processing and does not output the anonymous history information 630.

  For example, the usage record information 620 illustrated in FIG. 11 is transmitted from the service providing apparatus 810 to the user terminal device 100 in which the usage history storage unit 121 stores the usage history information 610 illustrated in FIG. An example will be described.

The reliability determination unit 151 purchases the content “one product A, two products B, and two products D” recorded in the first usage history information 610 of FIG. 6 (January 5). It is determined whether there is usage record information 620 having the same content. Since the first usage record information 620 in FIG. 11 corresponds to this, it is understood that this information is not altered.
Similarly, the reliability determination unit 151 uses the same content as the content “purchased 1 product B” recorded in the second usage history information 610 in FIG. 6 (January 10). It is determined whether there is recorded information 620. The usage record information 620 in FIG. 11 does not have the corresponding usage record information 620. Therefore, it can be seen that this information has been altered.
When even one piece of information that has been modified is found, the reliability determination unit 151 determines that the entire usage record information 620 is not reliable.

  Thereby, the anonymous history discriminating unit 130 stops the process and does not output the anonymous history information 630. Therefore, it is possible to prevent the anonymous history information 630 indicating that “the product C has been purchased” from being transmitted to the service providing apparatus 810, and the user is not identified in the service providing apparatus 810. It will end.

If the service providing apparatus 810 knows that the transmitted usage record information 620 has not been trusted, it can be seen that the usage record information 620 for the user is present in the modified usage record information 620, and the user is identified. May be a clue to identify.
Therefore, if the reliability determination unit 151 determines that the usage record information 620 is not reliable and the anonymous history determination unit 130 does not output the anonymous history information 630, the anonymous history transmission unit 141 determines that the usage record information 620 is not reliable. Send empty information.
Since this is the same procedure as when the user uses the service for the first time, the service providing apparatus 810 cannot distinguish whether the usage record information 620 is not trusted or whether the user uses the service for the first time. This eliminates the need to give the service providing apparatus 810 a clue to identify the user.

The user terminal device 100 in this embodiment further includes:
Using the processing device such as the CPU 911, the usage history information 610 stored in the usage history storage unit 121 and the usage record information 620 output from the usage record receiving unit 111 are input and input using the processing device such as the CPU 911. In the usage record information 620, it is determined whether there is usage record information 620 that records the service content that matches the service content recorded by the input usage history information 610, and the usage record that records the service content that matches. A reliability determination unit 151 that determines that the usage record information 620 is reliable when it is determined that the information 620 exists;
The anonymous history determination unit 130 outputs the anonymous history information 630 when the reliability determination unit 151 determines that the usage record information 620 is reliable using a processing device such as the CPU 911.

  According to the user terminal device 100 in this embodiment, when the reliability judgment unit 151 has overlooked the modification of the usage record information 620 and the usage record information 620 has been altered, the anonymous history determination unit 130 Since the information 630 is not output, the anonymous history transmitting unit 141 does not transmit the anonymous history information 630 to the service providing apparatus 810, and it is possible to prevent the user from being specified by information having low anonymity. Play.

In order to prevent the user terminal device 100 having such a configuration from seeing the alteration of the usage record information 620, the service providing device 810 does not alter the usage record information 620 for the user, It is necessary to modify only the usage record information 620 for the user.
However, since the service providing apparatus 810 does not record information that can identify the user, the service providing apparatus 810 cannot determine which user the usage record information 620 belongs to, and only modifies the usage record information 620 for other users. I can't do it.

  In this way, the user can verify any of the information regarding the history obtained from the store, but the store cannot specify the information to be verified by the store, so the store alters the information to a convenient value. Can be prevented.

If the service providing apparatus 810 modifies only a part of the stored usage record information 620, the modification cannot be detected by a user other than the user of the service recorded by the modified usage record information 620.
However, if such a modification is detected even once, the customer's trust is lost and the customer is lost, so even if it is unlikely that it can actually be seen, the effect of suppressing such modification Can be expected.

In the case where the modification is confirmed even once, the user terminal device 100 stores the information using a storage device such as a memory, and thereafter, the information from the same service providing device 810 is not trusted. Also good.
Alternatively, the user terminal device 100 may use the display device 901 to display a warning that the user may have collected personal information after leaving the store and warn the user ( The reason we don't warn on the spot is that the store doesn't realize that we have seen it.)

Embodiment 3 FIG.
The third embodiment will be described with reference to FIGS.
Since the overall configuration of the history service providing system 800 and the hardware configuration of the user terminal device 100 and the service providing device 810 in this embodiment are the same as those described in the first embodiment, description thereof is omitted here.
In addition, since the functional block configuration of the user terminal device 100 in this embodiment is the same as that described in the second embodiment, the description thereof is omitted here.

FIG. 13 is a diagram showing an example of the usage history information 610 received by the usage history receiving unit 112 and stored in the usage history storage unit 121 in this embodiment.
Note that portions common to the usage history information 610 described with reference to FIG. 6 in Embodiment 1 are denoted by the same reference numerals, and description thereof is omitted here.

The usage history receiving unit 112 receives the usage history information 610 transmitted from the service providing device 810 using the communication device 915.
The usage history information 610 received by the usage history receiving unit 112 includes history identification information 614.
The usage history receiving unit 112 outputs the received usage history information 610 using a processing device such as the CPU 911. The usage history information 610 output by the usage history receiving unit 112 includes the received history identification information 614. The usage history receiving unit 112 outputs the received history identification information 614 together with the usage history information 610.

  The history identification information 614 is information for identifying the usage history information 610. The history identification information 614 differs for each usage history information 610.

The usage history storage unit 121 inputs the usage history information 610 and the history identification information 614 output from the usage history reception unit 112 using a processing device such as the CPU 911.
The usage history storage unit 121 stores input usage history information 610 and history identification information 614 using a storage device such as a memory.

FIG. 14 is a diagram showing an example of usage record information 620 received by the usage record receiver 111 in this embodiment.
Note that portions common to the usage record information 620 described with reference to FIG. 7 in Embodiment 1 are denoted by the same reference numerals, and description thereof is omitted here.

The usage record receiving unit 111 receives the usage record information 620 transmitted by the service providing apparatus 810 using the communication device 915.
The usage record information 620 received by the usage record receiver 111 includes record identification information 624.
The usage record receiving unit 111 outputs the received usage record information 620 using a processing device such as the CPU 911. The usage record information 620 output by the usage record receiving unit 111 includes the received record identification information 624. The usage record receiver 111 outputs the received record identification information 624 together with the usage record information 620.

  The record identification information 624 is information for identifying the usage record information 620. The record identification information 624 is different for each use record information 620.

The service providing apparatus 810 includes the history identification information 614 in the usage history information 610 that records that the user has used the service, and transmits it to the user terminal device 100. When the service providing apparatus 810 stores the usage history information 610 as usage record information 620, the history identification information 614 transmitted to the user terminal device 100 is included in the usage record information 620 as record identification information 624. Remember.
When transmitting the usage record information 620 to the user terminal device 100, the service providing apparatus 810 transmits the record identification information 624 of the usage record information 620 together.

In the second embodiment, the reliability determination unit 151 determines whether or not the usage record information 620 is reliable based on whether or not the usage record information 620 showing the same content as the usage history information 610 exists.
However, if there is usage record information 620 showing exactly the same contents in the usage record information 620 for other users, the usage record information 620 cannot be detected unless the two can be distinguished.

  The user terminal device 100 of this embodiment uses the record identification information 624 for identifying the usage record information 620 so that the usage record information 620 having the same service content can be distinguished.

FIG. 15 is a flowchart showing an example of the flow of the reliability determination process in which the reliability determination unit 151 determines the reliability of the usage record information 620 in this embodiment.
In addition, the same code | symbol is attached | subjected about the process which is common in the process demonstrated using FIG. 12 in Embodiment 2, and description is abbreviate | omitted here.

In S55, the reliability determination unit 151 inputs the history identification information 614 stored in the usage history storage unit 121 and the record identification information 624 output from the usage record reception unit 111 using a processing device such as the CPU 911.
The reliability determination unit 151 uses the processing history information 610 recorded by the usage history storage unit 121 for the input history identification information 614 and the input record identification information 624 that match using a processing device such as the CPU 911, and the like. The usage record information 620 output by the usage record receiver 111 is input.
That is, the reliability determination unit 151 uses the processing device such as the CPU 911 to identify the history identification information of the usage history information 610 stored in the usage history storage unit 121 from the usage record information 620 output from the usage record reception unit 111. Usage record information 620 having record identification information 624 that matches 614 is extracted.
If there is no usage record information 620 having the record identification information 624 that matches the history identification information 614 in the input usage record information 620, the process proceeds to S53 and it is determined that the usage record information 620 is not reliable.
If there is usage record information 620 having record identification information 624 that matches all the history identification information 614 input, the process proceeds to S56.

In S56, the reliability determination unit 151 uses the processing device such as the CPU 911 to record the usage history information 610 and the usage record information 620 in which the history identification information 614 and the recording identification information 624 match. It is determined whether or not the service content recorded matches the service content recorded by the usage record information 620.
If the service contents match, the process proceeds to S52, and it is determined that the usage record information 620 is reliable.
If the service contents do not match, the process proceeds to S53, and it is determined that the usage record information 620 is not reliable.

  As described above, the reliability determination unit 151 determines whether or not the recorded service contents match between the use history information 610 and the use record information 620 in which the history identification information 614 and the record identification information 624 match. Since it is determined whether or not the usage record information 620 is reliable, even when there is another usage record information 620 that records the same service content, the alteration of the usage record information 620 can be detected.

  In addition, the service providing apparatus 810 does not modify the contents of the usage record information 620 and does not intentionally transmit a part of the usage record information 620 to the user terminal device 100, so that the anonymity determination unit 131 makes a basis for the determination. There is a possibility that the information is biased and the anonymity determination unit 131 tries to make a mistake.

  The user terminal device 100 according to this embodiment determines whether or not all the usage record information 620 having the record identification information 624 that matches the history identification information 614 of the recorded usage history information 610 is transmitted. Such intentional non-transmission can be detected.

If the usage record information 620 is altered or intentionally untransmitted, the reliability determination unit 151 determines that the usage record information 620 is not reliable, and the anonymous history determination unit 130 does not output the anonymous history information 630.
Therefore, the anonymous history transmitting unit 141 can prevent the anonymous history information 630 from being transmitted to the service providing apparatus 810 and prevent the user from being specified by information having low anonymity.

The user terminal device 100 (terminal device) in this embodiment is
Usage history storage unit 121
Using a storage device such as a memory, the usage history information 610 and the history identification information 614 for identifying the usage history information 610 are stored,
Usage record receiver 111
The communication device 915 is used to receive the plurality of usage record information 620 and the plurality of record identification information 624 for identifying the plurality of usage record information 620, and the received plurality of usage records using the processing device such as the CPU 911. Output information 620 and a plurality of received record identification information 624;
The user terminal device 100 further includes
The history identification information 614 stored in the usage history storage unit 121 and the plurality of record identification information 624 output from the usage record reception unit 111 are input using a processing device such as the CPU 911, and the processing device such as the CPU 911 is used. The usage history information 610 identified by the history identification information 614 among the usage history information 610 stored by the usage history storage unit 121 for the input history identification information 614 that matches the input record identification information 624, The usage record information 620 identified by the record identification information 624 is input from the usage history information 610 output by the usage record receiving unit 111, and the input usage history information 610 is recorded using a processing device such as the CPU 911. It is determined whether or not the service content matches the service content recorded by the input usage record information 620. , Using the processing device, such as a CPU 911, when it is determined that the service content is matched, has the reliability determination unit 151 determines that the usage record information 620 is reliable,
Anonymity history determination unit 130
When the reliability determination unit 151 determines that the usage record information 620 is reliable using a processing device such as the CPU 911, the anonymous history information 630 is output.

  According to the user terminal device 100 in this embodiment, the service content indicated by the usage history information 610 and the service content indicated by the usage record information 620 are the same for the history identification information 614 and the record identification information 624 that match. Since the reliability determination unit 151 determines whether or not they match, the reliability of the usage record information 620 is determined. Therefore, even if there is another usage record information 620 for a service having the same content, the usage record information 620 There is an effect that it is possible to see through the alteration.

The user terminal device 100 in this embodiment is
The reliability determination unit 151 further includes:
Use when there is no use record information 620 including record identification information 624 that matches the history identification information 614 stored in the use history storage unit 121 in the input use record information 620 using a processing device such as the CPU 911. The record information 620 is determined to be unreliable.

According to the user terminal device 100 in this embodiment,
If the service providing apparatus 810 does not transmit a part of the usage record information 620 and misleads the user terminal apparatus 100 to transmit information with low anonymity, it can be detected. As a result, it is possible to prevent the user from being specified by information having low anonymity.

  The history identification information 614 (and the record identification information 624) is generated by the service providing apparatus 810 and transmitted to the user terminal apparatus 100. However, the user terminal apparatus 100 generates the service identification information 614 It is good also as transmitting with respect to the provision apparatus 810. FIG. This is preferable because the service providing apparatus 810 can prevent the history identification information 614 from having a certain regularity as a clue to identify the user.

Embodiment 4 FIG.
The fourth embodiment will be described with reference to FIGS.
Since the overall configuration of the history service providing system 800 and the hardware configuration of the user terminal device 100 and the service providing device 810 in this embodiment are the same as those described in the first embodiment, description thereof is omitted here.

FIG. 16 is a block configuration diagram illustrating an example of a functional block configuration of the user terminal device 100 according to this embodiment.
Note that blocks common to the functional blocks described in the second embodiment are denoted by the same reference numerals, and description thereof is omitted here.

  The user terminal device 100 further includes a record identification receiving unit 113, a record identification selecting unit 152, and a selection identification transmitting unit 142.

The record identification receiving unit 113 uses the communication device 915 to receive a list of record identification information 624 transmitted by the service providing device 810.
The record identification receiving unit 113 outputs a list of received record identification information 624 using a processing device such as the CPU 911.

The record identification selection unit 152 inputs a list of the record identification information 624 output from the record identification reception unit 113 using a processing device such as the CPU 911.
The recording identification selection unit 152 selects an appropriate number of recording identification information 624 from the input list of recording identification information 624 using a processing device such as the CPU 911.
The record identification selection unit 152 outputs the selected record identification information 624 using a processing device such as the CPU 911.

The selection identification transmission unit 142 inputs the record identification information 624 output from the recording identification selection unit 152 using a processing device such as the CPU 911.
The selection identification transmission unit 142 transmits the input record identification information 624 to the service providing apparatus 810 using the communication apparatus 915.

The service providing apparatus 810 uses a processing device such as the CPU 911 to generate a list of all record identification information 624 identifying the use record information 620 for the stored use record information 620, and uses the communication apparatus 915 to create a user. It transmits with respect to the terminal device 100.
The service providing apparatus 810 uses the communication apparatus 915 to receive the record identification information 624 selected by the user terminal apparatus 100.
Using the communication device 915, the service providing device 810 transmits usage record information 620 corresponding to the received record identification information 624 to the user terminal device 100.

  The usage record reception unit 111 receives the usage record information 620 identified by the record identification information 624 transmitted by the selection identification transmission unit 142 from the service providing apparatus 810 using the communication device 915.

  In the third embodiment, in order to prevent the service providing apparatus 810 from arbitrarily selecting the usage record information 620 transmitted to the user terminal apparatus 100, the usage record information 620 stored in the service providing apparatus 810 is stored. All are sent.

  However, the number of usage record information 620 may be enormous, and all the usage record information 620 is limited by restrictions on the processing capability of the processing device such as the CPU 911 of the user terminal device 100 and the communication capability of the communication device 915. It may be impractical to have

  The user terminal device 100 according to this embodiment causes the usage record information 620 identified by the record identification information 624 selected by the record identification selection unit 152 to be transmitted among the usage record information 620 stored by the service providing device 810. This prevents the service providing apparatus 810 from arbitrarily selecting the usage record information 620.

  FIG. 17 is a flowchart showing an example of the entire flow of the history service providing process in which the history service providing system 800 provides the history service in this embodiment.

In S <b> 18, the service providing apparatus 810 reads out the record identification information 624 identifying the use record information 620 for all the stored use record information 620 using a processing device such as the CPU 911, and stores all the record identification information 624. Generate a list.
Using the communication device 915, the service providing device 810 transmits a list of all the generated record identification information 624 to the user terminal device 100.

In S28, the record identification receiving unit 113 uses the communication device 915 to receive the list of record identification information 624 transmitted by the service providing apparatus 810 in S18.
The record identification receiving unit 113 outputs a list of received record identification information 624 using a processing device such as the CPU 911.

In S29, the record identification selection unit 152 inputs a list of the record identification information 624 output by the record identification reception unit 113 in S28 using a processing device such as the CPU 911.
The recording identification selection unit 152 selects a plurality of recording identification information 624 from the input list of recording identification information 624 using a processing device such as the CPU 911.
The record identification selection unit 152 outputs a plurality of selected record identification information 624 using a processing device such as the CPU 911.

In S <b> 20, the selection identification transmission unit 142 inputs a plurality of pieces of recording identification information 624 output by the recording identification selection unit 152 in S <b> 29 using a processing device such as the CPU 911.
The selection identification transmission unit 142 transmits a plurality of input record identification information 624 to the service providing apparatus 810 using the communication apparatus 915.

  In S19, the service providing apparatus 810 uses the communication apparatus 915 to receive the plurality of record identification information 624 transmitted by the selection identification transmission unit 142 in S20.

  In S <b> 11, the service providing apparatus 810 uses the communication apparatus 915 to transmit a plurality of usage record information 620 identified by the received plurality of record identification information 624 to the user terminal apparatus 100.

In S21, the usage record reception unit 111 receives the usage record information 620 transmitted from the service providing apparatus 810 in S11 using the communication device 915.
The usage record receiving unit 111 outputs the received usage record information 620 using a processing device such as the CPU 911.

  The subsequent processing flow is the same as that described with reference to FIG. 8 in the first embodiment.

  FIG. 18 is a flowchart showing an example of the flow of the record identification selection process in which the record identification selection unit 152 selects the record identification information 624 in this embodiment.

In S <b> 61, the recording identification selection unit 152 inputs the history identification information 614 stored in the usage history storage unit 121 and the list of recording identification information 624 output from the recording identification reception unit 113 using a processing device such as the CPU 911. To do.
The record identification selection unit 152 uses a processing device such as the CPU 911 to determine whether or not all the record identification information 624 that matches the input history identification information 614 is included in the list of the input record identification information 624. to decide.
If all the record identification information 624 that matches the history identification information 614 is included, the process proceeds to S63.
When the record identification information 624 that matches the history identification information 614 is not included, the process proceeds to S62.

In S62, the record identification selection unit 152 determines that the list of the record identification information 624 is unreliable using a processing device such as the CPU 911.
The record identification selection unit 152 stores information indicating the determination result using a storage device such as a memory.

  If the list of record identification information 624 does not include all the record identification information 624 that matches the history identification information 614, it can be seen that the service providing apparatus 810 has not transmitted all the record identification information 624. At this point, the process may be stopped, but in this case, the service providing apparatus 810 uses the record identification information 624 that has not been transmitted to the use record information about the user who owns the user terminal apparatus 100. It can be seen that there is record identification information 624 identifying 620, which is a clue for identifying the user.

Therefore, only the fact that it is unreliable at this point is stored, and later, when the reliability determination unit 151 determines the reliability of the usage record information 620, it is determined that the usage record information 620 is not reliable. To do.
Thereby, since the anonymous history discriminating unit 130 does not output the anonymous history information 630 and the anonymous history transmitting unit 141 does not transmit the anonymous history information 630, it is possible to prevent the user from being specified by information with low anonymity. it can.
In addition, as described in the second embodiment, even if the anonymous history transmission unit 141 does not transmit the anonymous history information 630, the service providing apparatus 810 cannot determine that it has been detected, and thus provides a clue to identify the user. You do n’t have to.

In S63, the record identification selection unit 152 uses a processing device such as the CPU 911 to select the record identification information 624 that matches the history identification information 614 input in S61 from the list of the record identification information 624 input in S61. To do.
At this time, the record identification selection unit 152 may select all the record identification information 624 that matches the history identification information 614, or may select a part of the record identification information 624 that matches the history identification information 614. However, it is assumed that the reliability determination unit 151 selects a sufficient number of record identification information 624 for verifying the reliability of the usage record information 620.

  In addition, when all the record identification information 624 that matches the history identification information 614 is selected, it is preferable that a part of the record identification information 624 may not be selected with a certain probability. If all the items are selected, the service providing apparatus 810 can determine that the record identification information 624 that has not been selected is not the use record information 620 for the user, which is a clue for identifying the user. Because there are cases.

In S64, the record identification selection unit 152 uses a processing device such as the CPU 911 to randomly select the record identification information 624 that does not match the history identification information 614 input in S61 from the list of the record identification information 624 input in S61. Select
At this time, the record identification selection unit 152 selects a sufficient number of record identification information 624 for the anonymity determination unit 131 to determine the anonymity of the information. This is because anonymity of information cannot be correctly determined unless a sufficient number of usage record information 620 for other users can be obtained.
The number of record identification information 624 that does not match the history identification information 614 is preferably at least as large as the number of record identification information 624 that matches the history identification information 614.
If possible, it is more preferable that the number of the record identification information 624 that matches the history identification information 614 is 10 times or more.

  Further, by selecting a sufficient number of record identification information 624 that does not match the history identification information 614, the service providing apparatus 810 links the user and the usage record information 620 based on the selection of the record identification information 624, This can prevent a user from being identified as a clue.

  In S65, the record identification selection unit 152 outputs the selected record identification information 624 using a processing device such as the CPU 911.

Accordingly, the user terminal device 100 can cause the service providing device 810 to transmit usage record information 620 in an amount commensurate with the processing capability of the processing device such as the CPU 911 and the communication capability of the communication device 915.
Also, since the usage record information 620 to be transmitted is selected by the user terminal device 100, the usage record information 620 that is arbitrarily transmitted by the service providing device 810 is selected, and the determination of the reliability determination unit 151 is distorted. I can't.

The user terminal device 100 (terminal device) in this embodiment further includes:
The communication device 915 is used to receive a list of record identification information 624 for identifying the usage record information 620 stored by the service providing device 810 (server device), and the received record identification information 624 is received using a processing device such as the CPU 911. A record identification receiving unit 113 that outputs a list of
A plurality of record identification information 624 is selected from the list of record identification information 624 output by the record identification receiving unit 113 using a processing device such as the CPU 911, and a plurality of selected items are selected using the processing device such as the CPU 911. A record identification selection unit 152 that outputs record identification information 624;
A plurality of record identification information 624 output from the record identification selection unit 152 is input using a processing device such as the CPU 911, and a plurality of input record identification information 624 is input to the service providing device 810 using the communication device 915. A selection identification transmission unit 142 for transmitting
Usage record receiver 111
A plurality of usage record information 620 identified by the plurality of record identification information 624 transmitted by the selection identification transmission unit 142 is received from the service providing apparatus 810 using the communication device 915.

According to the user terminal device 100 in this embodiment, the service providing device 810 transmits the same number of usage record information 620 as the number of the record identification information 624 selected by the record identification selection unit 152, so that the user terminal There is an effect that the usage record receiving unit 111 can receive the usage record information 620 corresponding to the processing capability of the processing device such as the CPU 911 of the device 100 and the communication capability of the communication device 915.
That is, if the user terminal device 100 has a low processing capability of a processing device such as the CPU 911, the amount of usage record information 620 to be received can be reduced and the processing can proceed smoothly, and the processing device such as the CPU 911 is highly utilized. If it is person terminal device 100, the quantity of usage record information 620 to be received can be increased, and anonymity judgment part 131 can judge anonymity more correctly.
In addition, since the usage record information 620 transmitted by the service providing apparatus 810 cannot be arbitrarily selected, there is no risk that the determination of the anonymity determination unit 131 may be upset.

The user terminal device 100 (terminal device) in this embodiment is
The record identification selection unit 152 further
Using the processing device such as the CPU 911, the history identification information 614 stored in the usage history storage unit 121 is input,
Using a processing device such as the CPU 911, select the record identification information 624 that matches the input history identification information 614,
The recording identification information 624 that does not match the input history identification information 614 is selected at random using a processing device such as the CPU 911.

According to the user terminal device 100 in this embodiment, the record identification selection unit 152 selects the record identification information 624 that matches the history identification information 614 and the record identification information 624 that does not match the history identification information 614 in a balanced manner. Therefore, the usage record information 620 identified by the record identification information 624 that matches the history identification information 614 among the usage record information 620 received by the usage record reception unit 111 from the service providing apparatus 810 is displayed by the reliability determination unit 151. The usage record information 620 that is used to verify the reliability of the usage record information 620 and is identified by the record identification information 624 that does not match the history identification information 614 is used by the anonymity determination unit 131 to determine anonymity. There is an effect that can be done.
In addition, there is an effect that the service providing apparatus 810 cannot obtain a clue for identifying the user from the record identification information 624 selected by the record identification selection unit 152.

  Thereby, since the information amount regarding the history which the user obtains from the store can be controlled by the user, the optimum information amount can be adjusted according to the performance of the user's mobile terminal.

Embodiment 5 FIG.
The fifth embodiment will be described with reference to FIGS.
Since the overall configuration of the history service providing system 800 and the hardware configuration of the user terminal device 100 and the service providing device 810 in this embodiment are the same as those described in the first embodiment, description thereof is omitted here.
In addition, since the functional block configuration of the user terminal device 100 in this embodiment is the same as that described in the fourth embodiment, description thereof is omitted here.

FIG. 19 is a diagram showing an example of the usage record information 620 received by the usage record receiver 111 in this embodiment.
Note that portions common to the usage record information 620 described with reference to FIG. 7 in Embodiment 1 are denoted by the same reference numerals, and description thereof is omitted here.

The usage record receiving unit 111 receives the usage record information 620 transmitted by the service providing apparatus 810 using the communication device 915.
The usage record information 620 received by the usage record reception unit 111 includes a hash value 625.
The usage record receiving unit 111 outputs the received usage record information 620 using a processing device such as the CPU 911. The usage record information 620 output by the usage record receiving unit 111 includes the received hash value 625. The usage record receiver 111 also outputs the received hash value 625 together with the usage record information 620.

In general, the “hash value” is a value generated by converting predetermined data.
Since the hash value usually has a smaller amount of information than the original data, the original data cannot be restored from the hash value.
The hash value is also called a summary of the original data. If the original data is different, the hash value is usually different.
Since hash values usually have less information than the original data, hash values generated from different data may be the same (this is called hash value collision), but the same hash value is generated. It is very difficult to predict other data.
Since the hash value has such a property, it is used for verifying whether the original data has not been altered in, for example, an electronic signature.

In this embodiment, the hash value 625 is obtained by the service providing apparatus 810 using the processing device such as the CPU 911 and the record identification information 624 of the usage record information 620 and the contents of the usage record information 620 (the product code 621 and the number of purchases 622). Etc.).
The hash value 625 is used instead of the record identification information 624 described in the third embodiment, and is used to identify the use record information 620.

  In addition, the usage record information 620 in this embodiment has a random order in which the service providing apparatus 810 transmits to the user terminal apparatus 100, and the order of the record identification information 624 transmitted by the selection identification transmission unit 142. Is irrelevant. Therefore, the corresponding usage record information 620 cannot be determined from the order of the transmitted record identification information 624.

In the third embodiment and the fourth embodiment, the service providing apparatus 810 transmits usage record information 620 including the record identification information 624 to the user terminal apparatus 100.
Therefore, if the user can know the record identification information 624 of the usage record information 620 that records the service used by another user by some method, the contents of the service used by the other user can be known. .

  The history service providing system 800 according to this embodiment prevents the leakage of personal information in this way by concealing the record identification information 624 from other users.

  FIG. 20 is a flowchart showing an example of the flow of the reliability determination process in which the reliability determination unit 151 in this embodiment determines the reliability of the usage record information 620.

In S57, the reliability determination unit 151 uses a processing device such as the CPU 911 to match the record identification information 624 selected by the record identification selection unit 152 among the use history information 610 stored by the use history storage unit 121. The usage history information 610 identified by the identification information 614 is input.
The reliability determination unit 151 uses a processing device such as the CPU 911 to calculate a hash value from the record identification information 624 of the input usage history information 610 and the contents of the usage history information 610 (product code 611, purchased quantity 612, etc.). Is generated.

In S55 ′, the reliability determination unit 151 inputs the hash value 625 output from the usage record reception unit 111 using a processing device such as the CPU 911.
The reliability determination unit 151 uses the processing device such as the CPU 911 to input the usage record information 620 output from the usage record reception unit 111 for the input hash value 625 that matches the hash value generated in S57. .
That is, the reliability determination unit 151 uses the processing device such as the CPU 911 to identify the history identification information of the usage history information 610 stored in the usage history storage unit 121 from the usage record information 620 output from the usage record reception unit 111. Usage record information 620 having record identification information 624 that matches 614 is extracted.
If there is no usage record information 620 having a hash value 625 that matches the calculated hash value in the input usage record information 620, the process proceeds to S53, and it is determined that the usage record information 620 is not reliable.
If there is usage record information 620 having record identification information 624 that matches all the history identification information 614 input, the process proceeds to S56.

In this way, instead of identifying the usage record information 620 by the record identification information 624, the usage record information 620 is identified by the hash value 625, and whether the contents are correct is verified.
The same hash value calculation method (hash function) is used by the user terminal device 100 and the service providing device 810. Therefore, if the original data is equal, the calculated hash values are also equal.

The service providing apparatus 810 transmits a hash value 625 calculated based on the recording identification information 624 to the user terminal apparatus 100 instead of transmitting the recording identification information 624.
The user terminal device 100 compares the record identification information 624 not received with the history identification information 614 by comparing the hash value calculated based on the history identification information 614 with the received hash value 625. To get the same effect.
The reliability determination unit 151 compares the contents of the usage record information 620 with the matching hash value with the contents of the usage history information 610 to check whether the contents have been altered, and the received usage record information 620 can be trusted. Determine whether or not.

  Further, since the original data for calculating the hash value includes the usage record information 620 (or usage history information 610), the usage record information 620 and the usage history information 610 are obtained by comparing the hash values. You get the same effect as comparing. Therefore, if the usage record information 620 and the usage history information 610 are compared with respect to those having the same hash value, a double check is performed.

  In addition, a plurality of usage record information 620 having the same hash value 625 may be transmitted due to a hash value collision. In that case, by comparing the usage history information 610 and the usage record information 620, it can be determined which usage record information 620 and the usage history information 610 match.

  Other users cannot know the record identification information 624 of the use record information 620 since the original data cannot be restored from the hash value 625. Therefore, even if the user knows the record identification information 624 of the usage record information 620 that records the service content used by a certain user, it cannot determine which usage record information 620 corresponds to it, and the service content used by the user. I can't know.

Note that the usage record information 620 received by the usage record receiving unit 111 is for the record identification information 624 transmitted by the selection identification transmitting unit 142, and thus the transmitted record identification information 624 and the received usage record information 620 are included. If the hash value is calculated by combining the contents with the brute force and compared with the received hash value 625, the correspondence between the record identification information 624 and the use record information 620 may be determined.
Therefore, the service providing apparatus 810 may reject the transmission of the usage record information 620 when the number of the record identification information 624 transmitted by the selection identification transmission unit 142 is small.

In addition, the data that is the basis for calculating the hash value 625 includes information that is included in the usage history information 610 but is not included in the usage record information 620 transmitted by the service providing apparatus 810 (for example, purchase date and time 613). It is good also as a structure.
Then, since the other users do not know the purchase date and time 613, the hash value cannot be calculated, and the correspondence between the record identification information 624 and the use record information 620 cannot be determined.

The user terminal device 100 (terminal device) in this embodiment is
Usage history storage unit 121
Using a storage device such as a memory, the usage history information 610 and the history identification information 614 for identifying the usage history information 610 are stored,
Usage record receiver 111
The communication device 915 is used to receive a plurality of hash values 625 and a plurality of usage record information 620 corresponding to each of the plurality of hash values 625, and the received plurality of hash values 625 using a processing device such as the CPU 911. And a plurality of usage record information 620 received,
The user terminal device 100 further includes:
Using the processing device such as the CPU 911, the history identification information 614 and the usage history information 610 stored in the usage history storage unit 121 and the plurality of hash values 625 output from the usage record reception unit 111 are input, and the processing such as the CPU 911 is performed. A hash value is calculated based on the input history identification information 614 and the input usage history information 610 using a device, and the input hash value 625 and the calculated hash value are calculated using a processing device such as the CPU 911. Of the usage record information 620 output by the usage record receiving unit 111, the usage record information 620 corresponding to the hash value 625 is input, and the input usage history information 610 is input using a processing device such as the CPU 911. Is the service content recorded by the user and the service content recorded by the input usage record information 620 match? Determine, using the processing device, such as a CPU 911, when it is determined that the service content is matched, has the reliability determination unit 151 determines that the usage record information 620 is reliable,
Anonymity history determination unit 130
When the reliability determination unit 151 determines that the usage record information 620 is reliable using a processing device such as the CPU 911, the anonymous history information 630 is output.

  According to the user terminal device 100 in this embodiment, the content and usage of the service indicated by the usage history information 610 for the hash value calculated based on the history identification information 614 and the received hash value 625 match. Since the reliability determination unit 151 determines whether or not the content of the service indicated by the record information 620 matches, other users do not know the correspondence between the record identification information 624 and the use record information 620. The personal information can be protected.

Embodiment 6 FIG.
The sixth embodiment will be described with reference to FIGS.
Since the overall configuration of the history service providing system 800 and the hardware configuration of the user terminal device 100 and the service providing device 810 in this embodiment are the same as those described in the first embodiment, description thereof is omitted here.
In addition, since the functional block configuration of the user terminal device 100 in this embodiment is the same as that described in the fourth embodiment, description thereof is omitted here.

FIG. 21 is a diagram illustrating an example of the usage history information 610 received by the usage history reception unit 112 and stored in the usage history storage unit 121 in this embodiment.
Note that portions common to the usage record information 620 described with reference to FIG. 13 in Embodiment 3 are denoted by the same reference numerals, and description thereof is omitted here.

The usage history receiving unit 112 receives the usage history information 610 transmitted from the service providing device 810 using the communication device 915.
The use history information 610 received by the use history receiving unit 112 includes a service encryption key 616.
The usage history receiving unit 112 outputs the received usage history information 610 using a processing device such as the CPU 911. The usage history information 610 output from the usage history receiving unit 112 includes the received service encryption key 616. The usage history receiving unit 112 outputs the received service encryption key 616 together with the usage history information 610.

  The service encryption key 616 is different for each type of service content used. In this example, the type of service content is different for each purchased product, and the service encryption key 616 is different for each product. For example, the service encryption key 616 of “product A” is “3565”, and the service encryption key 616 of “product B” is “8431”.

The usage history storage unit 121 inputs the usage history information 610 and the service encryption key 616 output from the usage history reception unit 112 using a processing device such as the CPU 911.
The usage history storage unit 121 stores the input usage history information 610 and the service encryption key 616 using a storage device such as a memory.
In this example, the usage history storage unit 121 stores the usage history information 610 and the service encryption key 616 separately. However, the usage history information may be stored together in the format of the received usage history information 610.

The service encryption key 616 differs depending on the type of service content. When a service is used, the service providing apparatus 810 transmits the service used to the user terminal apparatus 100 together with usage history information 610 that records the used service.
In this example, since the user has purchased “product A”, “product B”, “product C”, and “product D”, the usage history storage unit 121 stores the service encryption key 616 for these products. ing. Since the user has not purchased any other products, the usage history storage unit 121 does not store the service encryption key 616 for the other products.

  FIG. 22 is a diagram showing an example of the encrypted record information 640 received by the usage record receiving unit 111 in this embodiment.

The usage record receiving unit 111 receives the encrypted record information 640 transmitted by the service providing apparatus 810 using the communication apparatus 915.
The encrypted record information 640 is obtained by encrypting the use record information 620 by the service providing apparatus 810.
In this example, of the usage record information 620, the purchase quantity 622 is encrypted to be the encrypted purchase quantity 642, and the encrypted record information 640 is obtained, and the other parts are not encrypted. However, other parts may be encrypted.

The service providing apparatus 810 uses a processing device such as the CPU 911 to encrypt the usage record information 620 with the service encryption key 616 corresponding to the type of service content recorded by the usage record information 620.
In this example, since the type of service content is different for each purchased product, a plurality of types of services are recorded in one usage record information 620. Therefore, encryption is performed with a different service encryption key 616 for each service type to obtain encrypted recording information 640.
That is, the purchase number 622 of “product A” is encrypted with the service encryption key 616 of “product A” to be an encrypted purchase number 642, and the purchase number 622 of “product B” is the service encryption key 616 of “product B”. Encryption is performed to obtain an encryption purchase number 642.

In this example, the service providing device 810 calculates the encrypted purchase number 642 by using a processing device such as the CPU 911 and multiplying the service encryption key 616 by a random integer and adding the purchase number 622. For example, the service providing apparatus 810 uses a processing apparatus such as the CPU 911 to multiply the service encryption key 616 “3563” of “product A” by a random integer “267”, add the purchased number 622 “1”, and The number of purchases 642 “951322” is calculated.
The encryption method is not as simple as this, and a more advanced method may be used.

The usage record receiving unit 111 inputs the service encryption key 616 stored in the usage history storage unit 121 using a processing device such as the CPU 911.
The usage record receiving unit 111 uses the processing device such as the CPU 911 to decrypt the received encrypted recording information 640 with the input service encryption key 616 to obtain the usage recording information 620.
The usage record receiving unit 111 outputs the acquired usage record information 620 using a processing device such as the CPU 911.

  In this example, the usage record receiving unit 111 calculates the purchase number 622 by obtaining a remainder obtained by dividing the encrypted purchase number 642 by the service encryption key 616 using a processing device such as the CPU 911. For example, the usage record receiving unit 111 uses a processing device such as the CPU 911 to input the service encryption key 616 “3563” for “product A” stored in the usage history storage unit 121, and the encryption for “product A”. The remainder obtained by dividing the total purchase quantity 642 “951322” by “3463” is calculated, and the purchase quantity 622 “1” is acquired.

  Among the usage record information 620 received by the usage record receiving unit 111, there is information about “product E”. However, since the user possessing the user terminal device 100 has never purchased “product E”, the usage history storage unit 121 does not store the service encryption key 616 for “product E”. Therefore, the usage record receiver 111 cannot decrypt the encrypted purchase quantity 642 for “product E”.

  The user terminal device 100 uses the usage record information 620 output from the usage record reception unit 111 so that the anonymous history determination unit 130 determines the anonymity of the information. Further, the reliability determination unit 151 is also used for verifying the reliability of the usage record information 620.

Anonymity history discriminating unit 130 determines the anonymity of information, for example, is it difficult to identify a user even if information about a product that the user has purchased is transmitted to service providing device 810? This is for making determination and generating anonymous history information 630.
Therefore, it is not necessary to determine anonymity for services that have not been used by the user. For example, even if the information about “product E” that has not been purchased by the user can be acquired, the anonymous history determination unit 130 can generate the anonymous history information 630.

When the reliability judgment unit 151 verifies the reliability of the usage record information 620, the usage record information 620 is compared with the user's own usage history information 610 stored in the usage history storage unit 121 to determine whether the usage record information 620 has been altered. Investigate.
The usage record information 620 including information about services that the user has not used cannot be the user's own usage history information 610. Therefore, even if the usage record information 620 cannot be obtained, the reliability determination unit 151 can verify the reliability of the usage record information 620.

  That is, the usage record information 620 for services that have not been used by the user is essentially unnecessary. However, since the service providing apparatus 810 cannot identify the user and does not know that the user has never used the service, the service providing apparatus 810 also transmits unnecessary information.

For example, if there is a rival store clerk among users, if the usage record information 620 for all products is known, the best-selling products of the store can be known, which may be disadvantageous in terms of business.
According to the history service providing system 800 in this embodiment, the usage record information 620 for a service that has not been used by the user cannot be acquired by the user terminal device 100. To avoid leakage of trade secrets.

FIG. 23 is a diagram showing another example of the usage record information 620 received by the usage record receiver 111 in this embodiment.
In this example, the encrypted record information 640 includes the encrypted purchase quantity 642 for all products. The encrypted purchase quantity 642 is, for example, arranged in the order of product codes, and is “Product A”, “Product B”, “Product C”, “Product D”, and “Product E” in order from the left.

The service providing apparatus 810 encrypts the usage record information 620 using a processing device such as the CPU 911 to generate the encrypted record information 640. For a service that is not used in the usage record information 620, information indicating that the service is not used is encrypted and included in the encrypted record information 640. For example, if “Product A” has not been purchased, the purchase quantity 622 is set to “0”, and this is encrypted to obtain an encrypted purchase quantity 642.
Thus, if the encrypted purchase number 642 cannot be decrypted, it is not only possible to know whether the product has been sold, or whether it has been sold or not.

  The service providing apparatus 810 generates encrypted recording information 640 of such a format and transmits it to the user terminal apparatus 100, so that the trade secret can be more strongly protected, which is preferable.

The user terminal device 100 (terminal device) in this embodiment further includes:
When the user possessing the user terminal device 100 uses the communication device 915 to use the service content, the service providing device 810 (server device) records usage record information 620 that records the service content used. The encryption key corresponding to the type of service content is received, the received usage record information 620 is output as usage history information 610 using a processing device such as the CPU 911, and the received encryption key is output as the service encryption key 616. Use history receiving unit 112,
Usage history storage unit 121
The usage history information 610 and the service encryption key 616 output from the usage history receiving unit 112 are input using a processing device such as the CPU 911, and the input usage history information 610 and the service encryption key are input using a storage device such as a memory. 616,
Usage record receiver 111
Using the communication device 915, a plurality of encrypted record information 640 obtained by encrypting a plurality of usage record information 620 from the service providing device 810 with a different encryption key for each type of service content recorded by the usage record information 620. The service encryption key 616 received by the usage history storage unit 121 is input using a processing device such as the CPU 911, and a plurality of received encrypted recording information 640 is input using the processing device such as the CPU 911. A plurality of usage record information 620 is obtained by decryption with each of the service encryption keys 616, and the obtained plurality of usage record information 620 is output using a processing device such as a CPU 911.

  According to the user terminal device 100 in this embodiment, the usage history storage unit 121 stores the service encryption key 616 for the type of service content that has been used, and the type of service content that has not been used. Since the service encryption key 616 is not stored, the usage record reception unit 111 can obtain only the usage record information 620 by decrypting only the encrypted record information 640 for the type of service content that has been used. In addition, since the user terminal device 100 cannot obtain information unnecessary for the reliability determination / anonymity determination, there is an effect that unnecessary leakage of the usage record information 620 can be prevented.

  Thereby, the information which the user can know among the information regarding the history acquired from the store is only the information regarding the product purchased by the user in the past, and the purchase information of other users is protected.

  In this embodiment, the record identification information 624 is used as information for identifying the encrypted record information 640. However, the hash value 625 described in the fifth embodiment may be used.

Embodiment 7 FIG.
A seventh embodiment will be described with reference to FIGS.
Since the overall configuration of the history service providing system 800 and the hardware configuration of the user terminal device 100 and the service providing device 810 in this embodiment are the same as those described in the first embodiment, description thereof is omitted here.
In addition, since the functional block configuration of the user terminal device 100 in this embodiment is the same as that described in the fourth embodiment, description thereof is omitted here.

FIG. 24 is a diagram illustrating an example of the usage history information 610 received by the usage history receiving unit 112 and stored in the usage history storage unit 121 in this embodiment.
Note that portions common to the usage history information 610 described with reference to FIG. 13 in Embodiment 3 are denoted by the same reference numerals, and description thereof is omitted here.

The usage history receiving unit 112 receives the usage history information 610 transmitted from the service providing device 810 using the communication device 915.
The usage history information 610 received by the usage history receiving unit 112 includes a history encryption key 617.
The usage history receiving unit 112 outputs the received usage history information 610 using a processing device such as the CPU 911. The usage history information 610 output by the usage history receiving unit 112 includes the received history encryption key 617. The usage history receiving unit 112 outputs the received history encryption key 617 together with the usage history information 610.

  The history encryption key 617 is an encryption key corresponding to the usage history information 610. The history encryption key 617 differs for each usage history information 610.

The usage history storage unit 121 inputs the usage history information 610 and the history encryption key 617 output by the usage history reception unit 112 using a processing device such as the CPU 911.
The usage history storage unit 121 stores the input usage history information 610 and the history encryption key 617 using a storage device such as a memory.

When the user uses the service, the service providing apparatus 810 uses the processing apparatus such as the CPU 911 to generate usage history information 610 that records the contents of the used service. The service providing apparatus 810 transmits the generated usage history information 610 to the user terminal apparatus 100 using the communication apparatus 915.
The service providing apparatus 810 further generates a history encryption key 617 corresponding to the usage history information 610 using a processing device such as the CPU 911. The service providing device 810 transmits the generated history encryption key 617 together with the usage history information 610 to the user terminal device 100 using the communication device 915.
The service providing apparatus 810 stores the use history information 610 and the history encryption key 617 as the use record information 620 and the record encryption key 627 using a storage device such as the magnetic disk device 920.

  The history encryption key 617 (recording encryption key 627) is not generated by the service providing device 810 and transmitted to the user terminal device 100 together with the usage history information 610 in this way. It is good also as producing | generating and transmitting with respect to the service provision apparatus 810. FIG. Alternatively, the encryption key used for communication between the user terminal device 100 and the service providing device 810 with the use of this service is reused as the history encryption key 617 (recording encryption key 627), and the user The terminal device 100 and the service providing device 810 may store them.

FIG. 25 is a diagram showing an example of the encrypted record information 640 and the encrypted encryption key 650 received by the usage record receiver 111 in this embodiment.
Note that portions common to the encrypted recording information 640 described with reference to FIG. 23 in Embodiment 6 are denoted by the same reference numerals, and description thereof is omitted here.

The encrypted record information 640 is substantially the same as the encrypted record information 640 described with reference to FIG. 23 in the sixth embodiment. The difference is that the order of the encrypted purchase number 642 is not in the order of the product code.
The service providing device 810 uses a processing device such as the CPU 911 to generate a random order, and arranges the encrypted purchase quantity 642 in the generated order as the encrypted recording information 640.
The order of the encryption purchase number 642 is the same order among the encrypted record information 640 transmitted at a time. When it is transmitted next time or transmitted to another user terminal device 100, the order is different.

In addition to the encrypted record information 640, the service providing apparatus 810 transmits a list composed of pairs of the record identification information 624 and the encrypted encryption key 650 to the user terminal device 100.
The encryption encryption key 650 is the encryption key 627 corresponding to the use record information 620 for the encryption record information 640 obtained by encrypting the use record information 620 identified by each record identification information 624. It is encrypted.
The service providing apparatus 810 transmits the same number of encrypted encryption keys 650 as the encrypted record information 640 transmitted to the user terminal apparatus 100 to the user terminal apparatus 100. Each encryption encryption key 650 corresponds to each encryption record information 640.

  In this example, the record identification information 624 is attached to both the encrypted record information 640 and the encrypted encryption key 650 to clarify the correspondence, but the hash value 625 described in the fifth embodiment is used. May be added instead of the record identification information 624. In that case, either the encrypted record information 640 or the encrypted encryption key 650 is attached with the record identification information 624, and the other is attached with the hash value 625, so that the encrypted record information 640 and the encrypted encryption key 650 are It is preferable not to know the correspondence. Further, the order of the encryption record information 640 and the order of the encryption encryption key 650 are made random and different orders. In addition, when the hash value 625 is attached to the encrypted record information 640 and the encrypted encryption key 650, a different hash function 625 is used so that a different hash value 625 is attached. And the encryption encryption key 650 are not understood.

The usage record reception unit 111 receives the encrypted record information 640 and the encrypted encryption key 650 transmitted from the service providing apparatus 810 using the communication apparatus 915.
The usage record receiving unit 111 inputs the history encryption key 617 stored in the usage history storage unit 121 using a processing device such as the CPU 911.
Using the processing device such as the CPU 911, the usage record receiving unit 111 uses the encryption encryption key 650 attached with the record identification information 624 that matches the history identification information 614 of the usage history information 610 to which the history encryption key 617 corresponds, Decrypt with the history encryption key 617.

  The usage history storage unit 121 stores a recording encryption key 627 corresponding to the usage record information 620 that records the service used by the user who owns the user terminal device 100 as the history encryption key 617. The encrypted encryption key 650 to which the record identification information 624 that matches the history identification information 614 of the usage history information 610 can be decrypted. However, since the recording encryption key 627 for the usage record information 620 recording the service used by another user is not stored, the other encryption encryption key 650 cannot be decrypted.

The usage record receiving unit 111 uses a processing device such as the CPU 911 to decrypt the encryption encryption key 650 with the history encryption key 617 and obtain a list including the product code 651, the position 652, and the service encryption key 656.
The product code 651 is the same as the product code 621 recorded in the corresponding usage record information 620.
The position 652 is information indicating the position of the encrypted purchase number 642 corresponding to the product code 651 in the encrypted record information 640.
The service encryption key 656 is an encryption key necessary for decrypting the encryption purchase number 642.

  In addition, it is preferable to use information uniquely generated by the service providing apparatus 810 instead of information that is disclosed as information indicated by a barcode attached to the product as the product code. Then, the user terminal device 100 can know the product code of the product that has been purchased based on the usage history information 610, but cannot know the product code of the product that has not been purchased.

In this example, the encrypted purchase number 642 for “product A” is positioned at the “third” in the encrypted record information 640, and the encryption key for decrypting it is “3563”. .
The usage record information 620 identified by the record identification information 624 “0576” stores that the user has purchased “product A”, “product B”, and “product D”, so the record identification information 624 “0576” is stored. When the encrypted encryption key 650 corresponding to “product A” is decrypted, the usage record receiver 111 can obtain the position 652 and the service encryption key 656 for “product A”, “product B”, and “product D”.
When the encrypted encryption key 650 corresponding to the record identification information 624 “1085” is decrypted, the usage record receiver 111 can obtain the position 652 and the service encryption key 656 for “product A” and “product C”.

  In this way, the usage record receiver 111 acquires the position 652 and the service encryption key 656 for all the products that have been purchased. However, since the encryption encryption key 650 cannot be decrypted for a product that has not been purchased, the position 652 and the service encryption key 656 cannot be acquired.

The usage record receiving unit 111 uses the processing device such as the CPU 911 to decrypt the encrypted purchase number 642 with the acquired service encryption key 656 and obtain the purchase number 622.
The usage record receiving unit 111 outputs the usage record information 620 obtained by decoding using a processing device such as the CPU 911.

In the sixth embodiment, one service content type is always encrypted with the same service encryption key.
However, it is preferable to change the encryption key frequently because it becomes difficult to decrypt.
In this embodiment, the service encryption key 656 is changed every time the encrypted record information 640 is transmitted, thereby making it difficult to decrypt the encryption.

FIG. 26 is a flowchart showing an example of the flow of usage record transmission processing in which the service providing apparatus 810 in this embodiment transmits encrypted record information 640.
The usage record transmission process is a process corresponding to S11 of FIG.

In S <b> 71, the service providing apparatus 810 generates a service encryption key 656 for each product at random using a processing apparatus such as the CPU 911.
In addition, the service providing apparatus 810 randomly generates an order in which the encrypted purchase number 642 is arranged in the usage record information 620 using a processing apparatus such as the CPU 911.

In step S <b> 72, the service providing apparatus 810 reads the usage record information 620 identified by the record identification information 624 received from the user terminal apparatus 100 from the storage device such as the magnetic disk device 920 using a processing device such as the CPU 911. .
Using the processing device such as the CPU 911, the service providing apparatus 810 encrypts the purchase quantity 622 included in the read usage record information 620 with the service encryption key 656 generated in S71 for the product, and obtains the encrypted purchase quantity 642. Generate.
The service providing apparatus 810 uses the processing apparatus such as the CPU 911 to arrange the generated encrypted purchase quantity 642 in the order generated in S71 and generate the encrypted record information 640.

In S73, the service providing apparatus 810 reads the recording encryption key 627 corresponding to the usage record information 620 read in S72 from a storage device such as the magnetic disk device 920 using a processing device such as the CPU 911.
The service providing apparatus 810 uses the processing apparatus such as the CPU 911 to read the service encryption key 656 generated in S71 for the product recorded as purchased in the usage record information 620 read in S72, and the read record encryption key 627. To generate an encrypted encryption key 650.

  In S74, the service providing apparatus 810 uses the communication apparatus 915 to transmit the encrypted recording information 640 generated in S72 and the encrypted encryption key 650 generated in S73 to the user terminal apparatus 100.

  FIG. 27 is a flowchart showing an example of the flow of usage record reception processing in which the usage record receiving unit 111 in this embodiment receives and decrypts the encrypted record information 640.

  In step S <b> 81, the usage record receiving unit 111 receives the encrypted record information 640 and the encrypted encryption key 650 transmitted from the service providing apparatus 810 using the communication apparatus 915.

In S <b> 82, the usage record receiving unit 111 uses a processing device such as the CPU 911 to select the history encryption key corresponding to the encrypted encryption key 650 received in S <b> 81 from the history encryption key 617 stored in the usage history storage unit 121. 617 is extracted.
The usage record receiving unit 111 uses a processing device such as the CPU 911 to decrypt the encrypted encryption key 650 received in S81 with the extracted history encryption key 617, and obtains the product code 651, the position 652, and the service encryption key 656. To do.

In S83, the usage record receiving unit 111 uses the processing device such as the CPU 911, and out of the encrypted purchase number 642 included in the usage record information 620 received in S81, the encrypted purchase number at the position 652 acquired in S82. 642 is decrypted with the service encryption key 656 acquired in S82, and the purchase quantity 622 is acquired.
The usage record receiving unit 111 generates usage record information 620 from the product code 651 acquired in S82 and the acquired purchase quantity 622 using a processing device such as the CPU 911.

  In S <b> 84, the usage record receiving unit 111 outputs the usage record information 620 generated in S <b> 83 using a processing device such as the CPU 911.

In this way, by performing the two-stage encryption process, the service encryption key 656 can be changed every time, and the encryption can be made difficult to be decrypted.
Further, by changing the position of the encryption purchase number 642 in the encryption record information 640 every time, it is possible to make the encryption more difficult to decipher.

The user terminal device 100 (terminal device) in this embodiment further includes:
When the user possessing the user terminal device 100 uses the communication device 915 to use the service content, the service providing device 810 (server device) records usage record information 620 that records the service content used. The encryption key corresponding to the usage record information 620 is received, the received usage record information 620 is output as the usage history information 610 using a processing device such as the CPU 911, and the received encryption key is output as the history encryption key 617. A usage history receiver 112;
Usage history storage unit 121
The usage history information 610 and the history encryption key 617 output from the usage history receiving unit 112 are input using a processing device such as the CPU 911, and the input usage history information 610 and the history encryption key are input using a storage device such as a memory. 617,
Usage record receiver 111
Using the communication device 915, a plurality of encrypted record information obtained by encrypting a plurality of usage record information 620 from the service providing device 810 with different service encryption keys 656 for each type of service content recorded by the usage record information 620. 640 and a plurality of encrypted encryption keys 650 obtained by encrypting the service encryption key 656 corresponding to the type of service content recorded in the usage record information 620 with the recording encryption key 627 corresponding to the usage record information 620, respectively. The history encryption key 617 stored in the usage history storage unit 121 is input using a processing device such as the CPU 911, and at least one of the received plurality of encrypted encryption keys 650 is processed using the processing device such as the CPU 911. The service encryption key 656 is obtained by decrypting with the input history encryption key 617, and a processing device such as the CPU 911 is installed. The plurality of received encrypted record information 640 is decrypted with the acquired service encryption key 656, respectively, and a plurality of usage record information 620 is acquired. Using the processing device such as the CPU 911, the plurality of acquired usage records are acquired. Information 620 is output.

  According to the user terminal device 100 in this embodiment, the encrypted record received by the usage record receiving unit 111 with the service encryption key 656 obtained by decrypting the encrypted encryption key 650 received by the usage record receiving unit 111. Since the information 640 is decrypted, the service encryption key 656 can be changed every time, and the encryption can be made difficult to be decrypted.

Embodiment 8 FIG.
The eighth embodiment will be described with reference to FIGS.
Since the overall configuration of the history service providing system 800 and the hardware configuration of the user terminal device 100 and the service providing device 810 in this embodiment are the same as those described in the first embodiment, description thereof is omitted here.
In addition, since the functional block configuration of the user terminal device 100 in this embodiment is the same as that described in the fourth embodiment, description thereof is omitted here.

  The storage device of the user terminal device 100 stores a program such as a service use program. The service use program is a program that performs processing for using the history service. The processing device such as the CPU 911 of the user terminal device 100 executes the service use program, whereby the functional blocks of the user terminal device 100 are realized.

The storage device of the UIM 210 of the user terminal device 100 stores data such as a service usage record group and user specific rate setting information.
The service usage record group is usage history information 610 stored in the usage history storage unit 121. The service usage record group is a collection of purchase information of products purchased by the user, and is added each time the user purchases a product.
The user identification rate setting information is information indicating a threshold value to be compared with the user identification rate so that the anonymity determination unit 131 determines anonymity. The user identification rate setting information is information describing the probability (user identification rate) that the store can identify the user from the purchase information included in the history. It is determined using this value whether information is included in the history (anonymous history information 630).

FIG. 28 is a block configuration diagram showing an example of a functional block configuration of the service providing apparatus 810 in this embodiment.
The service providing apparatus 810 includes a usage history generation unit 821, a usage history transmission unit 822, a usage record storage unit 823, a record identification transmission unit 824, a selection identification reception unit 825, a transmission usage record generation unit 826, a usage record transmission unit 827, and an anonymity. A history receiving unit 831, a service information storage unit 832, a service information selection unit 833, a service information transmission unit 834, a secret key storage unit 841, a certificate storage unit 842 are included.
The functional blocks of the service providing apparatus 810 described below are realized by a processing apparatus such as the CPU 911 of the service providing apparatus 810 executing a service providing program stored in a storage device such as the magnetic disk device 920 of the service providing apparatus 810. To do.
The service providing program is a program that performs processing for providing a history service.

When the user uses the service, the usage history generation unit 821 uses the processing device such as the CPU 911 to input information about the service used by the user and records usage history information 610 for recording as a history. Generate.
The usage history generation unit 821 outputs the generated usage history information 610 using a processing device such as the CPU 911.
For example, the usage history generation unit 821 inputs information by communicating with a cash register in a store, and generates usage history information 610.

The usage history transmission unit 822 inputs the usage history information 610 output from the usage history generation unit 821 using a processing device such as the CPU 911.
The usage history transmission unit 822 uses the communication device 915 to transmit the input usage history information 610 to the user terminal device 100 possessed by the user.

The usage record storage unit 823 receives the usage history information 610 output from the usage history generation unit 821 using a processing device such as the CPU 911.
The usage record storage unit 823 stores the input usage history information 610 as usage record information 620 using a storage device such as the magnetic disk device 920.

The usage history information 610 generated by the usage history generation unit 821 does not include information (such as a user fixed ID (Identifier) or the device number of the user terminal device 100) that can identify the user.
The usage history information 610 is individually generated every time the user uses the service, and the usage record storage unit 823 accumulates it as the usage record information 620. The usage record information 620 stored in the usage record storage unit 823 is added and increased every time the user uses the service.

  Since the usage record information 620 does not include information that can identify the user, the service providing apparatus 810 is the usage record information 620 stored in the usage record storage unit 823, which is the same user. Yes, it is not possible to determine which one belongs to a different user.

  Hereinafter, each of the usage record information 620 stored in the usage record storage unit 823 is referred to as service usage record information, and the entire usage record information 620 stored in the usage record storage unit 823 is referred to as a service usage record information group.

The record identification transmission unit 824 inputs record identification information 624 for identifying the usage record information 620 for all the usage record information 620 stored by the usage record storage unit 823 using a processing device such as the CPU 911.
The record identification transmitting unit 824 transmits the input record identification information 624 to the user terminal device 100 using the communication device 915.
In this example, the ID number included in the service use record information is used as the record identification information 624.

The selection identification receiving unit 825 receives the selection identification information transmitted from the user terminal device 100 using the communication device 915.
The selection identification receiving unit 825 outputs the received selection identification information using a processing device such as the CPU 911.
The selection identification information is information indicating the record identification information 624 selected by the user terminal device 100 from the record identification information 624 transmitted by the record identification transmission unit 824.

The transmission use record generation unit 826 inputs the selection identification information output by the selection identification reception unit 825 using a processing device such as the CPU 911.
The transmission use record generation unit 826 uses a processing device such as the CPU 911 to record the record selected by the user terminal device 100 based on the input selection identification information among the use record information 620 stored by the use record storage unit 823. The usage record information 620 identified by the identification information 624 is input.
The transmission usage record generation unit 826 generates a transmission usage record information by performing processing such as encryption on the input usage record information 620 using a processing device such as the CPU 911.
The transmission usage record generation unit 826 outputs the generated transmission usage record information using a processing device such as the CPU 911.

In addition, when the user terminal device 100 selects too much record identification information 624, the user terminal device 100 acquires information more than information necessary for generating the anonymous history information 630 from the transmission use record information. There is a possibility.
Therefore, for example, an upper limit may be provided for the number of record identification information 624 that can be selected. That is, the transmission use record generation unit 826 counts the number of record identification information 624 selected by the user terminal device 100 using a processing device such as the CPU 911. Using the processing device such as the CPU 911, the transmission usage record generation unit 826 compares the number of the recorded identification information 624 with a predetermined threshold, and the number of the recording identification information 624 selected by the user terminal device 100 is appropriate. It is judged whether it is (it is not too much). Only when it is determined that the number of record identification information 624 selected by the user terminal device 100 is appropriate, the transmission usage record generation unit 826 generates transmission usage record information using a processing device such as the CPU 911 and uses it. If it is determined that the number of record identification information 624 selected by the person terminal device 100 is not appropriate (too many), the transmission usage record generation unit 826 does not generate transmission usage record information.
Thereby, for example, when a salesclerk of a rival store searches for a hot selling product and tries to obtain usage record information for a purpose other than using the history service, it is possible to prevent the information from leaking.

The usage record transmission unit 827 inputs the transmission usage record information output by the transmission usage record generation unit 826 using a processing device such as the CPU 911.
The usage record transmission unit 827 transmits the input transmission usage record information to the user terminal device 100 using the communication device 915.

The anonymous history receiving unit 831 receives the anonymous history information 630 transmitted by the user terminal device 100 using the communication device 915.
The anonymous history receiving unit 831 outputs the received anonymous history information 630 using a processing device such as the CPU 911.
The anonymous history information 630 is information indicating a history of a user's use of the service in the past, and is generated and transmitted by the user terminal device 100. The user terminal device 100 receives and stores the usage history information 610 transmitted by the usage history transmission unit 822, whereby the usage history information on the use of the service by the user who owns the user terminal device 100 is stored. All 610 are stored. Based on the transmission usage record information transmitted by the usage record transmission unit 827, the user terminal device 100 discriminates information that is difficult to identify the user from the stored usage history information 610 and generates anonymous history information 630. .

The service information storage unit 832 stores service information using a storage device such as the magnetic disk device 920.
Service information is information about services to be provided to users. For example, product discount information.

The service information selection unit 833 inputs the anonymous history information 630 output by the anonymous history reception unit 831 using a processing device such as the CPU 911.
The service information selection unit 833 uses a processing device such as the CPU 911 to select service information that would be useful to the user based on the input anonymous history information 630 among the service information stored in the service information storage unit 832. Select and enter.
The service information selection unit 833 outputs the input service information using a processing device such as the CPU 911.

The service information transmission unit 834 receives the service information output from the service information selection unit 833 using a processing device such as the CPU 911.
The service information transmission unit 834 transmits the input service information to the user terminal device 100 using the communication device 915.
The user terminal device 100 receives the service information transmitted by the service information transmission unit 834 and displays it on the display device 901 to notify the user.

  The service information includes information about each of a large number of products handled by the store. Since the user is not necessarily interested in all the products handled by the store, it is annoying even if all service information is transmitted. Even if there is discount information about a product you want to buy, there is a risk that it will be buried in other unnecessary information and missed.

Therefore, the service information selection unit 833 determines, for example, a product that the user has purchased in the past based on the anonymous history information 630, and selects service information about the product or a product related to the product. To do.
Thereby, the user can see only carefully selected information, and there is no worry of missing useful information.

The secret key storage unit 841 stores the secret key of the service provider using a storage device such as the magnetic disk device 920.
The service provider's private key is a secret key in the public key cryptosystem used for the service providing apparatus 810 to communicate with the user terminal apparatus 100, and is stored so that the service providing apparatus 810 is not known to others. It is what.

The certificate storage unit 842 stores the public key certificate using a storage device such as the magnetic disk device 920.
The public key certificate is a public key encryption method used for the service providing apparatus 810 to communicate with the user terminal apparatus 100, and the public key paired with the private key stored in the private key storage unit 841 is really the service. This is information that proves that it is paired with the secret key of the providing apparatus 810.
The public key certificate includes information indicating a public key paired with the private key of the service providing apparatus 810, and is issued by the certificate issuing organization or the store itself.

FIG. 29 is a diagram showing an example of the service use record information group 710 stored in the use record storage unit 823 in this embodiment.
The service usage record information group 710 includes one or more service usage record information 711.
The service usage record information 711 includes an ID number 712, a common key 713, a service usage record 714, and the like.
The ID number 712 is information indicating a variable anonymous ID used by the user when using a service such as product purchase. The ID number 712 is an example of the record identification information 624.
The common key 713 is information indicating a common key encryption key used for encrypting communication with the user when using a service such as product purchase.
The service usage record 714 is information that records service usage such as product purchase, and includes a product code, the number, the purchase time, and the like.
For example, in the service use record information of ID number 712 “ID1”, the common key used for the communication at that time is “common key 1”, and the product purchased at that time is “product 3”, “ It is recorded that “Product B is 1” and the purchase time is “January 15 10:30”.
Similarly, in the service use record information of ID number 712 “ID2”, the common key is “common key 2”, the purchased product is “two products A”, “one product C”, “two products D”. ", The purchase time is recorded as" January 15 14:15 ".

  The ID number 712 is used when the service is used only once, and a different ID number 712 is used when the service is used next time. Therefore, the service providing apparatus 810 cannot identify the user from the ID number 712.

  Note that the product code included in the service usage record 714 is not publicly disclosed information such as the information indicated by the barcode attached to the product, but private information generated by the service providing apparatus 810 independently.

The service providing apparatus 810 may analyze the service usage record information 711 to determine the best selling product for each time zone or season, or may determine the purchase tendency of the user from the products purchased by the user at the same time. Can be used for management strategy.
In addition, since the service providing apparatus 810 cannot identify the user from the service use record information 711, the user can use the service with peace of mind.

  FIG. 30 is a flowchart showing the overall flow of the history service providing process in which the history service providing system 800 in this embodiment provides the history service.

  First, the user registers to use the history service. For example, the user downloads a service use program and stores it in the user terminal device 100. Thus, preparation for using the history service is completed.

Next, the user visits the store with the user terminal device 100 storing the service use program.
The history service providing system 800 detects the visit of the user by a sensor terminal installed at the entrance of the store.
The service providing device 810 establishes communication with the user terminal device 100 (communication establishment process).

Service information is sent to the user terminal device 100 by communication between the service providing device 810 and the user terminal device 100. The service information is provided to the user by the user terminal device 100 displaying the service information on the display device 901 (information providing process).
The user purchases a product with reference to the provided service information.
The service providing apparatus 810 generates and stores service usage record information indicating products purchased by the user. The service providing apparatus 810 transmits the generated service use record information to the user terminal apparatus 100, and the user terminal apparatus 100 also stores the service use record information (use record process).

  When the user returns, the service providing apparatus 810 disconnects the communication with the user terminal apparatus 100, and one use ends (communication disconnection process).

  The same processing is performed when the user next visits the store. Since the service providing apparatus 810 does not have information that can identify the user, it cannot be distinguished whether the same user has visited the store again or a different user has visited the store.

  Next, details of each process will be described.

  FIG. 31 is a flowchart showing an example of the flow of communication establishment processing in which the history service providing system 800 in this embodiment establishes communication between the user terminal device 100 and the service providing device 810.

  When the service providing device 810 detects the visit of the user at T11, the service providing device 810 uses the communication device 915 to store the public key certificate stored in the certificate storage unit 842 with respect to the user terminal device 100. Send.

In T <b> 12, the user terminal device 100 receives the public key certificate transmitted from the service providing device 810 using the communication device 915.
The user terminal device 100 verifies the received public key certificate using a processing device such as the CPU 911 and authenticates the service providing device 810.

When the authentication is successful, at T13, the user terminal device 100 randomly generates a common key used for the current communication using a processing device such as the CPU 911.
The user terminal device 100 uses a processing device such as the CPU 911 to encrypt the generated common key with the public key of the service providing device 810 included in the public key certificate of the service providing device 810.
The user terminal device 100 transmits the encrypted common key to the service providing device 810 using the communication device 915.

In T14, the service providing apparatus 810 uses the communication apparatus 915 to receive the encrypted common key transmitted from the user terminal apparatus 100.
The service providing apparatus 810 uses a processing device such as the CPU 911 to decrypt the received encrypted common key with the secret key stored in the secret key storage unit 841 and obtain the common key.

  Through this procedure, the user terminal device 100 and the service providing device 810 share a shared key, and communication encrypted with the shared key is established. Thereafter, until the communication is disconnected, communication between the user terminal device 100 and the service providing device 810 is performed by communication encrypted with the shared key.

The shared key is randomly generated by the user terminal device 100 each time, and there is no relationship between the shared key used for the current service use and the shared key used for the next service use. Therefore, the service providing apparatus 810 cannot specify the user terminal apparatus 100 and the user based on the shared key.
In addition, information that can identify the user terminal device 100 such as a public key of the user terminal device 100 is not transmitted to the service providing device 810 in the process of establishing communication. Therefore, the service providing apparatus 810 cannot specify the user terminal apparatus 100 and the user based on the information obtained by the communication establishment process.

When there are a plurality of user terminal devices 100 in the store, the service providing device 810 distinguishes the user terminal devices 100 by the shared key. Therefore, the one-to-one communication between the service providing apparatus 810 and the user terminal apparatus 100 can be normally performed without the service providing apparatus 810 specifying the user terminal apparatus 100.
There is almost no possibility that the shared keys will collide, but in the event of a collision, the service providing apparatus 810 may disconnect the communication and restart the communication establishment process from the beginning.

  Note that a general method such as the method described in Non-Patent Document 2 may be used as the authentication method / common key sharing method in the communication establishment process.

In T15, the user terminal device 100 randomly generates an anonymous ID for identifying the current service use, using a processing device such as the CPU 911.
The user terminal device 100 transmits the generated anonymous ID to the service providing device 810 using the communication device 915.

  The anonymous ID is information for identifying the user terminal device 100 only during the current service use. The anonymous ID is randomly generated by the user terminal device 100 each time, and there is no relevance between the anonymous ID used for the current service use and the anonymous ID used for the next service use. Therefore, the service providing apparatus 810 can identify the user terminal apparatus 100 based on the anonymous ID during the current service use, but thereafter specifies the user terminal apparatus 100 and the user based on the anonymous ID. It is not possible.

  The anonymous ID is also used as an ID number 712 that identifies the service usage record information 711 in the service usage record information group 710 stored in the usage record storage unit 823 when the current service usage is recorded as service usage record information. use.

In T16, the service providing apparatus 810 uses the communication apparatus 915 to receive the anonymous ID transmitted by the user terminal apparatus 100.
The service providing device 810 inputs the ID number 712 of the service usage record information 711 stored in the usage record storage unit 823 using a processing device such as the CPU 911.
The service providing apparatus 810 uses a processing apparatus such as the CPU 911 to determine whether the input ID number 712 is identical to the received anonymous ID.

When the same ID number 712 already exists (anonymous ID collision), the service providing apparatus 810 uses the communication apparatus 915 to transmit information notifying the user terminal apparatus 100 of this.
The user terminal device 100 receives this using the communication device 915, generates another anonymous ID using a processing device such as the CPU 911, and transmits it to the service providing device 810 using the communication device 915.

  When there is no identical ID number 712, at T17, the service providing apparatus 810 uses the communication apparatus 915 to transmit information notifying the user terminal apparatus 100 of this, and communication using the anonymous ID is established. . Thereafter, until the communication is disconnected, the user terminal device 100 uses the anonymous ID as information for identifying the service providing device 810 itself. Thereby, even when there are a plurality of user terminal devices 100 in the store, the service providing device 810 can identify the user terminal device 100 that is the transmission source, and can specify the user terminal device 100 that is the transmission destination.

In this example, the service providing apparatus 810 determines whether or not there is an anonymous ID collision. However, as will be described below, the service providing apparatus 810 provides an ID number to the user terminal apparatus 100. Since the list of 712 is transmitted, the user terminal device 100 can also determine whether or not there is an anonymous ID collision.
For example, at this time, it is assumed that the anonymous ID does not have to collide with another user terminal device 100 currently communicating, and this is set as the temporary anonymous ID. Thereafter, the user terminal device 100 receives a list of ID numbers 712 through communication using a temporary anonymous ID, and determines an anonymous ID that does not collide from the received list of ID numbers 712. This is transmitted to the service providing apparatus 810 as a formal anonymous ID, and thereafter communication using the formal anonymous ID is performed.

  FIG. 32 is a flowchart showing an example of a flow of information providing processing in which the history service providing system 800 according to this embodiment provides a history service.

In the anonymous ID list transmission step, the record identification transmission unit 824 inputs all ID numbers 712 included in the service usage record information group 710 stored in the usage record storage unit 823, using a processing device such as the CPU 911. .
The record identification transmitting unit 824 creates a list of input ID numbers 712 using a processing device such as the CPU 911.
The record identification transmission unit 824 transmits a list of the created ID numbers 712 to the user terminal device 100 using the communication device 915.

In the anonymous ID list receiving step, the record identification receiving unit 113 uses the communication device 915 to receive a list of ID numbers 712 transmitted by the service providing device 810 in the anonymous ID list transmitting step.
The record identification receiving unit 113 outputs a list of received ID numbers 712 using a processing device such as the CPU 911.

In the anonymous ID selection step, the record identification selection unit 152 inputs a list of ID numbers 712 output by the record identification reception unit 113 in the anonymous ID list reception step using a processing device such as the CPU 911.
The record identification selection unit 152 is included in the service use record information group 710 (use history information 610) stored in the use history storage unit 121 in the list of input ID numbers 712 using a processing device such as the CPU 911. All ID numbers 712 (history identification information 614) to be selected are selected.
The recording identification selection unit 152 selects a sufficient number of other ID numbers 712 from the list of input ID numbers 712 using a processing device such as the CPU 911.
The record identification selection unit 152 outputs a list of the selected ID numbers 712 using a processing device such as the CPU 911.

In the anonymous ID subset transmission step, the selection identification transmission unit 142 inputs a list of ID numbers 712 output by the recording identification selection unit 152 in the anonymous ID selection step using a processing device such as the CPU 911.
The selection identification transmission unit 142 transmits the list of the input ID numbers 712 to the service providing apparatus 810 using the communication apparatus 915.

In the anonymous ID subset receiving step, the selection identification receiving unit 825 receives the list of ID numbers 712 transmitted by the selection identification transmitting unit 142 in the anonymous ID subset transmission step using the communication device 915.
The selection identification receiving unit 825 outputs a list of received ID numbers 712 using a processing device such as the CPU 911.

In the history generation information creation step, the transmission use record generation unit 826 inputs a list of ID numbers 712 output by the selection identification reception unit 825 in the anonymous ID subset reception step using a processing device such as the CPU 911.
The transmission usage record generation unit 826 inputs service usage record information 711 stored in the usage record storage unit 823 for each input ID number 712 using a processing device such as the CPU 911.
The transmission usage record generation unit 826 creates transmission usage record information from the input service usage record information 711 using a processing device such as the CPU 911.
The transmission usage record generation unit 826 outputs the generated transmission usage record information using a processing device such as the CPU 911.
Note that the transmission usage record information is used by the user terminal device 100 to generate the anonymous history information 630 and may be referred to as history generation information.

In the history generation information transmission step, the usage record transmission unit 827 inputs the transmission usage record information created by the transmission usage record generation unit 826 in the history generation information creation step using a processing device such as the CPU 911.
The usage record transmission unit 827 transmits the input transmission usage record information to the user terminal device 100 using the communication device 915.

In the history generation information reception step, the usage record reception unit 111 receives the transmission usage record information (encrypted recording information 640) transmitted by the usage record transmission unit 827 in the history generation information transmission step using the communication device 915. To do.
The usage record receiving unit 111 acquires the usage record information 620 from the received transmission usage record information using a processing device such as the CPU 911.
The usage record receiving unit 111 outputs the acquired usage record information 620 using a processing device such as the CPU 911.

In the history generation information verification step, the reliability determination unit 151 inputs the usage record information 620 output from the usage record reception unit 111 using a processing device such as the CPU 911.
The reliability determination unit 151 verifies whether the input usage record information 620 has been tampered with using a processing device such as the CPU 911.
If the reliability determination unit 151 determines that the usage record information 620 has not been tampered with, the history generation process is executed.

In the history generation process, the anonymous history determination unit 130 inputs the usage record information 620 output by the usage record reception unit 111 using a processing device such as the CPU 911.
The anonymous history discriminating unit 130 calculates a user identification rate for each product based on the input usage record information 620 using a processing device such as the CPU 911.
The anonymity history determination unit 130 compares the calculated user identification rate with the threshold indicated by the user identification rate setting information using a processing device such as the CPU 911, and determines the anonymity of information about the product. .
The anonymity history determination unit 130 generates anonymity history information 630 from information about a product determined to have high anonymity using a processing device such as the CPU 911.
The anonymous history discriminating unit 130 outputs the generated anonymous history information 630 using a processing device such as the CPU 911.

In the history transmission step, the anonymous history transmission unit 141 inputs the anonymous history information 630 output by the anonymous history determination unit 130 in the history generation step using a processing device such as the CPU 911.
The anonymous history transmitting unit 141 transmits the input anonymous history information 630 to the service providing device 810 using the communication device 915.

When the anonymous history determination unit 130 does not output the anonymous history information 630, the anonymous history transmission unit 141 transmits empty information as the anonymous history information 630.
The case where the anonymous history discriminating unit 130 does not output the anonymous history information 630 is, for example, a case where the user has never purchased a product and there is no history to be transmitted.
Alternatively, as a result of the reliability determination unit 151 determining that the usage record information 620 has been tampered with, the anonymous history determination unit 130 may not output the anonymous history information 630.
Moreover, as a result of the anonymous history determination unit 130 determining that anonymity is low for all products that have been purchased, the anonymous history information 630 may not be output.

  The anonymous history transmitting unit 141 transmits empty information to the service providing apparatus 810 without distinguishing between these cases. This is because the service providing apparatus 810 is not given a clue for identifying the user.

In the history receiving step, the anonymous history receiving unit 831 receives the anonymous history information 630 transmitted by the user terminal device 100 in the history transmitting step using the communication device 915.
The anonymous history receiving unit 831 outputs the received anonymous history information 630 using a processing device such as the CPU 911.

In the service information selection step, the service information selection unit 833 inputs the anonymous history information 630 output by the anonymous history reception unit 831 in the history reception step using a processing device such as the CPU 911.
The service information selection unit 833 analyzes the input anonymous history information 630 by using a processing device such as the CPU 911 and acquires a service usage history such as a product that the user has purchased.
The service information selection unit 833 uses a processing device such as the CPU 911 to select information that is likely to be useful to the user from the service information stored in the service information storage unit 832 based on the acquired service usage history. .
The service information selection unit 833 outputs the selected service information using a processing device such as the CPU 911.

In the service information transmission step, the service information transmission unit 834 inputs the service information output by the service information selection unit 833 in the service information selection step using a processing device such as the CPU 911.
The service information transmission unit 834 transmits the input service information to the user terminal device 100 using the communication device 915.

  In the service information receiving process, the user terminal device 100 receives the service information transmitted by the service information transmitting unit 834 in the service information transmitting process using the communication device 915.

  In the service information display step, the user terminal device 100 uses the display device 901 to display the service information received in the service information reception step.

  FIG. 33 is a diagram illustrating an example of information exchanged between the service providing apparatus 810 and the user terminal apparatus 100 in the history service providing system 800 according to this embodiment.

It is assumed that the usage record storage unit 823 of the service providing apparatus 810 stores the service usage record information group 710 shown in FIG.
The usage record storage unit 823 stores five pieces of service usage record information 711 of “ID1”, “ID2”, “ID3”, “ID4”, and “ID5”.

Of these, the usage history storage unit 121 of the user terminal device 100 stores service usage record information 711 of “ID3” and “ID5” as usage history information 610.
That is, these two service usage records are those of the user who possesses this user terminal device 100. However, the service providing apparatus 810 does not know that.

The record identification transmission unit 824 lists all the ID numbers 712 included in the service usage record information group 710 stored in the usage record storage unit 823 and transmits the list to the user terminal device 100. In this example, the list of ID numbers 712 transmitted by the record identification transmission unit 824 includes five ID numbers 712 of “ID1”, “ID2”, “ID3”, “ID4”, and “ID5”.
The record identification receiving unit 113 receives the list of ID numbers 712 transmitted by the record identification transmitting unit 824.

  The record identification selecting unit 152 selects the ID number 712 from the list of ID numbers 712 received by the record identification receiving unit 113. In this example, the record identification selection unit 152 selects “ID3” and “ID5”, which are ID numbers 712 included in the service usage record information 711 stored in the usage history storage unit 121, and other ID numbers 712. “ID2” and “ID4” are selected.

The selection identification transmission unit 142 transmits the list of ID numbers 712 selected by the recording identification selection unit 152 to the service providing apparatus 810. In this example, the list of ID numbers transmitted by the selection identification transmitter 142 includes four ID numbers 712 of “ID2”, “ID3”, “ID4”, and “ID5”.
The selection identification receiving unit 825 receives the list of ID numbers 712 transmitted by the selection identification transmission unit 142.

  FIG. 34 is a diagram showing an example of history generation information 740 generated by the transmission usage record generation unit 826 in this embodiment.

The history generation information 740 generated by the transmission usage record generation unit 826 includes a service information group 741 and a verification information group 751.
The service information group 741 includes one or more service record information 742.
The service record information 742 is information corresponding to the service use record information 711 stored in the use record storage unit 823. The service record information 742 is service use record information 711 identified by the ID number 712 included in the list of ID numbers 712 received by the selection identification receiving unit 825 in the service use record information group 710 stored in the use record storage unit 823. Is generated by the transmission usage record generation unit 826.
The service record information 742 includes an ID number 743 and an encrypted individual service information group 744.
The ID number 743 is the ID number 712 of the original service usage record information 711.
The encrypted individual service information group 744 is information generated from the service usage record 714 of the original service usage record information 711. The encrypted individual service information group 744 is an example of an encrypted conversion information group.
The encrypted individual service information group 744 includes one or more encrypted individual service information 745.
The encrypted individual service information 745 is information generated by encrypting the product code, purchase quantity, and the like included in the service usage record 714. The encrypted individual service information 745 is an example of encryption conversion information.
Here, “E” means “encryption”, and “E (...)” Indicates data generated as a result of encryption. The subscript “E” means a common key used for encryption. For example, “E ₂ ” indicates encryption using “common key 2”.
For example, “E ₂ (Product A: 2: 4: 3: 15)” is generated by encrypting the data (character string) “Product A: 2: 4: 3: 15” with “Common Key 2”. Data is shown.
The transmission usage record generation unit 826 generates encrypted individual service information 745 by encrypting with the common key 713 of the service usage record information 711.

  Instead of encrypting the encrypted individual service information 745, the entire encrypted individual service information group 744 may be encrypted.

  Since the usage history storage unit 121 of the user terminal device 100 stores the common key 713 in the service usage record information 711, the user terminal device 100 uses the service usage record information 711 that is its own usage record. The encrypted individual service information group 744 included in the generated service record information 742 can be decrypted to obtain a product code, the number of purchases, and the like. However, the encrypted individual service information group 744 included in the service record information 742 generated from the service use record information 711 that is the use record of another user cannot be decrypted because the common key is not known.

The verification information group 751 includes one or more verification information 752.
The verification information 752 is information corresponding to the service usage record information 711 stored in the usage record storage unit 823. The verification information 752 is the service usage record information 711 identified by the ID number 712 included in the list of ID numbers 712 received by the selection identification receiving unit 825 in the service usage record information group 710 stored in the usage record storage unit 823. Is generated by the transmission usage record generation unit 826.

Unlike the service record information 742, the verification information 752 does not include an ID number. Therefore, it is not known from which service usage record information 711 the verification information 752 is generated from just looking at the verification information 752.
The transmission use record generation unit 826 generates the verification information group 751 by arranging the verification information 752 in a random order. Therefore, it is impossible to know which service usage record information 711 is generated from the order of the verification information 752.

The verification information 752 includes an individual service information verification information group 753 and an individual service number calculation information group 755.
The individual service information verification information group 753 includes one or more pieces of individual service information verification information 754.
The individual service information verification information 754 is information for the user terminal device 100 to verify whether the service record information 742 has been tampered with.
The individual service information verification information 754 is a hash value generated from the ID number 712 of the original service usage record information 711, the product code included in the service usage record 714, the number of purchases, and the like.
Here, “H” means “hash function”, and “H (...)” Indicates a hash value calculated by the hash function. For example, “H (ID3, C, 0)” indicates a hash value calculated from data (character string) “ID3, C, 0”.
In this example, a character string obtained by connecting an ID number, a product code, and the number of purchases separated by “,” is used as an argument of the hash function.

  The individual service information verification information 754 is generated separately by the transmission usage record generation unit 826 for each type of product. In this example, since there are four types of products, “product A”, “product B”, “product C”, and “product D”, one individual service information verification information group 753 includes four pieces of information for individual service information verification. 754. If the service usage record 714 of the original service usage record information 711 does not record that the product has been purchased, the transmission usage record generation unit 826 assumes that the purchase number is “0” and the transmission usage record generation unit 826 determines the individual service information Verification information 754 is generated.

The transmission usage record generation unit 826 generates the individual service information verification information group 753 by arranging the individual service information verification information 754 in a random order. Accordingly, it is impossible to know which product the individual service information verification information 754 belongs to from the position of the individual service information verification information 754 in the individual service information verification information group 753.
However, in the individual service information verification information group 753 included in one verification information group 751, the transmission usage record generation unit 826 arranges the individual service information verification information 754 in the same order, and the individual service information verification information group 753 is generated.

The information group 755 for calculating the number of individual services includes a user terminal device 100 that cannot decrypt the encrypted individual service information group 744 because the user does not know the common key 713 for the service usage record information 711 that is a usage record of another user. This is information configured so that the contents of the service used, such as the number of purchases, can be acquired. The individual service number calculation information group 755 is an example of an individual service content acquisition information group.
The individual service number calculation information group 755 includes one or more individual service number calculation information 756.
The individual service number calculation information 756 is generated for each type of product by the transmission usage record generation unit 826 based on the service usage record information 711. In this example, since there are four types of products, one individual service number calculation information group 755 includes four pieces of individual service number calculation information 756. The individual service number calculation information 756 is an example of individual service content acquisition information.
The transmission usage record generation unit 826 generates the individual service number calculation information group 755 by arranging the individual service number calculation information 756 in a random order. The order of the individual service number calculation information 756 in the individual service number calculation information group 755 and the order of the individual service information verification information 754 in the individual service information verification information group 753 are irrelevant. Therefore, from the position of the individual service number calculation information 756 in the individual service number calculation information group 755, it is impossible to know which product the individual service number calculation information 756 belongs to.
However, in the individual service number calculation information group 755 included in one verification information group 751, the transmission usage record generation unit 826 arranges the individual service number calculation information 756 in the same order, and the individual service number calculation information group 755 is generated.

  Next, the encrypted individual service information 745, the individual service information verification information 754, and the individual service number calculation information 756 will be described in detail.

  FIG. 35 is a diagram for explaining a generation method in which the transmission usage record generation unit 826 in this embodiment generates encrypted individual service information 745, individual service information verification information 754, and individual service number calculation information 756. It is.

Data to be encrypted with the common key 713 by the transmission usage record generation unit 826 to generate the encrypted individual service information 745 includes a product code 715, a purchase quantity 716, a verification position 761, a calculation position 762, and a numerical value for calculation. 763.
The product code 715 is a product code included in the service usage record 714 of the original service usage record information 711.
The purchase quantity 716 is the purchase quantity included in the service usage record 714 of the original service usage record information 711.

  The verification position 761 is information indicating where the individual service information verification information 754 for the product is in the individual service information verification information group 753. In this example, since the individual service information verification information 754 for the product A is located in the fourth of the individual service information verification information 754 in the individual service information verification information group 753, the verification position 761 is “ 4 ".

  The calculation position 762 is information indicating where the individual service number calculation information 756 for the product is in the individual service number calculation information group 755. In this example, since the individual service number calculation information 756 for the product A is located in the third of the individual service number calculation information 756 in the individual service number calculation information group 755, the calculation position 762 is “ 3 ".

The calculation numerical value 763 is a numerical value used for calculating the individual service number calculation information 756.
The verification position 761, the calculation position 762, and the calculation numerical value 763 are examples of service conversion information. The numerical value for calculation 763 is an example of a service encryption key.

  The transmission usage record generation unit 826 encrypts data including these pieces of information with the common key 713 to generate encrypted individual service information 745.

Data from which the transmission usage record generating unit 826 generates the individual service information verification information 754 includes an ID number 712, a product code 715, and a purchase quantity 716.
The transmission usage record generation unit 826 calculates a hash value of data including the ID number 712, the product code 715, and the purchase quantity 716, and generates individual service information verification information 754.

  The transmission usage record generation unit 826 adds the purchase number 716 to the calculated hash value (= individual service information verification information 754), and further adds an integer multiple of the calculation value 763 to calculate the number of individual services. Information 756 is generated.

In this example, the transmission usage record generation unit 826 calculates the hash value “H (ID2, A, 2)” from the ID number 712 “ID2”, the product code 715 “product A”, and the purchase quantity 716 “2”. The individual service information verification information 754 is added with the purchase quantity 716 “2”, and further added with “75”, which is five times the numerical value for calculation 763 “15”. To do.
The transmission usage record generating unit 826 generates the individual service information verification information group 753 by arranging the generated individual service information verification information 754 at the position indicated by the verification position 761. Similarly, the transmission usage record generation unit 826 generates the individual service number calculation information group 755 by arranging the generated individual service number calculation information 756 at the position indicated by the calculation position 762.

  Next, how the user terminal device 100 restores the history generation information 740 generated in this way will be described.

In FIG. 33, the selection identification transmission unit 142 transmits a list including four ID numbers 712 “ID2”, “ID3”, “ID4”, and “ID5” to the service providing apparatus 810.
In the service providing apparatus 810, the selection identification receiving unit 825 receives this, and the transmission use record generating unit 826 generates history generation information 740 corresponding thereto. FIG. 34 shows the generated history generation information 740. The usage record transmission unit 827 transmits history generation information 740 to the user terminal device 100.

The usage record receiving unit 111 of the user terminal device 100 receives the history generation information 740 using the communication device 915.
The usage record receiving unit 111 is included in the service usage record information group 710 stored in the usage history storage unit 121 from the service information group 741 included in the received history generation information 740 using a processing device such as the CPU 911. Service record information 742 having an ID number 743 that matches the ID number 712 to be extracted is extracted.
In this example, the usage record receiver 111 extracts two pieces of service record information 742 of “ID3” and “ID5”.

The usage record receiving unit 111 uses a processing device such as the CPU 911 to decrypt the encrypted individual service information 745 included in the extracted service record information 742 with the corresponding common key 713 to obtain the original data.
In this example, the usage record receiving unit 111 acquires “product A: 2: 4: 3: 15” and “product B: 2: 2: 1: 13” from the service record information 742 of “ID3”. From the service record information 742 of “ID5”, “product A: 2: 4: 3: 15” and “product C: 1: 1: 2: 11” are acquired.
Based on this, the usage record receiving unit 111 acquires a verification position 761 “4”, a calculation position 762 “3”, and a calculation numerical value 763 “15” for “product A”. Similarly, a verification position 761 “2”, a calculation position 762 “1”, a calculation numerical value 763 “13” for “product B”, a verification position 761 “1” for “product C”, and a calculation position 762 “2” and a numerical value for calculation 763 “11” are acquired.
The usage record receiver 111 cannot obtain the verification position 761 for “product D”. Since the user has never purchased “product D”, the service record information 742 of “ID3” and “ID5” does not include information on “product D”. The service record information 742 of “ID2” and “ID4” includes information about “product D”, but the usage history storage unit 121 stores a common key 713 corresponding to “ID2” and “ID4”. I can't decrypt it.

  Further, the usage record receiving unit 111 acquires the product code 715 “product A” and the purchase quantity 716 “2” based on the service record information 742 of “ID3”. Also, the product code 715 “product B” and the purchase quantity 716 “2” are acquired. Similarly, the product code 715 “product A”, the purchase number 716 “2”, the product code 715 “product C”, and the purchase number 716 “1” are acquired based on the service record information 742 of “ID5”.

  The reliability determination unit 151 uses a processing device such as the CPU 911 to collate the product code 715 and the purchase quantity 716 acquired by the usage record reception unit 111 with the service usage record information 711 stored in the usage history storage unit 121, Verify that it matches. If not, it is determined that the history generation information 740 is not reliable.

The reliability determination unit 151 uses a processing device such as the CPU 911 to verify the hash value “ID3” based on the ID number 743 “ID3”, the product code 715 “product A”, and the purchase quantity 716 “2”. H (ID3, A, 2) "is calculated.
Since the verification information 752 is arranged in a random order in the verification information group 751, it is not known which of the verification information 752 for “ID3” is. However, as a result of decoding the service record information 742, it is known that the individual service information verification information 754 for the “product A” is the fourth in the individual service information verification information group 753.

The reliability determination unit 151 uses the processing device such as the CPU 911 to check the fourth individual service information verification information in the individual service information verification information group 753 from the verification information 752 included in the verification information group 751. 754 searches for a match with the calculated hash value “H (ID3, A, 2)”.
In this example, the first verification information 752 in the verification information group 751 matches the condition.
The reliability determination unit 151 uses a processing device such as the CPU 911 to verify in more detail whether this is verification information 752 for “ID3”.
The reliability determination unit 151 calculates a hash value for other products using a processing device such as the CPU 911. “H (ID3, B, 2)” is calculated for “product B”, and “H (ID3, C, 0)” is calculated for “product C”. In addition, since the product code is unknown for “product D” that has not been purchased, the reliability judgment unit 151 cannot calculate the hash value “H (ID3, D, 0)”.
Since it is known that the individual service information verification information 754 for “product B” is second in the individual service information verification information group 753, the reliability determination unit 151 uses a processing device such as the CPU 911. The calculated hash value “H (ID3, B, 2)” is compared with the second individual service information verification information 754 to confirm that they match.
Similarly for “product C”, the reliability determination unit 151 uses a processing device such as the CPU 911 to calculate the calculated hash value “H (ID3, C, 0)” and the first individual service information verification information. 754 and confirm that they match.
Thus, it can be confirmed that the verification information 752 is for “ID3”.

For “product D”, since the reliability judgment unit 151 cannot obtain the verification position 761 from the service record information 742, it is known where the individual service information verification information 754 is in the individual service information verification information group 753. Not. Further, since the reliability determination unit 151 cannot calculate the hash value “H (ID3, D, 0)”, the verification information group 751 is searched and the individual service information verification information for “product D” is searched. The position of 754 cannot be known.
In this example, since there is only one product that has not been purchased, it is possible to specify that the third individual service information verification information 754 that is the remaining position is for “product D”. However, in reality, since there are more types of products to handle, the situation that there is only one product that has never been purchased is extremely rare, and the reliability judgment unit 151 has information on products that have not been purchased. It can be said that we cannot know.

  Since the “product D” is a product that has not been purchased, the reliability determination unit 151 can determine the reliability of the history generation information 740 without knowing the information about the “product D”. Thereby, it is possible to prevent information that does not need to be notified to the user terminal device 100 from being leaked.

  If something that does not match appears in the middle of the confirmation, the reliability judgment unit 151 uses a processing device such as the CPU 911 to inspect other verification information 752 that is likely to match, otherwise, It is determined that the digitized record information 640 is not reliable.

On the other hand, the usage record receiving unit 111 acquires service record information from the individual service number calculation information group 755 based on the information acquired by decrypting the encrypted individual service information 745.
The usage record receiving unit 111 uses the processing device such as the CPU 911 to acquire the individual service number calculation information 756 for “product A” from all the verification information 752 included in the verification information group 751. From the decryption result of the encrypted individual service information 745, it is known that the individual service number calculation information 756 for “product A” is the third in the individual service number calculation information group 755.
In addition, the usage record receiving unit 111 acquires the individual service information verification information 754 for “product A” from all the verification information 752 included in the verification information group 751 using a processing device such as the CPU 911. . From the decryption result of the encrypted individual service information 745, it is known that the individual service information verification information 754 for “product A” is the fourth in the individual service information verification information group 753.
The usage record receiving unit 111 subtracts the individual service information verification information 754 from the acquired individual service number calculation information 756 using a processing device such as the CPU 911. The usage record receiving unit 111 uses a processing device such as the CPU 911 and further divides the result by the calculation numerical value 763 “15” acquired from the decryption result of the encrypted individual service information 745 to obtain a remainder.
In this example, for example, in the case of the first verification information 752, the individual service number calculation information 756 “H (ID3, A, 2) +62” −the individual service information verification information 754 “H (ID3, A, 2) ”=“ 62 ”and“ 62 ÷ 15 = 4 is too much 2 ”. This indicates that the number of purchases of “product A” is “2” in the service record information 742.

Since the first verification information 752 is for “ID3”, the reliability judgment unit 151 verifies whether or not it is correct by comparing with the service usage record information 711 stored in the usage history storage unit 121. To do. If not correct, it is determined that the history generation information 740 is not reliable.
The usage record receiver 111 can obtain the number of purchases by using the same calculation for the usage records of other users. Similarly, for “product B” and “product C”, the purchase quantity can be obtained.
However, for “Product D”, the product code 715, the calculation position 762, and the calculation numerical value 763 are not known, and therefore the purchase quantity cannot be obtained.

FIG. 36 is a diagram showing an example of the service usage record information 721 decrypted by the usage record receiver 111 in this embodiment.
This example shows a case where the usage record receiver 111 decrypts the history generation information 740 shown in FIG.

The usage record receiver 111 uses the communication device 915 to receive the history generation information 740 transmitted by the service providing device 810.
The history generation information 740 received by the usage record reception unit 111 includes service record information 742 and verification information 752 for four ID numbers 743 “ID2”, “ID3”, “ID4”, and “ID5”. Among these, the service usage record information 711 for “ID3” and “ID5” is stored in the usage history storage unit 121.
The usage record receiving unit 111 uses a processing device such as the CPU 911 to share the service record information 742 for the ID numbers 743 “ID3” and “ID5” in the service information group 741 in the usage history storage unit 121. The service usage record 724 is obtained by decrypting with the key 713.
In addition, the usage record receiving unit 111 decrypts the service record information 742 for “ID3” and “ID5” by using a processing device such as the CPU 911, the verification position 761, the calculation position 762, and the numerical value for calculation. Based on 763, all the verification information 752 included in the verification information group 751 is decrypted, and the service usage record 724 is acquired.
At this time, the product code 715, the verification position 761, the calculation position 762, and the calculation numerical value 763 that can be obtained by decrypting the service record information 742 for “ID3” are those for “Product A” and “Product B”. It is. Also, the service record information 742 for “ID5” can be decrypted and acquired for “product A” and “product C”. Therefore, the product code 715, the verification position 761, the calculation position 762, and the calculation numerical value 763 for “product D” are not obtained.
Therefore, the usage record receiving unit 111 can determine that there is one product that has not been purchased based on the verification information group 751, but can determine that the product code of the product is “product D”. In addition, the service usage record 724 for “product D” cannot be decrypted.
However, since the anonymous history information 630 generated by the anonymous history discriminating unit 130 does not include information about the “product D” that has not been purchased, the anonymous history discriminating unit 130 stores the information about the “product D”. There is no need to judge anonymity. Therefore, the anonymity history determination unit 130 can determine the anonymity of information that needs to be determined without knowing the information about the “product D”.

The verification information 752 includes the hash value calculated from the ID number 743, but does not include the information of the ID number itself. As for the information 752, it is impossible to know which ID number the verification information 752 is.
However, the anonymity history discriminating unit 130 uses information about products purchased by other users to determine the anonymity of information, but it is necessary to know who the users who purchased the products are. Therefore, the anonymity of information that needs to be determined can be determined without knowing the ID number 743 of another user.

Therefore, the usage record receiving unit 111 is necessary for the reliability determination unit 151 to determine the reliability of the history generation information 740 and the anonymous history determination unit 130 to determine the anonymity of the information. Only information is acquired, and other information cannot be acquired.
Thereby, it is possible to prevent information that does not need to be notified to the user terminal device 100 from being leaked.

  The reliability determination unit 151 compares the service usage record information 721 acquired in this way with the service usage record information 711 stored in the usage history storage unit 121 by using a processing device such as the CPU 911 to generate a history. It is determined whether the usage information 740 is reliable.

  In addition, when the reliability determination unit 151 determines that the history generation information 740 is reliable, the anonymous history determination unit 130 uses the processing device such as the CPU 911 based on the service usage record information 721 to identify the user identification rate. And the information determined that the user identification rate is low is determined from the service usage record information group 710 stored in the usage history storage unit 121, and the anonymous history determination unit 130 is generated and output.

In this example, the anonymous history discriminating unit 130 inputs the service usage record information group 710 stored in the usage history storage unit 121 using a processing device such as the CPU 911.
According to the service usage record information group 710 stored in the usage history storage unit 121, since the user has purchased “two products A”, the anonymous history determination unit 130 sends this information to the service providing apparatus 810. Calculate the user identification rate when it is sent.
The anonymous history determination unit 130 inputs the service usage record information 721 output by the usage record reception unit 111 using a processing device such as the CPU 911.
The anonymity history discriminating unit 130 counts how many records “purchase product A” are based on the input service usage record information 721 using a processing device such as the CPU 911. In this example, there are three records of “purchased product A”.
Further, the anonymous history discriminating unit 130 counts the number of records indicating that “two” products A have been purchased based on the input service usage record information 721 using a processing device such as the CPU 911. In this example, there are three records of “purchased two products A”.
In this way, the anonymous history discriminating unit 130 simply counts both “already purchased” records and “same purchase quantity” records.

  Similarly, according to the service usage record information group 710 stored in the usage history storage unit 121, “product B” has been purchased by the user “2”, and “product C” has been purchased by the user “1”. The anonymous history discriminating unit 130 uses a processing device such as the CPU 911 to record “purchased product B”, “purchased two products B”, and “purchased product C”. ”Record,“ Purchase of one product C ”is calculated.

Since “(user specification rate) = 1 / (number of times of use) × 100”, the anonymous history determination unit 130 calculates each user specification rate using a processing device such as the CPU 911.
In this example, the anonymous history discriminating unit 130 has the information that “the user has purchased product A” has a user identification rate of “33.3%” and “has purchased two products A”. The user identification rate of the information “33.3%”, “has purchased product B” is the user identification rate of “100%”, and “has purchased 2 products B” The user identification rate of the information “100%”, “has purchased product C” is the user identification rate of “33.3%”, and “has purchased one product C” The user identification rate is calculated to be “50%”.
Anonymity history discriminating unit 130 uses a processing device such as CPU 911 to compare the calculated user identification rate with the value indicated by the stored user identification rate setting information, and whether the information is highly anonymous Determine whether. For example, when the user identification rate setting information is “50%”, the anonymity history determination unit 130 determines that the anonymity of the information is high when the user identification rate is lower than “50%”.
In this example, the anonymous history discriminating unit 130 has high anonymity for information that “has purchased product A”, “has purchased 2 products A”, and “has purchased product C”. Judge. In addition, it is determined that information such as “has purchased product B”, “has purchased 2 products B”, “has purchased 1 product C” has low anonymity.

The anonymity history determination unit 130 generates anonymity history information 630 including information determined to have high anonymity using a processing device such as the CPU 911.
In this example, the anonymous history information 630 generated by the anonymous history determination unit 130 includes information indicating that “two products A have been purchased” and “a product C has been purchased”.
However, the anonymous history discriminating unit 130 does not include the information determined to have low anonymity in the anonymous history information 630.
In this example, the anonymous history information 630 generated by the anonymous history determination unit 130 does not include information indicating that “the product B has been purchased” and “the product C has been purchased one”.

In this example, the user identification rate is calculated and the anonymity is determined for the two-stage information of “the product has been purchased” and “the number of the product that has been purchased”. Just be fine.
In addition, when the anonymity of the rough information (“I have purchased the product”) is low (the user identification rate is greater than or equal to the threshold), the detailed information (“Purchase the product” ”) Includes general information that is a superordinate concept thereof (information that“ has purchased one product C ”includes information that“ has purchased product C ”) Therefore, it is not necessary to calculate the user identification rate of detailed information, and the anonymity of detailed information is low.
Therefore, the anonymity history determination unit 130 may determine the anonymity of the schematic information using a processing device such as the CPU 911, and may determine the anonymity of the detailed information only when the anonymity is high.

Further, the anonymous history discriminating unit 130 is configured to determine that anonymity is low with a certain probability even when it is determined that the user identification rate of detailed information is lower than the threshold using a processing device such as the CPU 911. May be.
This is because if detailed information is configured to be transmitted to the service providing apparatus 810 when the user identification rate of the detailed information is lower than the threshold, only the schematic information is transmitted and the detailed information is transmitted. This is because if the information is not transmitted, the service providing apparatus 810 may be given a clue to identify the user.
For example, if there are many users who “purchased product A” and most people “buy 2”, but only one person has purchased “1”, Both the general information “has purchased A” and the detailed information “has purchased two products A” have low user identification rates.
In this example, if only the information that “the product A has been purchased” is transmitted, the service providing apparatus 810 “has purchased two products A”. You can see that there is no “something”. Therefore, information with a high user identification rate “has purchased one product A” has not been transmitted to the service providing apparatus 810, but is known to the service providing apparatus 810.
Even if the user identification rate is low for detailed information, if it is determined that anonymity is low with a certain probability and it is not transmitted to the service providing apparatus 810, “the product A has been purchased” Even if only information is transmitted, it may be “has purchased two products A” when viewed from the service providing apparatus 810, and the service providing apparatus 810 knows information that has not been transmitted and has a high user identification rate. Can be prevented.

The service providing apparatus 810 (server apparatus) in this embodiment is
A storage device such as a magnetic disk device 920 for storing information;
A processing device such as a CPU 911 for processing information;
A communication device 915 that communicates with a plurality of user terminal devices 100 (terminal devices) that store usage history information in which used service content is recorded;
Using a storage device such as the magnetic disk device 920, service usage record information 711 (usage record information) in which used service contents are stored, and an ID number 712 (record identification information) for identifying the service usage record information 711 A usage record storage unit 823 for storing a plurality of records;
The ID number 712 stored in the usage record storage unit 823 is input using a processing device such as the CPU 911, a list of the input ID numbers 712 is generated using the processing device such as the CPU 911, and the communication device 915 is used. A record identification transmission unit 824 that transmits a list of generated ID numbers 712 to the user terminal device 100;
The communication device 915 is used to receive a plurality of ID numbers 712 selected by the user terminal device 100 from the list of ID numbers 712 transmitted by the record identification transmission unit 824 from the user terminal device 100, and the CPU 911. A selection identification receiving unit 825 that outputs the received ID number 712 using the processing device of
A plurality of ID numbers 712 output by the selection identification receiving unit 825 are input using a processing device such as the CPU 911, and a plurality of services identified by the plurality of input ID numbers 712 using the processing device such as the CPU 911. Usage record information 711 is input, and history generation information 740 (transmission usage record information to be transmitted to user terminal device 100 based on a plurality of input service usage record information 711 using a processing device such as CPU 911. ), And using a processing device such as the CPU 911, the transmission use record generation unit 826 that outputs the generated history generation information 740;
The history generation information 740 output from the transmission usage record generation unit 826 is input using a processing device such as the CPU 911, and the input history generation information 740 is input to the user terminal device 100 using the communication device 915. A usage record transmission unit 827 for transmitting
When the anonymity is high based on the history generation information 740 transmitted by the usage record transmission unit 827 among the service usage record information 711 (use history information) stored by the user terminal device 100 using the communication device 915. Anonymous history receiving unit 831 that receives information determined by user terminal device 100 from communication device 915 and outputs the received information as anonymous history information 630 using a processing device such as CPU 911;
A service information selection unit 833 for storing service information to be provided to the user terminal device 100 using a storage device such as the magnetic disk device 920;
Anonymous history information 630 output by the anonymous history receiving unit 831 is input using a processing device such as the CPU 911, and input from the service information stored in the service information storage unit 832 using a processing device such as the CPU 911. A service information selection unit 833 that selects information useful for the user terminal device 100 based on the anonymous history information 630 and outputs the selected service information using a processing device such as the CPU 911. .

  According to the service providing apparatus 810 in this embodiment, only the information determined by the user terminal device 100 as having high anonymity is received, and the history service is provided based on the received information. It is possible to provide a history service that can be used with peace of mind without worrying about being done.

The data structure of the history generation information 740 (transmission use record information) in this embodiment is:
History generated based on a service usage record information group 710 (a plurality of usage record information) that records that at least one of a plurality of products (service types) has been purchased (service contents belonging to the service type are used) In the data structure of the generation information 740,
The history generation information 740 includes a service information group 741 and a verification information group 751.
The service information group 741 is a list in which a plurality of service record information 742 for each of a plurality of service use record information 711 (use record information) are arranged.
The service record information 742 has an ID number 712 for identifying the service use record information 711 and an encrypted individual service information group 744 (encrypted conversion information group).
The encrypted individual service information group 744 is a list in which encrypted individual service information 745 (encrypted conversion information) for each purchased product (service type to which the service content belongs) recorded by the service use record information 711 is arranged.
The encrypted individual service information 745 includes a verification position 761, a calculation position 762, and a calculation numerical value 763 (service conversion information) corresponding to the product, which are notified when the product is purchased (service contents are used). (History encryption key) encrypted information,
The verification information group 751 is a list in which verification information 752 for each of the plurality of service usage record information 711 is arranged in a random order.
The verification information 752 includes an individual service information verification information group 753 and an individual service number calculation information group 755 (individual service content acquisition information group).
The individual service information verification information group 753 is a list in which individual service information verification information 754 for each of a plurality of products is arranged in a random first order indicated by the verification position 761 (service conversion information).
The individual service information verification information 754 is a hash value generated from the ID number 712 for identifying the service usage record information 711 and the product code 715 and the number of purchases 716 (service contents) recorded by the service usage record information 711.
The individual service number calculation information group 755 is a random second order in which the calculation position 762 (service conversion information) indicates the individual service number calculation information 756 (individual service content acquisition information) for each of a plurality of products. Is a list arranged in
The individual service number calculation information 756 converts the purchase number 716 (service contents) recorded by the service usage record information 711 based on the individual service information verification information 754, and calculates a calculation numerical value 763 (service included in the service conversion information). It is information encrypted with an encryption key.

According to the data structure of the history generation information 740 in this embodiment, the user terminal device 100 that has received the history generation information 740 uses the common key 713 notified when the service is used to encrypt the individual service. Based on the verification position 761, the calculation position 762, and the calculation numerical value 763 included in the encrypted individual service information 745 obtained by decrypting the information 745, the product code 715 included in the verification information 752, the purchase quantity 716, and the like Therefore, it is possible to verify whether the information has been altered by comparing with the service usage record information 711 stored in the usage history storage unit 121.
In addition, since the information about the service type that has not been used among the information included in the verification information 752 cannot be restored, the user terminal device 100 can verify and anonymize the usage records of other users. Only the information necessary for the determination is acquired, and there is an effect that unnecessary information can be prevented from spreading.

According to the history service providing system 800 in this embodiment, before a user transmits a history, information about the history is obtained from the store in advance, and the user is not specified by the store using the information. By creating a purchase history from the purchase information and transmitting it to the store, the user can use the history service anonymously with privacy protected.
In addition, since the amount of information related to the history that the user obtains from the store can be controlled by the user, the optimum amount of information can be adjusted according to the performance of the user's mobile terminal.
In addition, the user can verify any of the information related to the history obtained from the store, but the store cannot specify the information to be verified by the user, so the store may tamper with the information to a convenient value. Can be prevented.
Further, the information that the user can know among the information related to the history obtained from the store is only the information related to the product purchased by the user in the past, and the purchase information of other users is protected.
Further, since communication data between the user's mobile terminal and the store server is encrypted, it is possible to prevent eavesdropping by a third party.

Embodiment 9 FIG.
The ninth embodiment will be described with reference to FIGS.
FIG. 37 is a system configuration diagram showing an example of the overall configuration and hardware configuration of the history service providing system 800 in this embodiment.
In addition, the same code | symbol is attached | subjected about the part which is common in the log | history service provision system 800 demonstrated in Embodiment 1, and description is abbreviate | omitted here.
The history service providing system 800 further includes an ID management device 850.
The ID management device 850 is, for example, a server device.
The hardware configuration of the ID management device 850 is the same as that of the service providing device 810.
The ID management device 850 communicates with the user terminal device 100 using the communication device 915. Also, the ID management device 850 communicates with the service providing device 810 using the communication device 915.
The ID management device 850 manages the user's anonymous ID.

  In order for the user terminal device 100 to accurately determine the anonymity of information, it is necessary to calculate the user identification rate based on a sufficient number of service usage record information 721. However, the user terminal device 100 is a mobile phone, for example, and processes a sufficient number of service usage record information 721 depending on the processing capability of the processing device such as the CPU 911 and the communication performance of the communication device 915. It may not be possible.

  The history service providing system 800 according to this embodiment accurately determines the anonymity of information regardless of the processing capability of the user terminal device 100 by calculating the user identification rate by the reliable ID management device 850. Is.

FIG. 38 is a block configuration diagram showing an example of the functional block configuration of the user terminal device 100 and the ID management device 850 in this embodiment.
Note that blocks common to the functional blocks described in the fourth embodiment are denoted by the same reference numerals, and description thereof is omitted here.
Further, the functional block configuration of the service providing apparatus 810 is the same as that described in the eighth embodiment, and the description thereof is omitted here.

  The user terminal device 100 includes a usage history reception unit 112, a usage history storage unit 121, an anonymous history determination unit 130, an anonymous history transmission unit 141, a reliability determination unit 151, an identification generation request transmission unit 161, a generation identification reception unit 163, A record identification transmission unit 164 and a user history reception unit 172 are included.

  The identification generation request transmission unit 161, when the user who has the user terminal device 100 needs to establish communication with the service providing device 810, for example, by visiting a store where the service providing device 810 exists. Using the communication device 915, information (hereinafter referred to as “identification generation request information”) for requesting generation of an anonymous ID (record identification information) is transmitted to the ID management device 850.

The generation identification receiving unit 163 receives the anonymous ID transmitted from the ID management device 850 using the communication device 915 as a response to the identification generation request information transmitted by the identification generation request transmission unit 161.
The generation identification receiving unit 163 outputs the received anonymous ID using a processing device such as the CPU 911.

The record identification transmission unit 164 inputs the anonymous ID output by the generation identification reception unit 163 using a processing device such as the CPU 911.
Using the communication device 915, the record identification transmission unit 164 transmits the input anonymous ID to the service providing device 810, and establishes communication using the anonymous ID.

The user history receiving unit 172 receives the user history information transmitted from the ID management device 850 using the communication device 915.
The user history receiving unit 172 outputs the received user history information using a processing device such as the CPU 911.

The user history information is information including user identification rate information indicating the user identification rate and history generation information 740 for the user who owns the user terminal device 100.
The user history information is generated based on the history generation information 740 received from the service providing apparatus 810 by the ID management apparatus 850.

The reliability determination unit 151 inputs the user history information output from the user history reception unit 172 and the service usage record information 711 stored in the usage history storage unit 121 using a processing device such as the CPU 911. .
Using the processing device such as the CPU 911, the reliability determination unit 151 compares the service usage record information 721 included in the input user usage example information with the input service usage record information 711 so as to match. Determine whether or not. When it is determined that they match, it is determined that the history generation information 740 is reliable, and when it is determined that they do not match, it is determined that the history generation information 740 is not reliable.

The anonymous history discriminating unit 130 uses the processing device such as the CPU 911 and the user history output by the user history receiving unit 172 when the reliability determining unit 151 determines that the history generation information 740 is reliable. Enter information.
The anonymity history determination unit 130 determines the anonymity of the information based on the user identification rate information included in the input user history information using a processing device such as the CPU 911, and generates anonymous history information 630. And output.

  The ID management device 850 includes a usage record reception unit 111, a record identification reception unit 113, a record identification selection unit 152, a selection identification transmission unit 142, an identification generation request reception unit 861, a record identification generation unit 862, a generation identification transmission unit 863, a recording It has an identification storage unit 864, a user history generation unit 871, and a user history transmission unit 872.

  The usage record reception unit 111, the record identification reception unit 113, the record identification selection unit 152, and the selection identification transmission unit 142 are the same as those used in the functional block of the user terminal device 100 in the fourth embodiment.

  The identification generation request receiving unit 861 receives the identification generation request information transmitted from the user terminal device 100 using the communication device 915.

When the identification generation request receiving unit 861 receives the identification generation request information, the record identification generation unit 862 generates an anonymous ID using a processing device such as the CPU 911. The record identification generation unit 862 generates a new anonymous ID using a processing device such as the CPU 911 based on the anonymous ID stored by the record identification storage unit 864 so that the anonymous ID does not collide.
The record identification generation unit 862 outputs the generated anonymous ID using a processing device such as the CPU 911.

The generation identification transmission unit 863 inputs the anonymous ID output by the recording identification generation unit 862 using a processing device such as the CPU 911.
The generation identification transmission unit 863 transmits the input anonymous ID to the user terminal device 100 using the communication device 915.

The record identification storage unit 864 inputs the anonymous ID output by the record identification generation unit 862 using a processing device such as the CPU 911.
The recording identification storage unit 864 stores the input anonymous ID in association with the real name ID of the user terminal device 100 using a storage device such as the magnetic disk device 920.

  Thus, the ID management device 850 can determine whether the plurality of anonymous IDs belong to the same user or different users. Instead, the ID management device 850 does not have information on the service used by the user having the anonymous ID.

The history generation unit 871 for the user uses the processing device such as the CPU 911 and the history generation information 740 (encrypted recording information 640) received by the usage record reception unit 111 and the anonymous ID stored by the recording identification storage unit 864. Enter.
The user history generation unit 871 calculates a user identification rate based on the input history generation information 740 using a processing device such as the CPU 911.
The user history generation unit 871 extracts the history generation information 740 for the user who owns the user terminal device 100 from the input history generation information 740 using a processing device such as the CPU 911. .
The user history generation unit 871 generates user history information including the user identification rate information indicating the calculated user identification rate and the extracted history generation information 740 using a processing device such as the CPU 911. To do.
The user history generation unit 871 outputs the generated user history information using a processing device such as the CPU 911.

The user history transmission unit 872 inputs the user history information output by the user history generation unit 871 using a processing device such as the CPU 911.
The user history transmission unit 872 transmits the generated user history information to the user terminal device 100 using the communication device 915.

Next, the operation will be described.
The overall flow of the history service providing process in which the history service providing system 800 in this embodiment provides a history service is the same as that described in the eighth embodiment with reference to FIG.

  FIG. 39 is a flowchart showing an example of the flow of communication establishment processing in which the history service providing system 800 in this embodiment establishes communication between the user terminal device 100 and the service providing device 810.

When the service providing device 810 detects the visit of the user at T11, the service providing device 810 uses the communication device 915 to store the public key certificate stored in the certificate storage unit 842 with respect to the user terminal device 100. Send.
Thereafter, the user terminal device 100 and the service providing device 810 share a shared key by the same procedure as described in the eighth embodiment until T14, and communication encrypted with the shared key is established. Thereafter, until the communication is disconnected, communication between the user terminal device 100 and the service providing device 810 is performed by communication encrypted with the shared key.

Next, communication between the user terminal device 100 and the ID management device 850 is established.
At T21, mutual authentication is performed between the user terminal device 100 and the ID management device 850, and communication using a common key is established.
For example, the user terminal device 100 uses the communication device 915 to transmit information requesting the public key certificate to the ID management device 850.
The ID management device 850 reads the public key certificate of the ID management device 850 stored in the storage device such as the magnetic disk device 920 using a processing device such as the CPU 911 and uses the communication device 915 to read the user terminal device 100. Against.
The user terminal device 100 receives the public key certificate transmitted from the ID management device 850 using the communication device 915, and confirms the content of the received public key certificate using a processing device such as the CPU 911. Then, the ID management device 850 is authenticated.
The user terminal device 100 reads out the public key certificate of the user terminal device 100 stored in a storage device such as a memory using a processing device such as the CPU 911, encrypts it with the public key of the ID management device 850, and communicates with the communication device. 915 is used for transmission to the ID management device 850.
The ID management device 850 receives the encrypted public key certificate transmitted from the user terminal device 100 using the communication device 915, and uses the processing device such as the CPU 911 to use the private key of the ID management device 850. After decrypting, the contents are confirmed and the user terminal device 100 is authenticated.
Thereafter, the user terminal device 100 and the ID management device 850 generate a common key element used for the current communication, encrypt it with the other party's public key, and transmit it. The user terminal device 100 and the ID management device 850 decrypt the received prime of the common key with its own secret key, synthesize it with the prime of the common key generated by itself, and generate a common key used for this communication .

  In this way, the user terminal device 100 and the ID management device 850 identify each other and establish communication. Since the public key certificate of the user terminal device 100, which is information that can identify the user terminal device 100, is encrypted and transmitted with the public key of the ID management device 850, even if the service providing device 810 intercepts, the user The terminal device 100 is not specified.

  Thereafter, communication between the user terminal device 100 and the ID management device 850 is encrypted with the common key shared by this procedure. Therefore, even if the service providing apparatus 810 intercepts this, the contents cannot be known.

  Note that a general method such as the method described in “ISO / IEC 11770-3 Key Transport Mechanism 6” may be used as the authentication method / common key sharing method in the communication establishment process.

  In T22, the identification generation request transmission unit 161 of the user terminal device 100 generates identification generation request information using a processing device such as the CPU 911. The identification generation request transmission unit 161 transmits the generated identification generation request information to the ID management device 850 using the communication device 915.

  The identification generation request receiving unit 861 of the ID management device 850 receives the identification generation request information transmitted from the user terminal device 100 using the communication device 915.

The record identification generating unit 862 of the ID management device 850 randomly generates an anonymous ID using a processing device such as the CPU 911.
The record identification generation unit 862 determines whether the generated anonymous ID and the anonymous ID stored in the record identification storage unit 864 collide with each other using a processing device such as the CPU 911.
If there is a collision, the record identification generation unit 862 uses a processing device such as the CPU 911 to generate an anonymous ID again and repeats until an anonymous ID that does not collide is generated.
When there is no collision, the record identification generation unit 862 outputs the generated anonymous ID using a processing device such as the CPU 911.

The record identification storage unit 864 of the ID management device 850 inputs the anonymous ID output by the record identification generation unit 862 using a processing device such as the CPU 911.
The recording identification storage unit 864 stores the input anonymous ID in association with information (for example, real name ID) for identifying the user terminal device 100 using a storage device such as the magnetic disk device 920.

The generation identification transmission unit 863 of the ID management device 850 inputs the anonymous ID output by the recording identification generation unit 862 using a processing device such as the CPU 911.
The generation identification transmission unit 863 transmits the input anonymous ID to the user terminal device 100 using the communication device 915.

The generation identification receiving unit 163 of the user terminal device 100 receives the anonymous ID transmitted from the ID management device 850 using the communication device 915.
The generation identification receiving unit 163 outputs the received anonymous ID using a processing device such as the CPU 911.

The record identification transmission unit 164 inputs the anonymous ID output by the generation identification reception unit 163 using a processing device such as the CPU 911.
The record identification transmitting unit 164 transmits the input anonymous ID to the service providing apparatus 810 using the communication apparatus 915.

  The ID management device 850 manages all anonymous IDs. Since the anonymous ID transmitted from the user terminal device 100 to the service providing device 810 has been confirmed to have no collision, the anonymous ID is identified between the user terminal device 100 and the service providing device 810 by this. Communication established.

  As described in the eighth embodiment, the user terminal device 100 may generate an anonymous ID and determine the anonymous ID. In this case, the user terminal device 100 transmits the determined anonymous ID to the ID management device 850, and the ID management device 850 stores it.

  Communication is also established between the service providing apparatus 810 and the ID management apparatus 850 by the mutual authentication / shared key sharing procedure.

Thus, the three of the user terminal device 100, the service providing device 810, and the ID management device 850 each establish one-to-one communication. Each one-to-one communication is encrypted, and others including the remaining one cannot know the contents.
Hereinafter, in order to distinguish the common key used in each one-to-one communication, the common key between the user terminal device 100 and the service providing device 810 is “common key US”, and the user terminal device 100 and the ID management device 850 are used. A common key between the service providing apparatus 810 and the ID management apparatus 850 is referred to as a “common key IS”.

  FIG. 40 is a flowchart showing an example of a flow of information providing processing in which the history service providing system 800 according to this embodiment provides a history service.

In the anonymous ID list transmission step, the record identification transmission unit 824 of the service providing device 810 uses all the IDs included in the service usage record information group 710 stored in the usage record storage unit 823 using a processing device such as the CPU 911. Enter the number 712.
The record identification transmitting unit 824 creates a list of input ID numbers 712 using a processing device such as the CPU 911.
The record identification transmission unit 824 transmits a list of the created ID numbers 712 to the ID management device 850 using the communication device 915.
Further, the record identification transmission unit 824 transmits the anonymous ID of the user terminal device 100 together with the list of ID numbers 712 to the ID management device 850 using the communication device 915.

In the anonymous ID list receiving step, the record identification receiving unit 113 uses the communication device 915 to obtain the list of ID numbers 712 transmitted by the service providing device 810 and the anonymous ID of the user terminal device 100 in the anonymous ID list transmission process. Receive.
The record identification receiving unit 113 outputs a list of received ID numbers 712 and an anonymous ID of the user terminal device 100 using a processing device such as the CPU 911.

In the anonymous ID selection step, the record identification selection unit 152 uses a processing device such as the CPU 911 and the list of ID numbers 712 output by the record identification reception unit 113 in the anonymous ID list reception step and the anonymous ID of the user terminal device 100. Enter.
The recording identification selection unit 152 uses a processing device such as the CPU 911 to extract the ID number 712 that matches the anonymous ID stored in the recording identification storage unit 864 from the list of input ID numbers 712, and the real ID number And
The recording identification selection unit 152 uses a processing device such as the CPU 911 to determine the anonymous ID of the same user as the input anonymous ID based on the anonymous ID stored in the recording identification storage unit 864.
The record identification selection unit 152 selects all the ID numbers 712 (history identification information 614) that are the same as the determined anonymous ID from the list of input ID numbers 712 using a processing device such as the CPU 911.
The record identification selection unit 152 further selects a sufficient number of other ID numbers 712 from the extracted real ID numbers using a processing device such as the CPU 911.
The record identification selection unit 152 outputs a list of the selected ID numbers 712 using a processing device such as the CPU 911.

In the anonymous ID subset transmission step, the selection identification transmission unit 142 inputs a list of ID numbers 712 output by the recording identification selection unit 152 in the anonymous ID selection step using a processing device such as the CPU 911.
The selection identification transmission unit 142 transmits the list of the input ID numbers 712 to the service providing apparatus 810 using the communication apparatus 915.

In the anonymous ID subset receiving step, the selection identification receiving unit 825 receives the list of ID numbers 712 transmitted by the selection identification transmitting unit 142 in the anonymous ID subset transmission step using the communication device 915.
The selection identification receiving unit 825 outputs a list of received ID numbers 712 using a processing device such as the CPU 911.

In the history generation information creation step, the transmission use record generation unit 826 inputs a list of ID numbers 712 output by the selection identification reception unit 825 in the anonymous ID subset reception step using a processing device such as the CPU 911.
The transmission usage record generation unit 826 inputs service usage record information 711 stored in the usage record storage unit 823 for each input ID number 712 using a processing device such as the CPU 911.
The transmission usage record generation unit 826 generates history generation information 740 from the input service usage record information 711 using a processing device such as the CPU 911.
The transmission use record generation unit 826 outputs the generated history generation information 740 using a processing device such as the CPU 911.

In the history generation information transmission step, the usage record transmission unit 827 inputs the transmission usage record information created by the transmission usage record generation unit 826 in the history generation information creation step using a processing device such as the CPU 911.
The usage record transmission unit 827 transmits the input transmission usage record information to the ID management device 850 using the communication device 915.

In the history generation information reception step, the usage record reception unit 111 uses the communication device 915 to transmit the history generation information 740 (encrypted recording information 640) transmitted by the usage record transmission unit 827 in the history generation information transmission step. Receive.
The usage record receiving unit 111 acquires service usage record information 721 (usage record information 620) from the received transmission usage record information using a processing device such as the CPU 911.
The usage record receiving unit 111 outputs the acquired service usage record information 721 using a processing device such as the CPU 911.

In the user history generation step, the user history generation unit 871 uses the processing device such as the CPU 911 and the service usage record information 721 output by the usage record reception unit 111 in the history generation information reception step, and the record identification. The anonymous ID stored in the storage unit 864 is input.
The user history generation unit 871 calculates a user identification rate for each product based on the input service usage record information 721 using a processing device such as the CPU 911.
The user history generation unit 871 uses a processing device such as the CPU 911 to extract service usage record information 721 about the user who owns the user terminal device 100 from the input service usage record information 721. To do.
The user history generation unit 871 generates user history information including the user specification rate information indicating the calculated user specification rate and the extracted service use record information 721 using a processing device such as the CPU 911. To do.
The user history generation unit 871 outputs the generated user history information using a processing device such as the CPU 911.

In the user history transmission step, the user history transmission unit 872 inputs the user history information output by the user history generation unit 871 in the user history generation step.
The user history transmission unit 872 transmits the input user history information to the user terminal device 100 using the communication device 915.

  The user history information may be transmitted directly to the user terminal device 100 by the ID management device 850 or may be transmitted via the service providing device 810. Even in the case of transmission via the service providing apparatus 810, the user history information is encrypted with the shared key shared between the ID management apparatus 850 and the user terminal apparatus 100. The service providing apparatus 810 does not know the contents, and the service providing apparatus 810 does not alter the contents.

In the user history receiving step, the user history receiving unit 172 receives the user history information transmitted by the user history transmitting unit 872 in the user history transmitting step using the communication device 915. .
The user history receiving unit 172 outputs the received user history information using a processing device such as the CPU 911.

In the history generation information verification step, the reliability determination unit 151 inputs the user history information output from the user history reception unit 172 using a processing device such as the CPU 911.
The reliability determination unit 151 verifies whether the service usage record information 721 included in the input user history information has been tampered with using a processing device such as the CPU 911.
When the reliability determination unit 151 determines that the service usage record information 721 has not been tampered with, the history generation process is executed.

In the history generation step, the anonymous history determination unit 130 inputs the user history information output by the user history reception unit 172 using a processing device such as the CPU 911.
Anonymity history discriminating unit 130 uses a processing device such as CPU 911 to obtain the user identification rate indicated by the user identification rate information included in the input user history information and the threshold value indicated by the user identification rate setting information. In comparison, the anonymity of the information about the product is determined.
The anonymity history determination unit 130 generates anonymity history information 630 from information about a product determined to have high anonymity using a processing device such as the CPU 911.
The anonymous history discriminating unit 130 outputs the generated anonymous history information 630 using a processing device such as the CPU 911.

  Since the following processing flow is the same as that described in the eighth embodiment, a description thereof will be omitted.

  Of the information included in the history generation information 740 generated by the service providing apparatus 810, the service usage record information 721 for the user is used to verify whether the history generation information 740 is reliable, The service usage record information 721 for other users is used to calculate the user identification rate and determine anonymity.

In the history service providing system 800 in this embodiment, since the ID management device 850 calculates the user identification rate, the user terminal device 100 does not need to process the service usage record information 721 for other users. .
On the other hand, since the ID management device 850 does not store the service usage record information 711, the reliability cannot be verified.
Therefore, the ID management device 850 transmits only the service usage record information 721 for the user to the user terminal device 100, and the user terminal device 100 verifies the reliability.

  FIG. 41 is a diagram showing an example of history generation information 740 generated by the transmission usage record generation unit 826 and user history information 780 generated by the user history generation unit 871 in this embodiment.

The history generation information 740 includes a service type information group 771 and a service information group 741.
The service type information group 771 includes one or more encrypted service type information 772.
As for the encrypted service type information 772, the transmission usage record generating unit 826 uses a processing device such as the CPU 911 to send information indicating the type of service (product code in this example), the user terminal device 100, and the service providing device. This is information generated by encrypting with the common key US used for the current communication with 810.
The service type information group 771 is generated by the transmission usage record generation unit 826 using the processing device such as the CPU 911 to arrange the encrypted service type information 772 in a random order.
As a result, the ID management device 850 cannot know the type of service used from the history generation information 740.

The service information group 741 includes one or more service record information 742.
The service record information 742 is information corresponding to the service use record information 711 recorded by the use record storage unit 823. The service record information 742 is service use record information 711 identified by the ID number 712 included in the list of ID numbers 712 received by the selection identification receiving unit 825 in the service use record information group 710 stored in the use record storage unit 823. Is generated by the transmission usage record generation unit 826.
The service record information 742 includes an ID number 743 and an individual service information group 746.
The ID number 743 is the ID number 712 of the original service usage record information 711.
The individual service information group 746 is information generated from the service usage record 714 of the original service usage record information 711.
The individual service information group 746 includes one or more individual service information 747.
The individual service information 747 is information (in this example, the number of purchases) indicating the contents of the used service.
In the individual service information group 746, the transmission usage record generating unit 826 generates the individual service information 747 in the same order as the encrypted service type information 772 in the service type information group 771 using a processing device such as the CPU 911.
Thereby, the ID management apparatus 850 can know which individual service information 747 corresponds to which encrypted service type information 772.

  The history record generation information 740 generated by the transmission usage record generation unit 826 is transmitted by the usage record transmission unit 827 to the ID management device 850 and received by the usage record reception unit 111 of the ID management device 850. The usage record reception unit 111 outputs the received history generation information 740 and the user history generation unit 871 inputs the information.

The user history generation unit 871 inputs the anonymous ID stored in the record identification storage unit 864 using a processing device such as the CPU 911.
The user history generation unit 871 uses a processing device such as the CPU 911 to determine the anonymous ID of the user of the user terminal device 100 from the input anonymous ID, and obtains the ID number 743 that matches the determined anonymous ID. The service record information 742 is extracted from the input service record information 742.
In this example, the user history generation unit 871 extracts the service record information 742 of “ID3” and “ID5”.

The user history generation unit 871 uses a processing device such as the CPU 911, and based on the extracted service record information 742, products for which the purchase numbers indicated by the individual service information 747 are all “0” (never purchased) Product). The user history generation unit 871 uses a processing device such as the CPU 911 to calculate a user identification rate for products other than the determined product (has been purchased).
In this example, the user history generation unit 871 calculates a user identification rate for products other than the third product.

The user history information 780 generated by the user history generation unit 871 includes a service type information group 771, a service information group 741, and a user identification rate information group 781.
The service type information group 771 is a service type information group 771 included in the history generation information 740 generated by the transmission use record generation unit 826, and the user history generation unit 871 determines that the product has not been purchased. It is generated excluding the encryption service information.
The service information group 741 includes the service record information 742 of the service information group 741 included in the history generation information 740 generated by the transmission usage record generation unit 826. Only the service record information 742 is extracted, and further, the service record information 742 is generated by excluding the individual service information 747 for the product determined to have not been purchased.
The user identification rate information group 781 encrypts the user identification rate information 782 indicating the user identification rate calculated by the user history generation unit 871, and the user history generation unit 871 encrypts the service identification information group 771. They are generated in the same order as the service type information 772.

In this example, the user identification rate of the information “has purchased the product” is calculated, but the user identification rate of information including the number of purchases may be calculated.
Moreover, you may calculate the frequency | count of use instead of a user specific rate.

  The user history information 780 generated by the user history generation unit 871 is transmitted to the user terminal device 100 by the user history transmission unit 872, and the user history reception unit 172 of the user terminal device 100 is transmitted. Receive.

Using a processing device such as the CPU 911, the user history receiving unit 172 decrypts the service type information group 771 of the user history information 780 with the common key US, and acquires the product code.
The user history receiving unit 172 outputs the user history information 780 including the decrypted product code using a processing device such as the CPU 911.

The reliability determination unit 151 inputs the user history information 780 output from the user history reception unit 172 and the service usage record information 711 stored in the usage history storage unit 121 using a processing device such as the CPU 911. To do.
Using the processing device such as the CPU 911, the reliability determination unit 151 compares the service content used by the user history information 780 with the service content used by the service usage record information 711, and whether or not they match. Determine whether.
When it is determined that they match, the reliability determination unit 151 determines that the history generation information 740 received by the ID management device 850 is reliable.
When it is determined that they do not match, the reliability determination unit 151 determines that the history generation information 740 received by the ID management device 850 is not reliable.

When the reliability determination unit 151 determines that the history generation information 740 is reliable, the anonymous history determination unit 130 uses the processing device such as the CPU 911 to output the user history information output by the user history reception unit 172. Enter 780.
Anonymity history discriminating unit 130 uses a processing device such as CPU 911 and anonymity of information indicating that the corresponding product has been purchased based on the user identification rate indicated by input user history information 780. Judging.
The anonymous history discriminating unit 130 generates and outputs anonymous history information 630 from information determined to have high anonymity.

Thus, since the user terminal device 100 determines the anonymity of information based on the user identification rate calculated by the ID management device 850, the processing capability of the processing device such as the CPU 911 and the communication capability of the communication device 915 Even if is low, the anonymity of information can be accurately determined.
The user terminal device 100 is, for example, a mobile phone, and the ID management device 850 is, for example, a server device. This is because the communication capability of the device 915 is high and the user identification rate can be calculated based on more service usage records.

  Since the anonymous history information 630 generated from the information that the user terminal device 100 has determined to have high anonymity is transmitted to the service providing device 810 and the history service is used, the service providing device 810 identifies the user. Can not do it.

On the other hand, the ID management device 850 can identify the user and grasps the connection of the service usage record information 711 of the user.
However, the ID management device 850 knows the connection between the ID numbers 712 of the service use record information 711, but does not know the contents of the service use record information 711, so the entire contents of the service contents used by the user are The ID management device 850 does not know.

  The ID management device 850 obtains a part of the contents of the service usage record information 711 (in this example, the number of purchases) in order to calculate the user identification rate, but the product code corresponding thereto cannot be decrypted. I don't know what they bought "what".

  Thus, the specific contents of the service usage record are stored in the service providing apparatus 810, and only the connection of the service usage record is stored in the ID management apparatus 850, so that the information is distributed. Even if the information stored in the ID management device 850 is leaked, it is impossible to know what service the user has used only by the information, and the personal information of the user can be protected.

  According to the history service providing system 800 in this embodiment, even when the processing capability of the processing device such as the CPU 911 and the communication capability of the communication device 915 included in the user terminal device 100 are low, the ID management device 850 has the user identification rate. Therefore, it is possible to accurately determine the anonymity of the information, and it is possible to make it difficult for the service providing apparatus 810 to identify the user.

In this example, the ID management device 850 calculates the user identification rate. However, a user identification rate calculation device is provided separately from the ID management device 850, and the user identification rate calculation device calculates the user identification rate. It is good also as a structure to calculate.
Further, the anonymous ID management may be performed by the user terminal device 100 without the ID management device 850, and the user identification rate calculation device may perform only the process of substituting the calculation of the user identification rate. .

  According to the history service providing system 800 in this embodiment, the ID type management apparatus 850 is configured to encrypt the service type (product code in this example) so that the ID management apparatus 850 cannot know the service type. Since the entire usage record cannot be grasped, the personal information of the user can be protected even if information is leaked.

Further, the history service providing system 800 in this embodiment prevents the service providing apparatus 810 from deceiving the user terminal device 100 using the lie history generation information 740 and collecting information that can identify the user. The ID management device 850 compares the history generation information 740 acquired from the service providing device 810 with the service usage record information 711 stored in the user terminal device 100, whereby the reliability of the history generation information 740 is verified. Only the service record information 742 that can be determined is extracted and transmitted to the user terminal device 100.
As a result, the user history information 780 received by the user terminal device 100 has a much smaller amount of information than the history generation information 740 received by the ID management device 850 from the service providing device 810. Even if the communication capability of the communication device 915 of the terminal device 100 is low, the reliability of the history generation information 740 can be determined.

  Further, since the service providing apparatus 810 cannot determine which service record information 742 the ID management apparatus 850 has extracted, the service providing apparatus 810 cannot identify the user. Furthermore, since the service providing apparatus 810 cannot determine which service record information 742 is used for the determination of reliability, the service providing information 742 cannot be falsified and the user terminal apparatus 100 cannot be deceived.

Furthermore, the service providing apparatus 810 may generate a fictitious anonymous ID and attempt to deceive the user terminal apparatus 100 with the fictitious service record information 742. Since there is no user terminal device 100 that can verify the fictitious anonymous ID, even if the service record information 742 having convenient contents is generated, the reliability judgment unit 150 of the user terminal device 100 generates This is because the history generation information 740 is not determined to be unreliable.
In this embodiment, the ID management device 850 is configured so that the record identification selection unit 152 from the list of ID numbers 712 received by the record identification receiving unit 113 is based on the anonymous ID stored by the record identification storage unit 864. Since the ID number for generating the history generation information 740 is selected from among the ID numbers to be extracted, a fictitious ID number is included in the list of ID numbers 712 transmitted by the service providing apparatus 810. Even in this case, the history generation information 740 includes only the service record information 742 corresponding to the existing ID number.

  Therefore, the ID management device 850 correctly calculates the user identification rate without calculating the erroneous user identification rate intended by the service providing device 810 based on the fictitious service record information 742. Thereby, the service providing apparatus 810 cannot trick the user terminal apparatus 100 by the fictitious service record information 742.

According to the history service providing system 800 in this embodiment, before a user transmits a history, information relating to the history is obtained from the store by mediating the ID management device 850 in advance, and the information is used using the information. By creating a purchase history from purchase information that is not specified by the store and transmitting the purchase history to the store, the user can use the history service anonymously with privacy protected.
Moreover, since the information amount regarding the history acquired from the store can be controlled by the ID management device 850, the optimum information amount can be adjusted according to the performance of the ID management device 850 and the user terminal device 100.
In addition, the user terminal device 100 can verify any of the information regarding the history acquired from the store, but the store cannot specify the information to be verified by the user, so the store falsifies the information to a convenient value. Can be prevented.
Further, the information that can be known by the ID management device 850 among the information on the history acquired from the store is only information on the number of products, and the product code that identifies the product is protected.
Further, even if the store relays information including an anonymous ID and a user identification rate from the ID management device 850, since the information is encrypted, the store browses the information and uses the information. Cannot be specified.
Further, communication data between the user terminal device 100 and the store service providing device 810, between the user terminal device 100 and the ID management device 850, and between the store service providing device 810 and the ID management device 850 is encrypted. , Preventing eavesdropping by third parties.

Embodiment 10 FIG.
The tenth embodiment will be described with reference to FIGS.
Since the overall configuration of the history service providing system 800 and the hardware configuration of the user terminal device 100 and the service providing device 810 in this embodiment are the same as those described in the first embodiment, description thereof is omitted here.
In addition, since the functional block configuration of the service providing apparatus 810 in this embodiment is the same as that described in the eighth embodiment, description thereof is omitted here.

FIG. 42 is a block configuration diagram illustrating an example of a functional block configuration of the user terminal device 100 according to this embodiment.
Note that blocks common to the functional blocks described in the fourth embodiment are denoted by the same reference numerals, and description thereof is omitted here.

  The user terminal device 100 further includes a usage history input unit 181, a type identification determination unit 182, and a type identification storage unit 183.

The usage history input unit 181 inputs information indicating the type and content of the service used by the user using an input device such as a keyboard 902.
Here, the type of service used by the user is, for example, a product purchased by the user this time. The content of the service used by the user is, for example, the number of products purchased by the user this time.
The usage history input unit 181 outputs information indicating the type and content of the input service using a processing device such as the CPU 911.

The type identification determination unit 182 uses a processing device such as the CPU 911 to input information indicating the type and contents of the service output from the usage history input unit 181 and the usage history information 610 output from the usage history reception unit 112. .
The type identification determination unit 182 uses a processing device such as the CPU 911 to collate the input usage history information 610 with information indicating the type and content of the input service, and the product code 611 included in the usage history information 610 It is determined to which service type the information indicating the service type (hereinafter referred to as “type identification information”) actually corresponds.
The type identification determination unit 182 uses a processing device such as the CPU 911 to output type identification information and information indicating the type of service indicated by the type identification information.

The type identification storage unit 183 uses the processing device such as the CPU 911 to input the type identification information output from the type identification determination unit 182 and information indicating the type of service indicated by the type identification information.
The type identification storage unit 183 uses a processing device such as the CPU 911 to determine whether the correspondence between the input type identification information and the type of service indicated by the type identification information is consistent with the correspondence already stored. To do.
When it is determined that there is no contradiction, the type identification storage unit 183 stores type identification information and information indicating the type of service indicated by the type identification information, using a storage device such as a memory.
If it is determined that there is a contradiction, the type identification storage unit 183 stores the type identification information and information indicating the type of service indicated by the type identification information using a storage device such as a memory, and further, the type Information indicating that the identification information is not reliable is stored.

For example, if the user has used the same service before, the type identification storage unit 183 already stores type identification information for the service type. The type identification storage unit 183 determines whether or not the type identification information output from the type identification determination unit 182 matches the type identification information already stored. If they do not match, the type identification storage unit 183 determines that there is a contradiction.
Conversely, if the type identification storage unit 183 has already stored type identification information that matches the type identification information output by the type identification determination unit 182, the type identification storage unit 183 matches the corresponding service type. Judge whether to do. If they do not match, the type identification storage unit 183 determines that there is a contradiction.

Anonymity history discriminating unit 130 can trust the type identification information based on the information stored in type identification storage unit 183 for the type identification information of the information whose anonymity is to be determined using a processing device such as CPU 911. Determine whether or not. That is, it is determined whether or not the type identification storage unit 183 stores information indicating that the type identification information is not reliable.
When it is determined that the type identification information is not reliable, the anonymous history determination unit 130 determines that the information related to the type identification information is low in anonymity using a processing device such as the CPU 911.

When the private information generated uniquely by the service providing apparatus 810 is used as the type identification information such as the product code 611, the user terminal device 100 cannot know the type identification information in advance.
Therefore, there is a possibility that the service providing apparatus 810 attempts to identify the user by performing some sort of the type identification information. For example, there is a possibility that a plurality of type identification information can be assigned to the same service and used as a clue to narrow down users.

  The user terminal device 100 according to this embodiment, when using a service, inputs information about the service actually used by the user and verifies whether the type identification information has been crafted. is there.

  FIG. 43 is a flowchart showing an example of the flow of type identification determination processing in which the user terminal device 100 according to this embodiment determines whether there is a contradiction in the type identification information.

In T <b> 31, the usage history receiving unit 112 receives the usage history information 610 transmitted from the service providing device 810 using the communication device 915.
The usage history receiving unit 112 outputs the received usage history information 610 using a processing device such as the CPU 911.

In T32, the usage history input unit 181 inputs information indicating the type and content of the service used by the user using an input device such as the keyboard 902.
For example, the usage history input unit 181 uses the display device 901 to display a message for prompting the user to input, and the user uses the content based on the operation content of the user operating the input device such as the keyboard 902. Enter information indicating the type and content of the service.
The usage history input unit 181 outputs information indicating the type and content of the input service using a processing device such as the CPU 911.

At T33, the type identification determination unit 182 inputs the usage history information 610 output from the usage history reception unit 112 at T31 using a processing device such as the CPU 911.
In addition, the type identification determination unit 182 inputs information indicating the type and content of the service output from the usage history input unit 181 in T32 using a processing device such as the CPU 911.
The type identification determination unit 182 uses a processing device such as the CPU 911 to collate the input usage history information 610 with information indicating the type and content of the input service, and the product code 611 included in the usage history information 610 The correspondence relationship between the type identification information and the service type indicated by the type identification information is determined.
The type identification determination unit 182 outputs information indicating the correspondence between the type identification information and the service type indicated by the type identification information, using a processing device such as the CPU 911.

For example, when the user purchases one product “XYZ”, the usage history input unit 181 inputs the product name “XYZ” and the purchase quantity “1”.
The usage history information 610 received by the usage history receiving unit 112 includes information indicating the product code “product A” and the number of purchases “1”.
The type identification determination unit 182 collates this information using a processing device such as the CPU 911 and determines that the product name of the product indicated by the product code “product A” is “XYZ”.
As described above, when the contents of the used services match, the type identification determination unit 182 associates the type identification information with the input service type and determines the correspondence.

When the user purchases two products “PQR” and three products “UVW”, the usage history input unit 181 displays the product name “PQR”, the product name “UVW”, and the number of items purchased. Enter.
The usage history information 610 received by the usage history receiving unit 112 includes information indicating the product code “product B” and the purchase quantity “2”, the product code “product C” and the purchase quantity “3”.
The type identification determination unit 182 uses a processing device such as the CPU 911 to collate this information, the product name of the product indicated by the product code “product B” is “PQR”, and the product indicated by the product code “product C”. Is determined to be “UVW”.
As described above, when a plurality of types of services are used in one service use, the type identification determination unit 182 determines that the corresponding service contents match and determines the correspondence.

At T34, the type identification storage unit 183 uses a processing device such as the CPU 911 to display information indicating the correspondence between the type identification information output by the type identification determination unit 182 at T33 and the service type indicated by the type identification information (hereinafter referred to as “type identification information”). "Type identification correspondence information").
The type identification storage unit 183 uses a processing device such as the CPU 911 to select a type in which either the type identification information or the service type matches the input type identification correspondence information from the type identification correspondence information already stored. Search for identification correspondence information.

As a result of the search, if no information is found that matches either the type identification information or the type identification corresponding information entered, the type identification storage unit 183 uses the processing device such as the CPU 911 to input the type identification correspondence. It is determined that there is no contradiction in the correspondence relationship indicated by the information.
As a result of the search, when information matching either the type identification information or the type identification correspondence information input is found, the type identification storage unit 183 uses the processing device such as the CPU 911 to execute the type identification information and the service. It is determined whether or not both types match.
If it is determined that there is type identification information that matches either the type identification information or the service type that is entered, but the other does not match, among the type identification information found as a result of the search, The type identification storage unit 183 uses a processing device such as the CPU 911 to determine that there is a contradiction in the correspondence.
When it is determined that all of the type identification correspondence information found as a result of the search matches the type identification correspondence information entered, the type identification storage unit 183 uses a processing device such as the CPU 911. Judge that there is no contradiction in the correspondence.
If it is determined that there is no contradiction in the correspondence relationship, the process proceeds to T35.
If it is determined that there is a contradiction in the correspondence, the process proceeds to T36.

  When information indicating that the information is not reliable is added to any of the type identification correspondence information found as a result of the search, the type identification storage unit 183 uses the processing device such as the CPU 911 and the correspondence relationship is inconsistent. It is good also as judging.

At T35, the type identification storage unit 183 stores the input type identification correspondence information using a storage device such as a memory.
Thereafter, the type identification determination process ends.

At T36, the type identification storage unit 183 uses a processing device such as the CPU 911 to add information indicating that it is unreliable to the input type identification correspondence information, and stores the information using a storage device such as a memory.
In addition, the type identification storage unit 183 uses a processing device such as the CPU 911 to add information indicating that it is unreliable to the type identification correspondence information found as a result of the search in T33, and stores a storage device such as a memory. Use and remember.
Thereafter, the type identification determination process ends.

  When the service providing apparatus 810 has some sort of work on the type identification information, the correspondence between the type identification information sent from the service providing apparatus 810 and the service type actually used by the user may not match. . Therefore, the user terminal device 100 determines whether or not the correspondence relationship always matches through the type identification determination process.

When it is found that the correspondence relationship does not match, the service providing apparatus 810 may have crafted the type identification information in some way, and thus the information including the type identification information may have low anonymity.
Therefore, when determining the anonymity of information, the anonymity history discriminating unit 130 uses the processing device such as the CPU 911 to select the information for which anonymity is to be determined from the type identification correspondence information stored in the type identification storage unit 183. The type identification correspondence information for the type identification information included is searched.
The anonymity history discriminating unit 130 uses a processing device such as the CPU 911 to determine whether there is information to which unreliable information is added in the type identification correspondence information found as a result of the search.
If there is type identification correspondence information to which information indicating that it is not reliable is added, the anonymous history determination unit 130 determines that anonymity is low using a processing device such as the CPU 911.
When there is no type identification correspondence information to which information indicating that the information is not reliable is added, the anonymous history determination unit 130 calculates the user identification rate by using a processing device such as the CPU 911, so that anonymity is obtained as usual. to decide.

The user terminal device 100 (terminal device) in this embodiment further includes:
The usage history information 610 output from the usage history receiving unit 112 is input using a processing device such as the CPU 911, and the type of service used by the user is input from the input usage history information 610 using the processing device such as the CPU 911. Type identification information is obtained, and the correspondence between the acquired type identification information and the service type actually used by the user is determined using a processing device such as the CPU 911, and the processing device such as the CPU 911 is used. A type identification determination unit 182 that outputs information indicating the determined correspondence;
Using the processing device such as the CPU 911, the information indicating the correspondence output from the type identification determining unit 182 is input as the type identification correspondence information, and from the stored type identification correspondence information using the processing device such as the CPU 911. Search for type identification correspondence information for type identification information that matches the type identification information indicated by the type identification correspondence information that has been input, and type identification correspondence information for a service type that matches the type of service indicated by the type identification correspondence information that has been input. Then, using a processing device such as the CPU 911, the correspondence relationship indicated by the retrieved type identification correspondence information is compared with the correspondence relationship indicated by the input type identification correspondence information, and whether or not there is a mismatch between the correspondence relationships. If a processing device such as the CPU 911 determines that there is no correspondence relationship, a storage device such as a memory is installed. If the input type identification correspondence information is stored and it is determined that there is a mismatch in correspondence using a processing device such as the CPU 911, information indicating that the type identification correspondence information is not reliable is added to the input type identification correspondence information. And using a storage device such as a memory, a type identification storage unit 183 that stores type identification correspondence information to which information indicating that it is not reliable is added,
The anonymous history discriminating unit 130 further
The type identification information is acquired from the input usage history information 610 using a processing device such as the CPU 911, and acquired from the type identification correspondence information stored in the type identification storage unit 183 using the processing device such as the CPU 911. The type identification correspondence information is searched for the type identification information, and using a processing device such as the CPU 911, it is determined whether or not information indicating that the type identification correspondence information is not trusted is added to the searched type identification correspondence information. When the information indicating that it is not reliable is added using the processing device, the input usage history information 610 is determined to be easily identified by the user.

  According to the user terminal device 100 in this embodiment, type identification information such as a product code included in the usage history information 610 received by the usage history receiving unit 112 and the type of service actually used by the user (for example, The type identification discriminating unit 182 discriminates the correspondence relationship with the purchased product), and the type identification storage unit 183 determines whether the correspondence relationship is consistent with the past record. In some cases, the anonymous history discriminating unit 130 determines that the anonymity of the information including the type identification information is low, so that the service providing apparatus 810 crafts the type identification information to identify the user. If an attempt is made, information including the crafted type identification information is not transmitted to the service providing apparatus 810, and the service providing apparatus 810 cannot obtain a clue for specifying the user. The effect say.

Embodiment 11 FIG.
The eleventh embodiment will be described with reference to FIGS.

FIG. 44 is a system configuration diagram showing an example of the overall configuration and hardware configuration of the history service providing system 800 in this embodiment.
In addition, the same code | symbol is attached | subjected about the part which is common in the log | history service provision system 800 demonstrated in Embodiment 1, and description is abbreviate | omitted here.
The history service providing system 800 further includes an ID signature device 880.
The ID signature device 880 is, for example, a server device owned by a reliable third party organization.
The hardware configuration of the ID signature device 880 is the same as that of the service providing device 810.
The ID signature device 880 communicates with the user terminal device 100 using the communication device 915.
The ID signature device 880 attaches a signature to the anonymous ID generated by the user terminal device 100 and ensures that it is not a fictitious anonymous ID created by the service providing device 810.

  In this embodiment, even if the ID management device 850 in the configuration of the ninth embodiment is not provided, the service providing device 810 cannot deceive the user terminal device 100 with a fictitious anonymous ID.

FIG. 45 is a block configuration diagram showing an example of the functional block configuration of the user terminal device 100 and the ID signature device 880 in this embodiment.
Note that blocks common to the functional blocks described in the fourth embodiment are denoted by the same reference numerals, and description thereof is omitted here.
Further, the functional block configuration of the service providing apparatus 810 is the same as that described in the eighth embodiment, and the description thereof is omitted here.

  The ID signature device 880 (also referred to as an identification signature device) includes a signature request reception unit 881, a signature generation unit 882, and a signature transmission unit 883.

The signature request receiving unit 881 receives the signature request information (identification signature request information) transmitted from the user terminal device 100 using the communication device 915.
The signature request information includes information desired to be signed (hereinafter referred to as “signature target information”). The user terminal device 100 transmits signature request information including an anonymous ID (or information obtained by converting the anonymous ID) as signature target information to the ID signature device 880.
The signature request receiving unit 881 uses a processing device such as the CPU 911 to acquire signature target information from the received signature request information and outputs the acquired signature target information.

The signature generation unit 882 inputs the signature target information output from the signature request reception unit 881 using a processing device such as the CPU 911.
The signature generation unit 882 generates electronic signature information by encrypting the input signature target information with the secret key of the ID signature device 880 using a processing device such as the CPU 911.
The signature generation unit 882 outputs the generated electronic signature information using a processing device such as the CPU 911.

The signature transmission unit 883 inputs the electronic signature information output from the signature generation unit 882 using a processing device such as the CPU 911.
The signature transmission unit 883 transmits the input electronic signature information to the user terminal device 100 using the communication device 915.

  The public key of the ID signature device 880 is open to the public, and the electronic signature information transmitted by the signature transmission unit 883 can be decrypted by anyone using the public key of the public ID signature device 880. By comparing the information obtained by decryption with the original signature target information, anyone can determine whether the signature target information has been tampered with.

  The user terminal device 100 further includes a recording identification generation unit 862, an identification signature request transmission unit 191, an identification signature reception unit 192, a recording identification transmission unit 164, and a signature verification unit 193.

The record identification generation unit 862 generates an anonymous ID using a processing device such as the CPU 911.
The record identification generation unit 862 outputs the generated anonymous ID using a processing device such as the CPU 911.

The identification signature request transmission unit 191 inputs the anonymous ID output by the recording identification generation unit 862 using a processing device such as the CPU 911.
The identification signature request transmission unit 191 converts the input anonymous ID using a processing device such as the CPU 911.
Using the communication device 915, the identification signature request transmission unit 191 transmits signature request information (hereinafter referred to as “identification signature request information”) including information obtained by converting the anonymous ID to the ID signature device 880.

The identification signature receiving unit 192 receives the electronic signature information transmitted from the ID signature device 880 using the communication device 915.
The identification signature receiving unit 192 converts the received electronic signature information using a processing device such as the CPU 911 to obtain electronic signature information (hereinafter referred to as “identification signature information”) for the anonymous ID.
The identification signature receiving unit 192 outputs the acquired identification signature information using a processing device such as the CPU 911.

Since the communication between the user terminal device 100 and the ID signature device 880 performs mutual authentication, the ID signature device 880 can identify the user terminal device 100.
If the user terminal device 100 transmits the anonymous ID to be signed as it is to the ID signature device 880, the correspondence between the user terminal device 100 and the anonymous ID may remain in the ID signature device 880. There is sex.
Therefore, in this embodiment, the ID signature device 880 is signed by the blind signature method.

The blind signature scheme is an electronic signature scheme in which a signature is made without notifying the signing device (in this case, the ID signature device 880) of the contents of information to be signed.
That is, information obtained by converting the information to be signed (anonymous ID) is transmitted as signature target information to the ID signature device 880 to be signed. At this time, since the ID signature device 880 does not know the conversion formula obtained by converting the information to be signed, the information desired to be signed cannot be restored, and the information desired to be signed by the ID signature device 880 is known. There is nothing.
The user terminal device 100 receives the electronic signature information signed by the ID signature device 880, and performs a reverse conversion to the conversion of the information desired to be signed. As a result, the user terminal device 100 can acquire the same information as the case where the ID signature device 880 directly signed the information desired to be signed.

The recording identification transmitting unit 164 inputs the anonymous ID output from the recording identification generating unit 862 and the identification signature information output from the identification signature receiving unit 192 using a processing device such as the CPU 911.
The recording identification transmitting unit 164 uses a processing device such as the CPU 911 to generate information (hereinafter referred to as “anonymous ID with signature”) in which the input identification signature information is added to the input anonymous ID.
The record identification transmission unit 164 transmits the generated anonymous ID with signature to the service providing apparatus 810 using the communication apparatus 915.

In subsequent processing, the anonymous ID with signature is used as the anonymous ID / ID number.
For example, the list of ID numbers 712 (anonymous IDs) received by the record identification receiving unit 113 is a list of signed anonymous IDs.

The signature verification unit 193 inputs a list of signed anonymous IDs received by the record identification reception unit 113 using a processing device such as the CPU 911.
The signature verification unit 193 verifies the signatures for all the anonymous IDs with signatures included in the list of anonymous IDs with signatures using a processing device such as the CPU 911, and determines whether the anonymous IDs are forged or falsified. .

That is, the signature verification unit 193 acquires an anonymous ID and identification signature information from the anonymous ID with signature using a processing device such as the CPU 911.
The signature verification unit 193 decrypts the acquired identification signature information with the public key of the ID signature device 880 using a processing device such as the CPU 911.
The signature verification unit 193 uses a processing device such as the CPU 911 to compare the acquired anonymous ID with the information obtained by decryption to determine whether or not they match.
If it is determined that they match, the signature verification unit 193 determines that the anonymous ID has not been forged or altered using a processing device such as the CPU 911.
If it is determined that they do not match, the signature verification unit 193 determines that the anonymous ID has been forged / tampered using a processing device such as the CPU 911.

  The signature verification unit 193 uses a processing device such as the CPU 911 to generate a list of anonymous IDs (ID numbers) determined not to be forged / tampered, and outputs the generated list of ID numbers.

  The recording identification selection unit 152 uses a processing device such as the CPU 911 to input a list of ID numbers output from the signature verification unit 193 and selects an ID number from the input ID number list.

In this embodiment, when the service providing device 810 attempts to forge the user terminal device 100 by forging a fictitious anonymous ID, it is necessary to add identification signature information to the forged anonymous ID.
However, since the service providing apparatus 810 does not know the secret key of the ID signature apparatus 880, it cannot generate identification signature information for the fabricated anonymous ID.

  Since the record identification selection unit 152 selects an ID number from among the anonymous IDs that the signature verification unit 193 verifies the signature and determines that the signature is not forged, the fictitious usage record information about the fictitious anonymous ID is obtained. It is not sent from the service providing apparatus 810, and the anonymous history determination unit 130 can correctly determine the anonymity of the information without being deceived.

FIG. 46 is a flowchart showing an example of a flow of communication establishment processing in which the history service providing system 800 in this embodiment establishes communication between the user terminal device 100 and the service providing device 810.
Note that steps common to the communication establishment process described in FIG. 31 in the eighth embodiment are denoted by the same reference numerals and description thereof is omitted.

In T41, the record identification generation unit 862 generates an anonymous ID for identifying the current service use, using a processing device such as the CPU 911.
The record identification generation unit 862 outputs the generated anonymous ID using a processing device such as the CPU 911.
The anonymous ID generated at T41 is a temporary anonymous ID because it may collide with another anonymous ID.

At T42, the record identification transmission unit 164 inputs the anonymous ID output by the record identification generation unit 862 at T41 using a processing device such as the CPU 911.
The record identification transmitting unit 164 transmits the input anonymous ID to the service providing apparatus 810 using the communication apparatus 915.
At this stage, since it is still a temporary anonymous ID, no signature is attached and only the anonymous ID is transmitted.

At T16, the service providing apparatus 810 uses the communication apparatus 915 to receive the anonymous ID transmitted by the record identification transmitting unit 164 of the user terminal apparatus 100 at T42. The service providing device 810 uses a processing device such as the CPU 911 to determine whether the received anonymous ID has collided with another anonymous ID. The service providing apparatus 810 transmits information indicating the determination result to the user terminal apparatus 100 using the communication apparatus 915.
The user terminal device 100 uses the communication device 915 to receive information indicating the determination result transmitted by the service providing device 810.
If there is a collision with another anonymous ID based on the received determination result, the process returns to T41 to generate another anonymous ID.
If there is no collision with another anonymous ID, the process proceeds to T43.

At T43, the identification signature request transmission unit 191 inputs the anonymous ID output by the recording identification generation unit 862 at T41 using a processing device such as the CPU 911.
The identification signature request transmission unit 191 uses a processing device such as the CPU 911 to convert the input anonymous ID and generate signature target information.
Using the communication device 915, the identification signature request transmission unit 191 transmits identification signature request information including the generated signature target information to the ID signature device 880.

  Prior to transmission to the ID signature device 880, the user terminal device 100 and the ID signature device 880 perform mutual authentication and establish communication encrypted with a common key. Thereby, even if a third party such as the service providing device 810 intercepts communication between the user terminal device 100 and the ID signature device, the contents cannot be known.

In T44, using the communication device 915, the identification signature receiving unit 192 receives the electronic signature information transmitted by the ID signature device 880 as a response to the identification signature request information transmitted in T43.
Using the processing device such as the CPU 911, the identification signature receiving unit 192 performs reverse conversion on the received electronic signature information, which is the reverse of the conversion of the anonymous ID by the identification signature request transmission unit 191 in T43, and the identification signature information To get.
The identification signature receiving unit 192 outputs the acquired identification signature information using a processing device such as the CPU 911.

At T45, the record identification transmitting unit 164 inputs the identification signature information output by the identification signature receiving unit 192 at T44 using a processing device such as the CPU 911.
The recording identification transmitting unit 164 adds a received identification signature information to the anonymous ID input at T42 using a processing device such as the CPU 911, and generates a signed anonymous ID.
The record identification transmission unit 164 transmits the generated anonymous ID with signature to the service providing apparatus 810 using the communication apparatus 915.
At this stage, since it has been confirmed that the anonymous ID has not collided, the signed anonymous ID is transmitted as the official anonymous ID.

  Since the anonymous ID has already been transmitted to the service providing apparatus 810, the record identification transmitting unit 164 may transmit only the identification signature information instead of the signed anonymous ID.

  FIG. 47 is a flowchart showing an example of a flow of information providing processing in which the history service providing system 800 according to this embodiment provides a history service.

In the anonymous ID list transmission step, the record identification transmission unit 824 uses all the ID numbers 712 included in the service usage record information group 710 stored in the usage record storage unit 823 using a processing device such as the CPU 911, The identification signature information for the ID number 712 is input.
The record identification transmitting unit 824 creates a list of input ID numbers 712 using a processing device such as the CPU 911. At this time, identification signature information about the ID number 712 is added to each ID number 712.
The record identification transmission unit 824 transmits a list (with a signature) of the created ID numbers 712 to the user terminal device 100 using the communication device 915.

In the anonymous ID list receiving step, the record identification receiving unit 113 uses the communication device 915 to receive the list (with signature) of the ID numbers 712 transmitted by the service providing device 810 in the anonymous ID list transmitting step.
The record identification receiving unit 113 outputs a list (with a signature) of the received ID numbers 712 using a processing device such as the CPU 911.

In the signature verification process, the signature verification unit 193 inputs a list (with a signature) of ID numbers 712 output by the record identification reception unit 113 in the anonymous ID list reception process using a processing device such as the CPU 911.
The signature verification unit 193 acquires all ID numbers 712 and identification signature information for the ID numbers 712 from the list of input ID numbers 712 (with signatures) using a processing device such as the CPU 911.
The signature verification unit 193 decrypts the acquired identification signature information with the public key of the ID signature device 880 using a processing device such as the CPU 911.
The signature verification unit 193 compares the information obtained by decryption with the acquired ID number 712 using a processing device such as the CPU 911 and determines whether or not they match.
The signature verification unit 193 uses a processing device such as the CPU 911 to generate a list of ID numbers 712 determined to match.
The signature verification unit 193 outputs a list of generated ID numbers 712 using a processing device such as the CPU 911.

In the anonymous ID selection step, the record identification selection unit 152 inputs a list of ID numbers 712 output by the signature verification unit 193 in the signature verification step using a processing device such as the CPU 911.
The record identification selection unit 152 is included in the service use record information group 710 (use history information 610) stored in the use history storage unit 121 in the list of input ID numbers 712 using a processing device such as the CPU 911. All ID numbers 712 (history identification information 614) to be selected are selected.
The recording identification selection unit 152 selects a sufficient number of other ID numbers 712 from the list of input ID numbers 712 using a processing device such as the CPU 911.
The record identification selection unit 152 outputs a list of the selected ID numbers 712 using a processing device such as the CPU 911.

  Since the processing after the anonymous ID subset transmission step and the anonymous ID subset reception step is the same as the processing described in FIG. 32 in the eighth embodiment, the description thereof is omitted here.

The user terminal device 100 (terminal device) in this embodiment further includes:
A record identification generating unit 862 that generates an anonymous ID (record identification information) using a processing device such as the CPU 911 and outputs the generated anonymous ID using a processing device such as the CPU 911;
Using a processing device such as the CPU 911, the anonymous ID output by the record identification generating unit 862 is input, and using the communication device 915, identification signature request information for requesting a signature for the input anonymous ID is input to the ID signature device 880. An identification signature request transmission unit 191 that transmits to (identification signature device);
The electronic signature information transmitted by the ID signature device 880 is received as a response to the identification signature request information transmitted by the identification signature request transmission unit 191 using the communication device 915, and the received electronic signature information is received using a processing device such as the CPU 911. An identification signature receiving unit 192 that acquires electronic signature information about the anonymous ID from the signature information, and outputs the acquired electronic signature information as identification signature information;
Using a processing device such as the CPU 911, the anonymous ID output from the record identification generating unit 862 and the identification signature information output from the identification signature receiving unit 192 are input, and the service providing device 810 (server) is used using the communication device 915. Device), a record identification transmitting unit 164 that transmits the input anonymous ID and the input identification signature information,
Using the communication device 915, a list of ID numbers 712 (record identification information) for identifying the usage record information stored in the service providing device 810 and identification signature information for the ID numbers 712 is received, and the processing of the CPU 911, etc. A record identification receiving unit 113 that outputs a list of received ID numbers 712 and identification signature information using the apparatus;
A list of ID numbers 712 output by the record identification receiving unit 113 and identification signature information are input using a processing device such as the CPU 911, and based on the input identification signature information using a processing device such as the CPU 911. It is determined whether or not the ID number 712 included in the input ID number 712 list has been modified, and a list of ID numbers 712 determined to have not been modified using a processing device such as the CPU 911 (recording identification information A signature verification unit 193 that generates a list of ID numbers 712 using a processing device such as the CPU 911,
A plurality of ID numbers 712 are selected from the list of ID numbers 712 output by the signature verification unit 193 using a processing device such as the CPU 911, and a plurality of selected ID numbers 712 are selected using the processing device such as the CPU 911. A record identification selection unit 152 that outputs
A plurality of ID numbers 712 output from the record identification selection unit 152 are input using a processing device such as the CPU 911, and the input plurality of ID numbers 712 are transmitted to the service providing device 810 using the communication device 915. And a selection identification transmission unit 142 for
The usage record receiver 111
A plurality of usage record information identified by a plurality of ID numbers 712 transmitted by the selection identification transmission unit 142 is received from the service providing apparatus 810 using the communication apparatus 915.

  According to the user terminal device 100 in this embodiment, the signature verification unit 193 verifies the electronic signature attached to the ID number 712 and determines the record identification selection unit from among the ID numbers 712 determined not to be altered. 152 selects the ID number 712 that causes the service providing apparatus 810 to transmit the usage record information, so the usage record information that is the basis for the anonymous history determination unit 130 to determine the anonymity of the information includes fictitious usage record information. Even if the service providing apparatus 810 tries to obtain a clue to identify the user by deceiving the user terminal device 100, the anonymity of the information can be correctly determined, and the user is identified in the service providing apparatus 810. The effect of not giving clues to do.

Embodiment 12 FIG.
The twelfth embodiment will be described with reference to FIGS.
FIG. 48 is a system configuration diagram showing an example of the overall configuration of the history service providing system 800 in this embodiment.
In addition, the same code | symbol is attached | subjected about the part which is common in the log | history service provision system 800 demonstrated in Embodiment 1, and description is abbreviate | omitted here.

The history service providing system 800 in this embodiment includes a service providing device 810 (server device), a plurality of ID management devices 850 (identification management devices), and a large number of user terminal devices 100 (terminal devices).
Since the hardware configurations of the service providing apparatus 810, the ID management apparatus 850, and the user terminal apparatus 100 are the same as those described in the ninth embodiment, description thereof is omitted here.

The ID management device 850 shares and manages the user's anonymous ID.
When using the service, the user terminal device 100 establishes communication with one of the ID management devices 850, issues an anonymous ID, and uses the service.
Each time the user terminal device 100 uses a service, the user ID device 850 may issue an anonymous ID, or the same ID device 850 may issue an anonymous ID.
The ID management device 850 manages the anonymous ID issued by itself.

FIG. 49 is a block configuration diagram showing an example of a functional block configuration of the ID management device 850 in this embodiment.
Note that blocks common to the functional blocks of the ID management device 850 described in FIG. 38 in Embodiment 9 are denoted by the same reference numerals, and description thereof is omitted here.
In addition, the functional block configurations of the user terminal device 100 and the service providing device 810 are the same as those described in the ninth embodiment, and thus description thereof is omitted here.

  The ID management device 850 further includes a signature generation unit 882, a signature verification unit 193, and a usage record verification unit 194.

The signature generation unit 882 inputs the anonymous ID (record identification information) output by the record identification generation unit 862 using a processing device such as the CPU 911.
The signature generation unit 882 encrypts the input anonymous ID with the secret key of the ID management device 850 using a processing device such as the CPU 911, and generates identification signature information.
The signature generation unit 882 outputs the generated identification signature information using a processing device such as the CPU 911.

The generation identification transmitting unit 863 inputs the anonymous ID output from the recording identification generation unit 862 and the recording identification information output from the signature generation unit 882 using a processing device such as the CPU 911.
Using the processing device such as the CPU 911, the generation identification transmission unit 863 adds the input record identification information to the input anonymous ID to generate a signed anonymous ID.
The generation identification transmission unit 863 transmits the generated anonymous ID with signature to the user terminal device 100 using the communication device 915.

Note that the anonymous ID generated by the ID management device 850 in this embodiment includes information indicating the ID management device 850 that generated the anonymous ID.
Therefore, there is no possibility that the anonymous ID generated by the ID management device 850 collides with the anonymous ID generated by another ID management device 850.

The record identification receiving unit 113 uses the communication device 915 to receive a list of ID numbers 712 (anonymous IDs) transmitted by the service providing device 810.
The list of ID numbers 712 received by the record identification receiving unit 113 in this embodiment includes identification signature information for each ID number 712.
The record identification receiving unit 113 outputs a list (with a signature) of the received ID numbers 712 using a processing device such as the CPU 911.

The signature verification unit 193 inputs a list (with a signature) of the ID numbers 712 output by the recording identification reception unit 113 using a processing device such as the CPU 911.
The signature verification unit 193 acquires all ID numbers 712 and identification signature information for the ID numbers 712 from the list of input ID numbers 712 (with signatures) using a processing device such as the CPU 911.
The signature verification unit 193 determines the ID management device 850 that generated the ID number 712 based on the ID number 712 using a processing device such as the CPU 911.
The signature verification unit 193 decrypts the acquired identification signature information with the public key of the identified ID management device 850 using a processing device such as the CPU 911.
The signature verification unit 193 compares the information obtained by decryption with the acquired ID number 712 using a processing device such as the CPU 911 and determines whether or not they match.
The signature verification unit 193 uses a processing device such as the CPU 911 to generate a list of ID numbers 712 determined to match.
The signature verification unit 193 outputs a list of generated ID numbers 712 using a processing device such as the CPU 911.

  Of the ID numbers 712, the self-generated ID number 712 does not verify the signature but determines whether there is a matching anonymous ID stored in the record identification storage unit 864. Thus, it may be determined whether or not to include in the list of ID numbers 712 to be output.

  The recording identification selection unit 152 uses a processing device such as the CPU 911 to input a list of ID numbers output from the signature verification unit 193 and selects an ID number from the input ID number list.

In this embodiment, since there are a plurality of ID management devices 850, the record identification storage unit 864 does not store anonymous IDs generated by other ID management devices 850.
Therefore, as described in the eleventh embodiment, a fictitious ID number is included in the list of ID numbers 712 transmitted by the service providing apparatus 810 by verifying the signature added to the ID number. Verify if there is any.

The recording identification selection unit 152 extracts an anonymous ID corresponding to the user terminal device 100 based on the anonymous ID stored in the recording identification storage unit 864 using a processing device such as the CPU 911.
The record identification selection unit 152 selects all the ID numbers 712 (history identification information 614) that are the same as the determined anonymous ID from the list of input ID numbers 712 using a processing device such as the CPU 911.
The record identification selection unit 152 further selects a sufficient number of other ID numbers 712 from the extracted real ID numbers using a processing device such as the CPU 911.
The record identification selection unit 152 outputs a list of the selected ID numbers 712 using a processing device such as the CPU 911.

The anonymous ID managed by the ID management device 850 is a part of the total anonymous ID, and the ID management device 850 knows the correspondence between the user terminal device 100 and the anonymous ID because the anonymous ID issued by itself Limited to.
Therefore, the ID number selected by the record identification selection unit 152 is an ID number (anonymous) generated by the ID management device 850 itself among the ID numbers for identifying the usage record information in which the service used by the user terminal device 100 is recorded. ID) are all included, but ID numbers generated by other ID management devices 850 may not be included.
For example, if the user terminal device 100 has had another ID management device 850 issue an anonymous ID, but this is the first time that the ID management device 850 has issued an anonymous ID, the record identification The ID number selected by the selection unit 152 does not include any ID number for identifying the usage record information that records the service used by the user terminal device 100, and the user terminal device 100 determines the reliability of the history generation information 740. It may not be possible to judge.

  However, since the service providing apparatus 810 does not know which service record information 742 of the service record information 742 included in the history generation information 740 is used for determination of reliability, the service providing apparatus 810 does not know the service record information. 742 cannot be modified.

The user terminal device 100 transmits to the ID management device 850 the ID number generated by the other ID management device 850 among the ID numbers identifying the usage record information recording the used service, and the ID The management device 850 may be instructed about the correspondence between the user terminal device 100 and the ID number, and the recording identification selection unit 152 may select the ID number 712 based on the correspondence.
Alternatively, the ID management device 850 may acquire information indicating the correspondence between the ID number generated by the other ID management device 850 and the user terminal device 100 by making an inquiry to the other ID management device 850. .

The usage record verification unit 194 receives the service usage record information 711 output from the usage record reception unit 111 using a processing device such as the CPU 911.
The usage record verification unit 194 verifies the input service usage record information 711 using a processing device such as the CPU 911 and determines whether or not the history generation information 740 received by the usage record reception unit 111 has been falsified. .
The usage record verification unit 194 outputs information indicating the determination result using a processing device such as the CPU 911.

The user history generation unit 871 inputs service usage record information 711 output by the usage record reception unit 111 and information indicating the determination result output by the usage record verification unit 194 using a processing device such as the CPU 911.
When the usage record verification unit 194 determines that the history generation information 740 received by the usage record reception unit 111 has not been tampered with, the user history generation unit 871 uses a processing device such as the CPU 911 to execute the embodiment. The user history information 780 is generated by the same operation as described in FIG.
When the usage record verification unit 194 determines that the history generation information 740 received by the usage record reception unit 111 has been tampered with, the user history generation unit 871 uses an empty usage by using a processing device such as the CPU 911. The user history information 780 is generated.
The user history generation unit 871 outputs the generated user history information 780 using a processing device such as the CPU 911.

FIG. 50 is a diagram showing an example of history generation information 740 in this embodiment.
The history generation information 740 is generated by the transmission usage record generation unit 826 of the service providing device 810, the usage record transmission unit 827 transmits it to the ID management device 850, and the usage record reception unit 111 of the ID management device 850. To receive.
Note that the same reference numerals are given to the information common to the history generation information 740 described in FIG. 34 in the eighth embodiment, and the description thereof is omitted here.

  The encrypted individual service information 745 is generated by the transmission usage record generating unit 826 of the service providing apparatus 810 from the product code (type identification information) included in the service usage record 714 and the number of purchases. Among these, the product code is encrypted with the common key US between the service providing device 810 and the user terminal device 100. Therefore, the ID management device 850 cannot know the product code of the service used by the user.

The individual service information verification information 754 includes a transmission usage record generation unit based on the ID number 712 of the original service usage record information 711, information obtained by encrypting the product code included in the service usage record 714 with the common key US, the number of purchases, and the like. A hash value 826 is generated.
Although the ID management device 850 does not know the product code, the information obtained by encrypting the product code with the common key can be acquired from the encrypted individual service information 745, so that the hash value can be calculated.

The individual service number calculation information 756 is obtained by adding the hash value (= individual service information verification information 754) and an integer multiple of the calculation numerical value 763 to the purchase number 716. The individual service number calculation information 756 is the same as that described in the eighth embodiment except that the product code from which the hash value is calculated is encrypted with the common key US.
The ID management device 850 does not know the product code, but can calculate a hash value and can acquire the calculation position 762 and the calculation numerical value 763 from the encrypted individual service information 745. Therefore, the individual service number calculation information 756 The number of purchases can be calculated from

The usage record reception unit 111 of the ID management device 850 operates in the same manner as the usage record reception unit 111 of the user terminal device 100 described in the eighth embodiment, and based on the history generation information 740, the service usage record information 711. To restore. Since the ID management device 850 cannot decrypt the product code, the ID management device 850 restores the encrypted product code as it is.
The usage record receiving unit 111 outputs the restored service usage record information 711 using a processing device such as the CPU 911.

The usage record verification unit 194 receives the service usage record information 711 output from the usage record reception unit 111 using a processing device such as the CPU 911.
The usage record verification unit 194 determines whether or not the history generation information 740 received by the usage record reception unit 111 has been falsified based on the input service usage record information 711 using a processing device such as the CPU 911. .
That is, the usage record verification unit 194 compares the information such as the number of purchases restored from the service information group 741 by the usage record reception unit 111 with the information restored from the verification information group 751 and determines whether or not they match. If it is determined that they do not match, it is determined that the history generation information 740 has been falsified.

Since the service information group 741 and the verification information group 751 are generated by the service providing apparatus 810 from the same information, the information restored from both should match.
Therefore, when the information restored from the service information group 741 and the information restored from the verification information group 751 do not match, the history generation information 740 is being transmitted from the service providing apparatus 810 to the ID management apparatus 850. There is a high possibility that it has been tampered with by a third party.
Therefore, when the information restored from the service information group 741 and the information restored from the verification information group 751 do not match, the usage record verification unit 194 determines that the history generation information 740 has been falsified.

Since the ID management device 850 does not store the service usage record information 721, if the two match, the ID management device 850 cannot verify whether the content has been tampered with.
Therefore, when the two match, the usage record verification unit 194 determines that there is no falsification for the time being, and the user history generation unit 871 generates the user history information 780.
As described in the ninth embodiment, since the user history information 780 includes service record information 742 that records the service used by the user, the user terminal device 100 receives this information. By comparing with the service usage record information 721 stored in the user terminal device 100, it is finally determined whether or not the history generation information 740 has been falsified.

FIG. 51 is a flowchart showing an example of a flow of information providing processing in which the history service providing system 800 according to this embodiment provides a history service.
Note that steps that are the same as those described in Embodiment 9 with reference to FIG. 40 are given the same names, and descriptions thereof are omitted here.

In the anonymous ID list transmission step, the record identification transmission unit 824 of the service providing device 810 uses all the IDs included in the service usage record information group 710 stored in the usage record storage unit 823 using a processing device such as the CPU 911. A number 712 and identification signature information for the ID number 712 are input.
The record identification transmission unit 824 generates a list of input ID numbers (with a signature) using a processing device such as the CPU 911.
The record identification transmission unit 824 transmits the list (with signature) of the generated ID numbers 712 and the anonymous ID of the user terminal device 100 to the ID management device 850 using the communication device 915.

In the anonymous ID list receiving step, the record identification receiving unit 113 of the ID management device 850 uses the communication device to list the ID numbers 712 (with a signature) transmitted by the service providing device 810 in the anonymous ID list transmitting step and the user. The anonymous ID of the terminal device 100 is received.
The record identification receiving unit 113 outputs a list (with a signature) of the received ID numbers 712 and the anonymous ID of the user terminal device 100 using a processing device such as the CPU 911.

In the signature verification process, the signature verification unit 193 of the ID management apparatus 850 inputs a list (with signature) of the ID numbers 712 output by the record identification reception unit 113 in the anonymous ID list reception process using a processing device such as the CPU 911. To do.
The signature verification unit 193 verifies the signatures of all ID numbers 712 included in the input ID number 712 list (with signatures) using a processing device such as the CPU 911. A list of the determined ID numbers 712 is generated.
The signature verification unit 193 outputs a list of generated ID numbers 712 using a processing device such as the CPU 911.

In the anonymous ID selection step, the record identification selection unit 152 of the ID management device 850 uses a processing device such as the CPU 911 to receive a list of ID numbers 712 output by the signature verification unit 193 in the signature verification step and an anonymous ID list reception step. The anonymous ID of the user terminal device 100 output by the record identification receiving unit 113 is input.
The recording identification selection unit 152 selects a sufficient number of ID numbers 712 from the list of input ID numbers 712 using a processing device such as the CPU 911 and outputs a list of the selected ID numbers 712.

In the anonymous ID subset transmission step, the selection identification transmission unit 142 of the ID management device 850 inputs a list of ID numbers 712 output by the recording identification selection unit 152 in the anonymous ID selection step using a processing device such as the CPU 911.
The selection identification transmission unit 142 transmits the list of the input ID numbers 712 to the service providing apparatus 810 using the communication apparatus 915.

In the anonymous ID subset receiving process, the selection identification receiving unit 825 of the service providing apparatus 810 receives the list of the ID numbers 712 transmitted by the ID management apparatus 850 in the anonymous ID subset transmitting process using the communication device 915.
The selection identification receiving unit 825 outputs a list of received ID numbers 712 using a processing device such as the CPU 911.

In the history generation information creation step, the transmission usage record generation unit 826 of the service providing device 810 uses the processing device such as the CPU 911 to store the service usage record stored in the usage record storage unit 823 based on the input ID number 712. Information 711 is input, and history generation information 740 (transmission use record information) shown in FIG. 50 is generated.
The transmission use record generation unit 826 outputs the generated history generation information 740 using a processing device such as the CPU 911.

In the history generation information transmission step, the usage record transmission unit 827 of the service providing apparatus 810 uses a processing device such as the CPU 911 to output the history generation information 740 output from the transmission usage record generation unit 826 in the history generation information generation step. Enter.
The usage record transmission unit 827 transmits the input history generation information 740 to the ID management device 850 using the communication device 915.

In the history generation information reception step, the usage record reception unit 111 of the ID management device 850 receives the history generation information 740 transmitted by the service providing device 810 in the history generation information transmission step using the communication device 915.
The usage record receiving unit 111 restores the service usage record information 711 (use record information) based on the received history generation information 740 using a processing device such as the CPU 911.
The usage record receiving unit 111 outputs the restored service usage record information 711 using a processing device such as the CPU 911.

In the user history generation step, the usage record verification unit 194 of the ID management device 850 uses the processing device such as the CPU 911 to store the service usage record information 711 output by the usage record reception unit 111 in the history generation information reception step. input.
The usage record verification unit 194 uses a processing device such as the CPU 911 to modify the history generation information 740 received by the usage record reception unit 111 in the history generation information reception step based on the input service usage record information 711. Judge whether there is.
The usage record verification unit 194 outputs information indicating the determination result using a processing device such as the CPU 911.

In the user history generation process, the user history generation unit 871 of the ID management device 850 uses the processing device such as the CPU 911 to output the service usage record information output by the usage record reception unit 111 in the history generation information reception process. 711 and information indicating the determination result output by the usage record verification unit 194 in the usage record verification process.
When the usage record verification unit 194 determines that the history generation information 740 is not falsified, the user history generation unit 871 uses a processing device such as the CPU 911 based on the input service usage record information 711. The user history information 780 is generated.
When the usage record verification unit 194 determines that the history generation information 740 is falsified, the user history generation unit 871 generates empty user history information 780 using a processing device such as the CPU 911.
The user history generation unit 871 outputs the generated user history information 780 using a processing device such as the CPU 911.

In the user history transmission step, the user history transmission unit 872 uses the processing device such as the CPU 911 to store the user history information 780 generated by the user history generation unit 871 in the user history generation step. input.
The user history transmission unit 872 transmits the input user history information 780 to the user terminal device 100 using the communication device 915.

In the user history receiving process, the user history receiving unit 172 of the user terminal device uses the communication device 915 to store the user history information 780 transmitted by the ID management apparatus 850 in the user history transmitting process. Receive.
The user history receiving unit 172 outputs the received user history information 780 using a processing device such as the CPU 911.

In the history generation information verification step, the reliability determination unit 151 inputs the user history information output from the user history reception unit 172 in the user history reception step using a processing device such as the CPU 911.
The reliability determination unit 151 determines the reliability of the history generation information 740 based on the input user history information 780 using a processing device such as the CPU 911.
When the user history information 780 input by the reliability determination unit 151 is empty, it indicates that the ID management device 850 has determined that the history generation information 740 has been tampered with. Therefore, the reliability determination unit 151 Determines that the history generation information 740 is not reliable.
In other cases, the reliability determination unit 151 determines the reliability of the history generation information 740 by the same operation as described in the ninth embodiment.

  The processing after the history generation step / history reception step is the same as that described with reference to FIG. 40 in the ninth embodiment, and thus description thereof is omitted here.

  In this way, when there are a plurality of ID management devices 850, since one ID management device 850 does not manage all of the anonymous IDs, a signature is issued when the ID management device 850 issues an anonymous ID. By attaching and verifying this, a fictitious ID can be found.

  Since the user terminal device 100 may have any of the plurality of ID management devices 850 issue an anonymous ID, the service providing device 810 is based on the ID management device 850 that has issued the anonymous ID. You can't get a clue to identify 100.

  Since the ID management device 850 verifies whether there is a contradiction between the service information group 741 and the verification information group 751 included in the history generation information 740, while being transmitted from the service providing device 810 to the ID management device 850 In addition, it can be discovered that a third party has falsified the history generation information 740.

  The user terminal device 100 generates a history by comparing the service information group 741 included in the user history information 780 generated from the history generation information 740 by the ID management device 850 with the stored service usage record information 711. Since the reliability of the service information 740 is determined, the service providing apparatus 810 cannot falsify the service usage record information 721.

1 is a system configuration diagram illustrating an example of an overall configuration of a history service providing system 800 according to Embodiment 1. FIG. FIG. 3 is a diagram illustrating an example of an appearance of a service providing apparatus 810 according to Embodiment 1. FIG. 3 is a diagram illustrating an example of hardware resources of a service providing apparatus 810 according to Embodiment 1. 2 is a hardware configuration diagram illustrating an example of a hardware configuration of a user terminal device 100 and a service providing device 810 according to Embodiment 1. FIG. FIG. 3 is a block configuration diagram showing an example of a functional block configuration of a user terminal device 100 according to the first embodiment. FIG. 6 shows an example of usage history information 610 in the first embodiment. FIG. 6 shows an example of usage record information 620 in the first embodiment. The flowchart figure which shows an example of the whole flow of the history service provision process in which the history service provision system 800 in Embodiment 1 provides a history service. The flowchart figure which shows an example of the flow of the anonymous history discrimination | determination process in which the anonymous history discrimination | determination part 130 in Embodiment 1 discriminate | determines anonymous history information. FIG. 6 is a block configuration diagram showing an example of a functional block configuration of a user terminal device 100 according to a second embodiment. The figure explaining the case where the service provision apparatus 810 transmitted the false use record information 620. The flowchart figure which shows an example of the flow of the reliability judgment process in which the reliability judgment part 151 in Embodiment 2 judges the reliability of the utilization record information 620. FIG. 14 is a diagram illustrating an example of usage history information 610 received by the usage history receiving unit 112 and stored in the usage history storage unit 121 according to the third embodiment. FIG. 14 is a diagram illustrating an example of usage record information 620 received by a usage record reception unit 111 according to the third embodiment. The flowchart figure which shows an example of the flow of the reliability judgment process in which the reliability judgment part 151 in Embodiment 3 judges the reliability of the utilization record information 620. FIG. 10 is a block configuration diagram illustrating an example of a functional block configuration of a user terminal device 100 according to a fourth embodiment. The flowchart figure which shows an example of the whole flow of the history service provision process in which the history service provision system 800 in Embodiment 4 provides a history service. The flowchart figure which shows an example of the flow of the recording identification selection process in which the recording identification selection part 152 in Embodiment 4 selects the recording identification information 624. FIG. 18 is a diagram illustrating an example of usage record information 620 received by a usage record reception unit 111 according to the fifth embodiment. FIG. 16 is a flowchart showing an example of a flow of a reliability determination process in which the reliability determination unit 151 in Embodiment 5 determines the reliability of usage record information 620. FIG. 18 is a diagram illustrating an example of usage history information 610 received by the usage history receiving unit 112 and stored in the usage history storage unit 121 according to the sixth embodiment. FIG. 20 is a diagram illustrating an example of encrypted recording information 640 received by a usage record reception unit 111 according to the sixth embodiment. FIG. 20 is a diagram illustrating another example of usage record information 620 received by the usage record reception unit 111 according to the sixth embodiment. FIG. 18 is a diagram illustrating an example of usage history information 610 received by the usage history receiving unit 112 and stored in the usage history storage unit 121 according to the seventh embodiment. FIG. 20 is a diagram illustrating an example of encrypted record information 640 and an encrypted encryption key 650 received by a usage record reception unit 111 according to the seventh embodiment. FIG. 18 is a flowchart showing an example of a flow of usage record transmission processing in which the service providing apparatus 810 in Embodiment 7 transmits encrypted record information 640. FIG. 18 is a flowchart illustrating an example of a flow of usage record reception processing in which the usage record receiving unit 111 according to the seventh embodiment receives and decrypts encrypted recording information 640. FIG. 20 is a block configuration diagram illustrating an example of a functional block configuration of a service providing apparatus 810 according to an eighth embodiment. FIG. 20 is a diagram illustrating an example of a service use record information group 710 stored in a use record storage unit 823 in the eighth embodiment. The flowchart figure which shows the flow of the whole history service provision process in which the history service provision system 800 in Embodiment 8 provides a history service. The flowchart figure which shows an example of the flow of the communication establishment process in which the historical service provision system 800 in Embodiment 8 establishes communication between the user terminal device 100 and the service provision apparatus 810. FIG. 20 is a flowchart showing an example of a flow of information providing processing in which the history service providing system 800 according to the eighth embodiment provides a history service. FIG. 20 is a diagram illustrating an example of information exchanged between a service providing device 810 and a user terminal device 100 in a history service providing system 800 according to an eighth embodiment. FIG. 20 is a diagram illustrating an example of history generation information 740 generated by a transmission usage record generation unit 826 according to Embodiment 8. The figure for demonstrating the production | generation method in which the transmission usage record production | generation part 826 in Embodiment 8 produces | generates the encryption separate service information 745, the information for individual service information verification 754, and the information 756 for individual service number calculation. FIG. 20 is a diagram illustrating an example of service usage record information 721 decrypted by the usage record reception unit 111 according to the eighth embodiment. FIG. 10 is a system configuration diagram illustrating an example of an overall configuration and a hardware configuration of a history service providing system 800 according to a ninth embodiment. The block block diagram which shows an example of a structure of the functional block of the user terminal device 100 in Embodiment 9, and the ID management apparatus 850. FIG. The flowchart figure which shows an example of the flow of the communication establishment process in which the log | history service provision system 800 in Embodiment 9 establishes communication between the user terminal device 100 and the service provision apparatus 810. FIG. 25 is a flowchart showing an example of a flow of information providing processing in which the history service providing system 800 according to the ninth embodiment provides a history service. FIG. 20 is a diagram illustrating an example of history generation information 740 generated by a transmission usage record generation unit 826 and user history information 780 generated by a user history generation unit 871 according to the ninth embodiment. FIG. 25 is a block configuration diagram showing an example of a functional block configuration of a user terminal device 100 according to the tenth embodiment. The flowchart figure which shows an example of the flow of the classification identification determination process which the user terminal device 100 in Embodiment 10 determines whether there is no contradiction in classification identification information. FIG. 20 is a system configuration diagram showing an example of the overall configuration and hardware configuration of a history service providing system 800 in an eleventh embodiment. FIG. 25 is a block configuration diagram showing an example of functional block configurations of a user terminal device 100 and an ID signature device 880 in the eleventh embodiment. The flowchart figure which shows an example of the flow of the communication establishment process in which the historical service provision system 800 in Embodiment 11 establishes communication between the user terminal device 100 and the service provision apparatus 810. The flowchart figure which shows an example of the flow of the information provision process in which the historical service provision system 800 in Embodiment 11 provides a historical service. FIG. 20 is a system configuration diagram illustrating an example of an overall configuration of a history service providing system 800 according to Embodiment 12. FIG. 25 is a block configuration diagram illustrating an example of a functional block configuration of an ID management device 850 according to Embodiment 12. 20 is a diagram illustrating an example of history generation information 740 according to Embodiment 12. FIG. The flowchart figure which shows an example of the flow of the information provision process in which the historical service provision system 800 in Embodiment 12 provides a historical service.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 100 User terminal device, 111 Usage record receiving part, 112 Usage history receiving part, 113 Record identification receiving part, 121 Usage history storage part, 130 Anonymity history discrimination | determination part, 131 Anonymity judgment part, 141 Anonymity history transmission part, 142 selection Identification transmission unit, 151 Reliability determination unit, 152 Recording identification selection unit, 161 Identification generation request transmission unit, 163 Generation identification reception unit, 164 Recording identification transmission unit, 172 User history reception unit, 181 Usage history input unit, 182 Type identification determination unit, 183 Type identification storage unit, 191 Identification signature request transmission unit, 192 Identification signature reception unit, 193 Signature verification unit, 200 Card unit, 210 UIM, 610 Usage history information, 611, 621, 631, 651 Product code 612, 622 Purchased quantity, 613 Purchase date and time, 614 History identification information, 616, 6 6 Service encryption key, 617 History encryption key, 620 Usage record information, 624, 654 Record identification information, 625 Hash value, 627 Record encryption key, 630 Anonymity history information, 640 Encryption record information, 642 Encrypted purchase quantity, 650 encryption Encryption key, 652 position, 710 service use record information group, 711, 721 service use record information, 712 ID number, 713 common key, 714, 724 service use record, 715 product code, 716 purchased quantity, 740 history generation information 741 Service information group, 742 Service record information, 743 ID number, 744 Encrypted individual service information group, 745 Encrypted individual service information, 746 Individual service information group, 747 Individual service information, 751 Verification information group, 752 For verification Information, 753 Individual service Service information verification information group, 754 individual service information verification information, 755 individual service number calculation information group, 756 individual service number calculation information, 761 verification position, 762 calculation position, 763 calculation numerical value, 771 service type Information group, 772 Encryption service type information, 780 User history information, 781 User identification rate information group, 782 User identification rate information, 800 History service provision system, 810 Service provision device, 821 Usage history generation unit, 822 Usage history transmission unit, 823 Usage record storage unit, 824 Record identification transmission unit, 825 Selection identification reception unit, 826 Transmission usage record generation unit, 827 Usage record transmission unit, 831 Anonymity history reception unit, 832 Service information storage unit, 833 service Information selection unit, 834 Service information transmission unit, 841 Secret Storage unit, 842 certificate storage unit, 850 ID management device, 861 identification generation request receiving unit, 862 recording identification generation unit, 863 generation identification transmission unit, 864 recording identification storage unit, 871 user history generation unit, 872 user History transmission unit, 880 ID signature device, 881 signature request reception unit, 882 signature generation unit, 883 signature transmission unit, 901 display device, 902 keyboard, 903 mouse, 904 FDD, 905 CDD, 906 printer device, 907 scanner device, 910 system unit, 911 CPU, 912 bus, 913 ROM, 914 RAM, 915 communication device, 920 magnetic disk device, 921 OS, 922 window system, 923 program group, 924 file group, 931 telephone, 932 facsimile machine, 940 Internet, 941 gateway, 942 LAN.

Claims (13)

A storage device for storing information;
A processing device for processing information;
A communication device that communicates with a server device that stores a plurality of usage record information in which used service content is recorded;
Of the use record information stored by the server device using the storage device, a use history storage unit that stores use record information about the service content used by a predetermined user as use history information;
A plurality of usage record information received from the server device using the communication device, and a plurality of usage record information received using the processing device;
Using the processing device, the plurality of usage record information output from the usage record receiving unit and the usage history information stored in the usage history storage unit are input, and the plurality of input information is input using the processing device. Based on the usage record information, the information on the input usage history information that is difficult to identify the predetermined user even if transmitted to the server device is determined, and the determined information is determined using the processing device. Anonymity history discriminating section for outputting as anonymous history information,
Anonymous history transmission unit that inputs the anonymous history information output by the anonymous history determination unit using the processing device and transmits the input anonymous history information to the server device using the communication device. It has a door,
The anonymous history discriminating unit discriminates the service content recorded by the usage record information for each of the plurality of input usage record information input using the processing device, and discriminates the service content using the processing device. For each service content, the number of uses of the service content is calculated, and when the calculated number of uses is greater than a predetermined number using the processing device, information about the service content is stored in the server device. A terminal device comprising an anonymity determining unit that determines that the predetermined user is difficult to be identified even if transmitted to the terminal. A storage device for storing information;
A processing device for processing information;
A communication device that communicates with a server device that stores a plurality of usage record information in which used service content is recorded;
Of the use record information stored by the server device using the storage device, a use history storage unit that stores use record information about the service content used by a predetermined user as use history information;
A plurality of usage record information received from the server device using the communication device, and a plurality of usage record information received using the processing device;
Using the processing device, the plurality of usage record information output from the usage record receiving unit and the usage history information stored in the usage history storage unit are input, and the plurality of input information is input using the processing device. Based on the usage record information, the information on the input usage history information that is difficult to identify the predetermined user even if transmitted to the server device is determined, and the determined information is determined using the processing device. Anonymity history discriminating section for outputting as anonymous history information,
Anonymous history transmission unit that inputs the anonymous history information output by the anonymous history determination unit using the processing device and transmits the input anonymous history information to the server device using the communication device. And
The usage history storage unit stores the usage history information and history identification information for identifying the usage history information using the storage device,
The usage record receiving unit receives the plurality of usage record information and the plurality of record identification information respectively identifying the plurality of usage record information using the communication device, and receives the plurality of usage record information using the processing device. Outputting a plurality of the use record information and the received plurality of record identification information;
In further,
Using the processing device, the history identification information stored in the usage history storage unit and the plurality of record identification information output by the usage record receiving unit are input, and the input of the history information is performed using the processing device. Of the usage history information stored by the usage history storage unit, the usage history information identified by the history identification information and the usage record reception unit for the history identification information that matches the input record identification information. The usage record information identified by the record identification information is input from among the usage record information output by the user, and the service content recorded by the input usage history information using the processing device and the input usage It is determined whether or not the recorded service content matches the recorded service content, and the use record is determined when it is determined that the service content matches using the processing device. A reliability determining unit which determines that the broadcast is reliable,
The said anonymous log | history discrimination | determination part outputs the said anonymous log | history information, when the said reliability judgment part judges that the said usage record information can be trusted using the said processing apparatus. A storage device for storing information;
A processing device for processing information;
A communication device that communicates with a server device that stores a plurality of usage record information in which used service content is recorded;
Of the use record information stored by the server device using the storage device, a use history storage unit that stores use record information about the service content used by a predetermined user as use history information;
A plurality of usage record information received from the server device using the communication device, and a plurality of usage record information received using the processing device;
Using the processing device, the plurality of usage record information output from the usage record receiving unit and the usage history information stored in the usage history storage unit are input, and the plurality of input information is input using the processing device. Based on the usage record information, the information on the input usage history information that is difficult to identify the predetermined user even if transmitted to the server device is determined, and the determined information is determined using the processing device. Anonymity history discriminating section for outputting as anonymous history information,
Anonymous history transmission unit that inputs the anonymous history information output by the anonymous history determination unit using the processing device and transmits the input anonymous history information to the server device using the communication device. And
The usage history storage unit stores the usage history information and history identification information for identifying the usage history information using the storage device,
The usage record receiving unit receives a plurality of hash values and a plurality of usage record information corresponding to the plurality of hash values using the communication device, and receives the plurality of received usage information using the processing device. Output the hash value and a plurality of received use record information,
In further,
Using the processing device, the history identification information stored in the usage history storage unit, the usage history information, and the plurality of hash values output from the usage record reception unit are input, and the processing device is used. The hash value is calculated based on the input history identification information and the input usage history information, and the input hash value matches the calculated hash value using the processing device. Of the usage record information output by the usage record receiver, the usage record information corresponding to the hash value is input, and using the processing device, the service content recorded by the input usage history information is input. It is determined whether or not the service content recorded by the usage record information matches, and when it is determined that the service content matches using the processing device, A reliability determining unit which determines that the recording information is reliable,
The anonymous history determination unit, using the processing device, when the reliability judging unit when the usage record information is reliable is determined, the terminal apparatus you and outputting the anonymous history information. The usage history storage unit stores the usage history information and history identification information for identifying the usage history information using the storage device,
The usage record receiving unit receives the plurality of usage record information and the plurality of record identification information respectively identifying the plurality of usage record information using the communication device, and receives the plurality of usage record information using the processing device. Outputting a plurality of the use record information and the received plurality of record identification information;
The terminal device further includes:
Using the processing device, the history identification information stored in the usage history storage unit and the plurality of record identification information output by the usage record receiving unit are input, and the input of the history information is performed using the processing device. Of the usage history information stored by the usage history storage unit, the usage history information identified by the history identification information and the usage record reception unit for the history identification information that matches the input record identification information. The usage record information identified by the record identification information is input from among the usage record information output by the user, and the service content recorded by the input usage history information using the processing device and the input usage It is determined whether or not the recorded service content matches the recorded service content, and the use record is determined when it is determined that the service content matches using the processing device. A reliability determining unit which determines that the broadcast is reliable,
The anonymous history determination unit outputs the anonymous history information when the reliability determination unit determines that the usage record information is reliable using the processing device. Terminal equipment. The terminal device further includes:
Record identification reception for receiving the list of record identification information for identifying the use record information stored in the server device using the communication device, and outputting the list of the received record identification information for the processing device. And
Using the processing device, select a plurality of recording identification information from the list of recording identification information output by the recording identification receiving unit, and use the processing device to select the plurality of recording identification information selected. A record identification selection unit to output;
The plurality of record identification information output from the record identification selection unit is input using the processing device, and the plurality of input record identification information is transmitted to the server device using the communication device. and a selection identifying transmitting unit,
The usage record receiving unit receives the plurality of usage record information identified by the plurality of record identification information transmitted by the selection identification transmission unit from the server device using the communication device. The terminal device according to claim 2 or 4 .   The record identification selection unit further inputs the history identification information stored in the usage history storage unit using the processing device, and uses the processing device to match the record identification information input. 6. The terminal device according to claim 5, wherein identification information is selected, and the record identification information that does not match the input history identification information is selected at random using the processing device. The usage history storage unit stores the usage history information and history identification information for identifying the usage history information using the storage device,
The usage record receiving unit receives a plurality of hash values and a plurality of usage record information corresponding to the plurality of hash values using the communication device, and receives the plurality of received usage information using the processing device. Output the hash value and a plurality of received use record information,
The terminal device further includes:
Using the processing device, the history identification information stored in the usage history storage unit, the usage history information, and the plurality of hash values output from the usage record reception unit are input, and the processing device is used. The hash value is calculated based on the input history identification information and the input usage history information, and the input hash value matches the calculated hash value using the processing device. Of the usage record information output by the usage record receiver, the usage record information corresponding to the hash value is input, and using the processing device, the service content recorded by the input usage history information is input. It is determined whether or not the service content recorded by the usage record information matches, and when it is determined that the service content matches using the processing device, A reliability determining unit which determines that the recording information is reliable,
The anonymous history determination unit outputs the anonymous history information when the reliability determination unit determines that the usage record information is reliable using the processing device. Terminal equipment. The terminal device further includes:
When the predetermined user uses the service content using the communication device, the server records the usage record information recording the service content used and the encryption key corresponding to the type of the service content. And using the processing device, the received usage record information is output as usage history information, and the received encryption key is output as a service encryption key.
The usage history storage unit inputs the usage history information and the service encryption key output from the usage history reception unit using the processing device, and the input usage history information and the service encryption key. Memorize the service encryption key,
The usage record receiving unit uses the communication device to encrypt a plurality of the usage record information from the server device with different encryption keys for each type of service content recorded by the usage record information. Receive encrypted record information, input the service encryption key stored in the usage history storage unit using the processing device, and input the plurality of received encrypted record information using the processing device. decodes respectively the service cryptographic key, acquires a plurality of said usage records information, using the processing device, according to claim 1 to claim and outputs the acquired plurality of said usage records information The terminal device according to any one of 7 . The terminal device further includes:
When the predetermined user uses the service content using the communication device, the server device uses the usage record information recording the used service content and the encryption key corresponding to the usage record information. Receiving and using the processing device, outputting the received usage record information as usage history information, and having a usage history receiving unit that outputs the received encryption key as a history encryption key,
The usage history storage unit inputs the usage history information and the history encryption key output from the usage history reception unit using the processing device, and uses the storage device to input the usage history information and Memorize the above history encryption key,
The usage record receiving unit uses the communication device to encrypt a plurality of usage record information from the server device with different service encryption keys for each type of service content recorded by the usage record information. And a plurality of encrypted encryption keys obtained by encrypting the service encryption key corresponding to the type of service content recorded by the usage record information with the encryption key corresponding to the usage record information. The history encryption key stored in the usage history storage unit is input using the processing device, and at least one of the received plurality of encrypted encryption keys is input using the processing device. The service encryption key is obtained by decrypting with the history encryption key, and the received plurality of pieces of encrypted record information are obtained with the obtained service encryption key using the processing device. Decoding to acquire a plurality of said usage record information, by using the processing device, according to any one of claims 1 to 7 and outputs the acquired plurality of said usage records information Terminal device. Provided by the server device is a terminal device having a storage device that stores information, a processing device that processes information, and a communication device that communicates with a server device that stores a plurality of usage record information in which used service content is recorded. In the history service usage method that uses the history service,
A usage history storage step in which the storage device stores usage record information about the service content used by a predetermined user among the usage record information stored by the server device as usage history information;
The communication device receives a plurality of the usage record information from the server device, and the processing device outputs a plurality of the received usage record information;
The processing device inputs the plurality of usage record information output by the processing device in the usage record receiving step and the usage history information stored in the storage device in the usage history storage step. Based on the plurality of input usage record information, the information that is difficult to identify the predetermined user even if transmitted to the server device among the input usage history information is determined, and the processing device determines Anonymous history determination step for outputting the above information as anonymous history information,
Anonymous history transmission step in which the processing device inputs the anonymous history information output by the processing device in the anonymous history determination step, and the communication device transmits the input anonymous history information to the server device. And
In the anonymous history determination step, the processing device determines the service content recorded by the usage record information for each of the plurality of usage record information input, and the processing device determines each of the determined service contents. The number of times of use of the service content is calculated, and the processing device transmits the information about the service content to the server device when the calculated number of uses is greater than a predetermined number of times. A history service utilization method comprising an anonymity determination step of determining that a predetermined user is difficult to be identified . A storage device for storing information, and a processor for processing information, a computer having a communication device communicating with the server apparatus for storing a plurality of usage records information recorded services utilizing, claims 1 to 9 A history service use program that causes the terminal device to function as described in any of the above. A storage device for storing information;
A processing device for processing information;
A communication device that communicates with a plurality of terminal devices that store usage history information in which used service content is recorded;
A use record storage unit for storing a plurality of use record information storing the used service content and record identification information for identifying the use record information using the storage device;
The record identification information stored in the usage record storage unit is input using the processing device, the list of the record identification information input is generated using the processing device, and the list is input using the communication device. A record identification transmitter for transmitting the generated list of record identification information to the terminal device;
Using the communication device, the terminal device receives a plurality of record identification information selected by the terminal device from the list of record identification information transmitted by the record identification transmitter, and uses the processing device. A selection identification receiving unit for outputting the received record identification information;
Using the processing device, the plurality of record identification information output by the selection identification receiving unit is input, and using the processing device, the plurality of use record information identified by the plurality of input record identification information. And using the processing device to generate transmission usage record information to be transmitted to the terminal device based on the plurality of input usage record information, and using the processing device to generate the transmission A transmission usage record generator for outputting usage record information;
Use of the processing device to input the transmission usage record information output from the transmission usage record generation unit, and to transmit the input transmission usage record information to the terminal device using the communication device A recording transmission unit;
By using the communication device, information about the services that the terminal device generated by the terminal device is used under the above-described terminal device the transmission usage record information use history information and the usage log transmission unit which stores sent An anonymous history receiving unit that outputs the received information as anonymous history information using the processing device,
A service information storage unit for storing service information to be provided to the terminal device using the storage device;
Using the processing device, the anonymous history information output by the anonymous history receiving unit is input, and using the processing device, the input anonymous history information from the service information stored in the service information storage unit. A service information selection unit that selects information useful for the terminal device and outputs the selected service information using the processing device;
The server apparatus characterized by having. A history service providing system comprising the terminal device according to claim 1 .

Images