JP6298583B2 - Personal information protection method, electronic device, and computer program - Google Patents

Description

  The present invention relates to a technology for protecting personal information provided to a cyber space.

  In recent years, users have been offered various services from the cloud. For example, Amazon (Registered Trademark) Co., Ltd. has started a service that allows users to purchase goods by simply speaking with a combination of a voice recognition and response device called Echo and a drone technology as logistics. There are also services that provide relevant advertisements by guessing the user's preferences from the contents of visited sites and emails according to the use of a specific Web browser or Web mail service. Furthermore, points can be earned by purchasing products using point cards at various stores.

  In order to use cloud services, users need to provide personal information to cyberspace. Personal information is stored in cyberspace in various states, and scattered pieces of personal information are combined to create property value that can be diverted, resold, or stolen without the user being aware of it. Have danger. For example, there is a collection of personal information by a third party in the background in which an advertisement for an article related to purchasing a specific article is displayed on a Web browser or sent by Web mail.

  Patent Document 1 enables a user to make a transaction on a network without disclosing his / her personal information for each transaction to a dealer who is the counterpart, and the dealer does not need the user's personal information. Disclose an electronic commerce system for secure and secure transactions. The system uses a transaction mediation server that is interposed between the user device and the store device. Patent Document 2 discloses a method for anonymizing personal information in an online service. This document describes that the company information is anonymized by an initial ID for anonymizing personal information by a company, a login ID for anonymizing personal information related to counseling, and an ID management server of an ID manager.

JP 2002-117264 A JP 2004-334433 A

  The use of cyberspace services comes at the price of the risk of information leakage due to the provision of personal information. It is convenient for users to protect personal information if the personal information provided to the cyber space can be limited to the minimum range necessary for the service. Generally, the less personal information that is provided, the lower the quality of the service it receives. Therefore, it is necessary to protect personal information while minimizing service degradation. It would also be more convenient if the user could harmonize the quality of service he received with the degree of personal information protection. In addition, it is desirable that protection of personal information can be realized without the user being aware of it. An object of the present invention is to solve such a problem.

  The present invention relates to protection of personal information provided to a cyber space by a client. Providing authentic personal information to cyberspace. Furthermore, pseudo personal information related to genuine personal information is generated and provided to cyberspace. In addition, it receives a response to authentic personal information from cyberspace. In one example, when the authentic personal information and pseudo personal information are provided by the character input support service, the authentic personal information can be an input character string input by the user to the client.

  At this time, the pseudo personal information can be a plurality of pseudo character strings generated by changing a part of the input character string. At this time, the pseudo character string can be generated by replacing a word extracted from the input character string with a word of the same concept. At this time, the word can be extracted from words belonging to a class for which the user has set a concealment level in advance.

  In another example, when the authentic personal information and pseudo personal information are provided by the voice input support service, the authentic personal information can be voice text input by the user to the client. At this time, the pseudo personal information can be a synthesized voice obtained by reading a text. Furthermore, it is possible to provide the voice input support service with a synthesized voice in which text is read out with a different sound quality for each user conversation. In yet another example, when the Web site is a destination for providing genuine personal information and pseudo personal information, the authentic personal information can be used as data indicating a user's selection operation for an object on the Web site. At this time, the pseudo personal information can be data indicating a selection operation for an object that the user of the website does not select.

  According to the present invention, one or more of the following effects could be achieved. According to the present invention, personal information can be protected while providing genuine personal information to cyberspace. According to the present invention, personal information can be protected while using a cyberspace service. According to the present invention, the quality of service received by the user and the degree of protection of personal information can be harmonized. According to the present invention, personal information can be protected without making the user aware of it.

It is a figure for demonstrating an example of the execution environment 10 of this invention. 3 is a schematic functional block diagram showing a configuration of an avatar 200 for protecting personal information provided to a character input support server 21. FIG. It is a figure for demonstrating a mode when the avatar 200 processes the input character string 151. FIG. It is a figure for demonstrating an example of the data structure of the class table 107a. 4 is a flowchart for explaining an operation of an avatar 200. It is a figure for demonstrating notionally how a pseudo character string 161-167 dilutes the personal information which the input character string 151 contains. 3 is a schematic functional block diagram showing a configuration of an avatar 300 for protecting personal information provided to a voice input support server 31. FIG. 5 is a flowchart for explaining an operation of an avatar 300. 3 is a functional block diagram for explaining a configuration of an avatar 500 for protecting personal information provided to a Web server 41. FIG. 5 is a flowchart for explaining an operation of an avatar 500.

[personal information]
First, personal information will be described. Personal identifiable information refers to information useful for identifying a person as a social or physical entity. The personal identification information includes, for example, biometric information such as a facial photograph, fingerprint, and voiceprint, information associated with an information terminal dedicated to the user, such as an IP address, a MAC address, a service account, and a user agent, and This can include information such as address, name, date of birth, telephone number, and surrounding information useful for identifying a person such as an email address. As for the personal identification information, the greater the amount of information, the higher the accuracy of identification.

  Privacy information includes personal information such as hobbies and preferences, information about security such as current place of stay, bank, account number, password, and surrounding information such as family structure, living environment, and affiliated organizations. Any information that you do not want others to know. There is information about individuals that falls into both categories of personal identification information and privacy information. Information related to individuals has a property value and must be protected when personally identifiable information and privacy information are combined. In this specification, information obtained by combining personal identification information and privacy information is referred to as personal information.

  Users who access cyberspace usually provide some personal information, even when they are unconscious. Reducing the amount of personal information provided to cyberspace is beneficial for protecting personal information. However, since the more personal information to be provided, the more useful service can be received from cyberspace, the user provides corresponding personal information to cyberspace while keeping in mind the risks. In addition, a plurality of pieces of personal information remaining in various places in the cyber space may be combined by a third party in a legitimate or illegal manner.

  This means that personal information cannot be adequately protected by reducing the amount of information provided to cyberspace. Considering that personal information is a combination of personal identification information and privacy information, a method of weakening the connection between the personal identification information provided to the cyber space and the privacy information can be considered. For example, when it is necessary to provide personal identification information such as an address or name in order to purchase a product by electronic transaction, it is effective to prevent the third party from acquiring privacy information at the same time.

  Reducing privacy information is one way to prevent it from being acquired, but here we note that only accurate privacy information combined with accurate personal identification information is worth protecting. The authentic privacy information generated by the user can be concealed with pseudo privacy information provided to the cyber space at the same time. Even if there is genuine privacy information associated with genuine personal identification information in cyberspace, at the same time pseudo privacy information associated with the same genuine personal identification information remains, the genuine privacy information is diluted. It becomes. Similarly, the personal identification information can be diluted with pseudo information.

[Execution environment]
FIG. 1 is a diagram for explaining an example of an execution environment 10 according to the present invention. The plurality of clients 11 are information terminal devices that can access the cyber space 15 including the Internet, such as a laptop personal computer, a desktop personal computer, a smartphone, or a tablet terminal. The avatar 100 relays the client 11 and the cyber space 15 to protect the user's personal information. When each client 11 is owned by a specific user, the IP address and MAC address of the client 11 are personal identification information.

  As an example, the avatar 100 can be provided outside the client 11 so as to protect personal information of the plurality of clients 11. The avatar 100 in this case can be a server that is securely connected to the client 11 via an intranet or VPN (Virtual Private Network). In another example, the avatar 100 can be configured by software and installed in each client 11. If the avatar 100 is built inside the client 11, the user can be most relieved in protecting personal information.

  Software provided in the client 11 may be stored in a storage device of the client 11 or may be downloaded through a network at the time of execution. The avatar 100 provides the user's authentic personal information to the cyber space 15 so that the user can enjoy the service, while hiding the authentic personal information with pseudo personal information. The avatar 100 is a reliable entity that has no fear of leaking personal information to the client 11.

  The data base server 13 stores a dictionary such as a thesaurus in which words are hierarchized and classified according to semantic concepts. The data base server 13 is a reliable entity that has no fear of leaking personal information to the client 11. The data base server 13 may be mounted on the client 11. As an example, the cyber space 15 includes a character input support server 21, a voice input support server 31, and a Web server 41 that are accessed by the client 11 providing personal information.

[Apply to character input support server]
The protection of personal information when the client 11 uses the character input support server 21 will be described. The character input support server 21 performs a predictive conversion service such as Japanese IME (Input Method Editor) of Windows (registered trademark) 10 in a cloud environment. The character input support server 21 predicts a longer character string to be input by the user including the subsequent character string from several preceding input characters (input character strings) received from the client 11 and predictive conversion candidates. Reply.

  Now, a case where the client 11 creates a mail or searches a Web site without going through the avatar 200 will be described. The character string input by the client 11 is sent to the character input support server 21. The character input support server 21 accumulates past history in order to search for an appropriate prediction conversion candidate for each user. Normally, a company that operates the character input support server 21 promises not to disclose personal information. However, if a history of input character strings remains in the character input support server 21, there is a risk of leakage of personal information.

  As the accuracy of learning of the character input support server 21 increases, the user can receive an intended accurate character string as a predictive conversion candidate only by inputting a part of the character string. For example, while using the service of the character input support server 21, a character string “My child likes apples and oranges” is entered, and a sentence “My child likes apples and oranges” is entered. Once created, just enter “I am” and the same answer will be returned as a candidate for conversion.

  Since the character input support server 21 learns and stores the input history for each user, even if the same input character string is received, a prediction conversion candidate suitable for each user can be returned. As the learning of the character input support server 21 progresses, the convenience for the user increases. However, the privacy information related to the user's hobbies and preferences and the personal identification information are accumulated.

  FIG. 2 is a schematic functional block diagram showing a configuration of an avatar 200 that is an example of the avatar 100. FIG. 3 is a diagram for explaining a situation when the avatar 200 processes the input character string 151. The avatar 200 is located between the client 11 and the cyber space 15. The avatar 200 can also be realized by software installed in the client 11. The input / output unit 101 includes an interface that connects to the client and the cyberspace 15 in a wired or wireless manner.

  When the avatar 100 is mounted on the client 11, the input / output unit 101 can use the network interface of the client 11. In the avatar 100 provided outside, the input / output unit 101 includes software for receiving the service of the character input support server 21. The input / output unit 101 extracts the input character string 151 included in the packet received from the client 11. The input / output unit 101 generates its own packet including the extracted input character string 151 and outputs it to the character input support server 21.

The input / output unit 101 further passes the input character string 151 to the hidden word extraction unit 105. In one example, the hidden word extraction unit 105 extracts a hidden word from the input character string 151 with reference to the class setting unit 107. The concealment word corresponds to a word that may constitute personal information. The class setting unit 107 includes a class table 107a that defines a concealment class for the user to set a concealment level of personal information.

  FIG. 4 shows an example of the data structure of the class table 107a. The class table 107a defines a hidden class in which personal information is hierarchized for each user ID. The concealment class corresponds to a group of personal information that is conceptually similar. The user can set the concealment level by selecting one of levels 1 to 3 set in advance by the avatar 200 or by selecting for each concealment class.

  The hidden word extraction unit 105 recognizes words belonging to the hidden class set at the hidden level as hidden words. In the class table 107a, the higher the concealment level, the more concealment words are extracted from the input character string 151. The hidden word extraction unit 105 generates an input character string 153 in which the control code SEQ is added to the hidden word and transfers it to the pseudo word acquisition unit 107.

  The pseudo word acquisition unit 107 acquires a pseudo word for replacing the concealment word specified by the control code SEQ from the data base server 13 and transfers it to each proxy processing unit 121 together with the input character string 153. The proxy processing unit 121 includes four proxy processing units 121a to 121d as an example, but the number of proxy processing units 121 is not particularly limited. Each of the proxy processing units 121a to 121d converts the pseudo character strings 161 to 167 generated by inserting the pseudo word received from the pseudo word acquiring unit 107 into the control code SEQ of the input character string 153, and the input / output unit 101 To the character input support server 21.

  FIG. 5 is a flowchart for explaining the operation of the avatar 200. In block 201, the client 11 executes software that uses the character input support server 21. A user inputs a character string to the client 11 for e-mail, creation of a document, search of a Web site, and the like. The input character string 151 is composed of a plurality of characters in units of words, phrases, or sentences. Here, a case where the user inputs the input character string 151 of the sentence “My child likes apples and mandarin oranges” and presses the conversion key will be described as an example. The conversion key may be pressed in units of words or phrases, but can be processed in a similar procedure.

  As an example, the packet of the input character string 151 output by the client 11 is sent to the avatar 200 together with personal identification information such as the IP address, MAC address, and user agent of the client 11 every time the user presses the conversion key. In block 203, the input / output unit 101 receives the packet of the input character string 151 and passes the input character string 151 to the hidden word extraction unit 105. At this time, the input / output unit 101 stores the transmission source IP address and the MAC address of the client 11.

  In block 205, in one example, the input / output unit 101 generates its own packet including the input character string 151 and outputs the packet to the character input support server 21. The input / output unit 101 deletes the personal identification information such as the IP address, MAC address, and user agent of the client 11 from the packet to be transmitted. Further, when the packet received from the client 11 includes the identifier and position information of the client 11 received by the client 11 from the character input support server 21, these are also deleted from the packet to be transmitted.

  At this point, since the avatar 200 takes the place of the client 11, the personal identification information of the client 11 cannot be seen from the character input support server 21. However, the input character string is sent to the character input support server 21 as authentic personal information of the user. In block 207, the character input support server 21 returns a predictive conversion candidate for the input character string 151 in a packet destined for the avatar 200. The avatar 200 includes the payload of the received packet in its own packet and sends it to the client 11.

  In block 209, the hidden word extraction unit 105 extracts a hidden word candidate from the input character string 151. In one example, the hidden word extraction unit 105 extracts nouns and verbs from the input character string 151 by morphological analysis (Morphological Analysis) for specifying a part of speech from a character string in natural language. At this time, the hidden word extraction unit 105 uses a natural language processing technique such as text classification provided by the Web service in the cyber space 15 to extract words corresponding to nouns and verbs from the input character string 151. It can also be extracted.

  In one example, the hidden word extraction unit 105 extracts words of nouns “I”, “Children”, “Ringo”, and “Mikan” from the input character string 151 as candidates for hidden words. The concealment word extraction unit 105 may extract a verb word as a concealment word candidate in addition to a verb word or a noun word. In block 211, the hidden word extraction unit 105 checks the hidden class in the class table 107a to which the extracted word belongs. At this time, the concealment word extraction unit 105 can specify the concealment class to which the extracted word refers to the data base server 13. Also, the concealment word extraction unit 105 can extract the verb “Sukida” from the input character string 151 and use it to recognize the concealment class to which the noun word belongs.

  For example, the word “apple” is judged to belong to the security hiding class if the input string contains a verb such as “send money”, and if it contains the verb “delicious”, it is judged to belong to the preference hiding class. can do. When the concealment class to which the extracted word belongs is set as the concealment level in the class table 107a, the concealment word extraction unit 105 recognizes the word as a concealment word. Here, it is assumed that “apple” and “mandarin” are concealment words belonging to the concealment class set.

In block 213, the concealed word extraction unit 105 sends the character string 153 obtained by adding the control codes SEQ01 and SEQ02 to the concealed word to the pseudo word acquisition unit 107. The pseudo word acquisition unit 107 acquires the number of pseudo words whose concept is similar to the concealment word specified by the control codes SEQ01 and SEQ02 by the number of the proxy processing unit 121. In one example, pseudowords can be selected from a range of words whose superordinate concepts belong to the same group to dilute personal information. The pseudo word acquisition unit 107 can acquire a plurality of words included in the superordinate concept of the concealment word from the data base server 13 or the cyber space 15.

  In one example, the pseudo-word acquisition unit 107 recognizes a superordinate concept of the concealment word “apple” and “mandarin orange” as a fruit, and is included in the same superordinate concept and different from the concealment word, such as “straw”, “peach”, Get multiple pseudo-words. The pseudo-word acquisition unit 107 sends a set of pseudo-words with control codes SEQ01 and SEQ02 corresponding to the character string 153 and the hidden word to the proxy processing unit 121. At this time, the pseudo-word acquisition unit 107 can send different sets of pseudo-words so that each proxy processing unit 121 can create different pseudo-character strings.

  In block 215, the proxy processing units 121a to 121d generate the pseudo character strings 161 to 167 by way of example by inserting the received pseudo words at the positions specified by the control code SEQ of the input character string 153. In block 217, the proxy processing units 121a to 121d transmit the pseudo character strings 161 to 167 through the input / output unit 101. The input / output unit 101 can add an identifier to the pseudo character strings 161 to 167 as necessary to distinguish from the input character string 151 transmitted earlier. In block 219, the character input support server 21 outputs prediction conversion candidates for the pseudo character strings 161 to 167 with the avatar 200 as a destination. In block 221, the input / output unit 101 discards the prediction conversion candidates corresponding to the pseudo character strings 161 to 167, and returns to block 201 to process the subsequent input character string.

  According to the above procedure, the client 11 can dilute the personal information that remains in the character input support server 21 while receiving the predictive conversion candidate for the input character string 151. Since the avatar 200 sends the terminal information of the avatar 200 to the character input support server 21 in place of the client 11, the personal identification information of the client 11 remaining in the character input support server 21 can be reduced. In addition, since the avatar 200 is shared by the plurality of clients 11, information remaining in the character input support server 21 is not easily recognized as personal information of a specific client existing behind the avatar 200.

  Although the concealment word can be all the nouns included in the input character string 151, in this embodiment, as described in block 211, the number can be selected according to the concealment level set for the concealment class. . Since the concealment word is replaced with a plurality of different pseudo words, the hit rate of the prediction conversion candidate decreases as the number of concealment words increases. At this time, if a user who does not care about privacy regarding preferences excludes the concealment class from the concealment words, the hit rate of the predictive conversion candidate regarding preference is improved. Therefore, the concealment level can be set according to the circumstances of each user, and the degree of protection and convenience of personal information can be harmonized.

  In addition, by configuring the pseudo character strings 161 to 167 with pseudo words whose concept is similar to the concealment word, the personal information included in the input character string 151 can be effectively hidden. FIG. 6 is a diagram for conceptually explaining how the pseudo character strings 161 to 167 dilute the personal information included in the input character string 151. The trunk 251 corresponds to genuine personal information included in the input character string 151. In order to use the character input support server 21, the user provides the trunk 251 to the cyberspace 15.

  The branches and leaves 253 correspond to the pseudo character strings 161 to 167. The branches and leaves 253 remain in the character input support server 21 so as to cover the trunk 251. That is, the character input support server 21 stores the prediction conversion candidate for the input character string 151 “I am” including the prediction conversion candidate for the pseudo word. Branches and leaves 255 indicate a state in which the concealment level is increased. When the concealment level is increased, in the pseudo character strings 161 to 167, more concealment words are replaced with pseudo words, so that the branches and leaves 255 are widened. Increasing the number of pseudo character strings also corresponds to expanding the branches 255.

  When the branches and leaves 255 become wider, personal information is further diluted to enhance protection, but on the other hand, conversion efficiency decreases. At this time, the user can adjust the size of the branches and leaves 253 by setting a concealment level in the class setting unit 107. Branches and leaves 257a to 257c show a case where the pseudo word is composed of a word having a different concept from the concealment word. For example, if the pseudo-word is a word that has a high-level concept of a vehicle such as “SEQ01: ship” and “SEQ02: airplane”, the trunk 251 is effective for clever analysis because it is away from the concept that the trunk 251 means. It may not be possible to hide. However, the present invention includes a case where a word having a different superordinate concept is selected as a pseudo word.

  The avatar 200 can operate transparently with respect to the character input support server 21. The user is not aware of the presence of the avatar 200. If the avatar 200 is configured by a program that can be installed in the client 11, the risk of personal information leaking from the avatar 200 can be reduced. The example of creating the pseudo character strings 161 to 167 by replacing the concealment words with the pseudo words has been described, but some word, phrase, or sentence is inserted as noise at the beginning, middle, or tail of the input character string 151 A pseudo character string may be created. If the unnatural noise may be ignored from the meaning of the whole sentence by the character input support server 21 that has evolved at this time, it is desirable to insert meaningful noise.

[Application to voice input support server]
Next, protection of personal information when the client 11 uses the voice input support server 31 will be described. For example, the voice input support server 31 provides a voice recognition response service to the client 11 such as Siri introduced in iOS or Cortana introduced in Windows (registered trademark) 10. In one example, the voice input support server 31 receives the voice data of the user who talked to the client 11, recognizes the voice, understands the meaning content, responds with voice, and returns an execution command for processing the query to the client 11. .

  The client 11 can execute the received command to control the operation of the client and access the cyberspace 15. For example, when the user asks the client 11 “What's the weather today?”, The client 11 receives a reply with voice data “This is the weather today” from the voice input support server 31, and executes the received command at the same time. Display the local weather forecast on the screen. The voice data includes personal identification information such as a voiceprint, tone, and inflection, and personal information as conversation contents (text).

  For example, the voice input support server 31 can specify the voice data of the user by a voice print and tone, give a user ID, and accumulate text indicating the content of the conversation for the user ID. Since the normal voice input support server 31 introduces artificial intelligence, the user conveys a lot of personal information as if talking to a human. Then, when a lot of personal information is accumulated for each user ID, there is a possibility that accurate personal identification information will be revealed.

  FIG. 7 is a schematic functional block diagram showing a configuration of an avatar 300 that is an example of the avatar 100. The avatar 300 is located between the client 11 and the cyber space 15. The avatar 300 can also be realized by software installed in the client 11. The user has a conversation with the voice input support server 31 through the client 11. The conversation is performed in the form of a response from the voice input support server 31 in response to an inquiry from the user.

  The user "Hello" as an example, or, to the conversation of the question such as "What is the route from here to home". The unit of conversation is independent of the length of time. The voice input support server 31 can recognize the user's conversation when a predetermined time has elapsed after the reception of the voice data is finished. The input / output unit 301 corresponds to an interface connected to the client and the cyber space 15 by wire or wireless. When the avatar 300 is mounted on the client 11, the input / output unit 301 can use the network interface of the client 11. The input / output unit 301 transfers voice data of the user conversation included in the packet received from the client 11 to the voice recognition unit 303.

  The voice recognition unit 303 recognizes voice data and generates text data. In one example, the voice recognition unit 303 generates feature data such as a user's sex, age group, tone, and tone from the voice data. The voice recognition unit 303 sends text data and feature data to the selection unit 305. In one example, the selection unit 305 can select the speech synthesis unit 321 to be used for each conversation based on the feature data. In another example, the selection unit 305 can select a speech synthesis unit 321 to be used randomly for each conversation. The selection unit 305 sends text data to the selected speech synthesis unit 321. The speech synthesizer 321 includes four speech synthesizers 321a to 321d as an example, but the number of speech synthesizers 321 is not particularly limited.

  Each speech synthesizer 321 has a speech synthesizer function for generating synthesized speech that reads out received text data. Each speech synthesizer 321 generates synthesized speech having different sound qualities such as gender, age, clarity, fluidity, intonation and the like. Of the plurality of speech synthesizers 321, only the speech synthesizer selected by the selector 305 operates on the corresponding conversation.

  FIG. 8 is a flowchart for explaining the operation of the avatar 300. At block 401, the user initiates a dialog with the client 11. In block 403, the input / output unit 301 receives voice data of conversation from the client 11. In block 405, the voice data recognition unit 303 recognizes the voice data and generates text data and feature data. In block 407, the selection unit 305 selects the speech synthesis unit 321 to be used for the current conversation and sends text data.

  Since any voice synthesizer 321 has different voice characteristics from the user, the selection unit 305 may select any voice synthesizer 321. For example, the selection unit 305 selects the speech synthesis unit 321a. In block 409, the speech synthesizer 321a generates a synthesized speech that reads out the text data. In block 411, the input / output unit 301 outputs the synthesized speech packet to the speech input support server 31. At this time, if there is an identifier or position information of the client 11 that the client 11 has received from the voice input support server 31, the input / output unit 301 deletes them from the packet to be output. Further, when the avatar 300 is mounted on the client 11, the IP address can be dynamically changed for each output.

  In block 413, the input / output unit 301 incorporates the payload of the response packet received from the voice input support server 31 into its own packet and transfers it to the client 11. As an example, the response packet includes voice data that responds to an inquiry and a command that executes processing for the inquiry. In block 415, the selection unit 305 returns to block 403 if there is a subsequent conversation. If the conversation is interrupted for a predetermined time or longer, the process ends at block 417.

  In block 407 following block 403, the selection unit 305 selects the speech synthesis unit 321 for the user's next conversation. As long as the synthesized speech generated by the speech synthesizer 321a is different from the features of the user's speech, the user's direct personal identification information is not provided. However, it is not preferable that a lot of privacy information and other personal identification information are associated with the synthesized speech of the specific speech synthesizer 321a. In one example, the selection unit 321 can select the speech synthesis unit 321 at random for each conversation.

  By the way, the voice input support server 31 whose intelligence level has evolved infers the gender and age of the user from the voice and responds accordingly. Such a response may be favorable to the user. When the selection unit 305 determines that the user is an adult woman, the selection unit 305 may select the speech synthesis unit 321 having the characteristics of a female voice. At this time, the speech synthesizer 321 can be configured to generate synthesized speech of various sound qualities of an adult female.

  According to the above procedure, the content of the conversation that constitutes the personal information remains in the voice input support server 31 as privacy information or as personal identification information, but the personal identification information as a feature of the user's voice that can be specified by sound quality or voiceprint is It does not remain in the voice input support server 31. Further, by selecting a synthesized speech similar to the user, it is possible to prevent a deterioration in quality related to the responsiveness of the speech input support server 31. In addition, the specific speech synthesizer 321a may generate and output a plurality of synthesized speech reading the text of the user's conversation and the text of the conversation different from the user's conversation.

[Application to Web server]
Next, protection of personal information when the client 11 accesses the Web server 41 will be described. In one example, the web server 41 is operated by a book seller for advertising and electronic transactions. A user who purchases a book selects and purchases the intended book from the Web server 41 site. In order to purchase a book, the user needs to send authentic personal identification information such as an address, name, and mail address to the Web server 41 as a report destination.

  Various books are introduced on the Web server 41 site. Even if the user does not intend to purchase, the user may select an object of the book by clicking on the screen in order to know the outline of the book of a specific genre with interest. The book selected by the user becomes privacy information such as the user's hobbies and preferences, and remains in the Web server 41 in association with the IP address or mail address. The Web server 41 grasps the user's hobbies and preferences, and displays the objects of those books when the user visits the site. While this is convenient, it also risks privacy damage.

  FIG. 9 is a functional block diagram for explaining the configuration of the avatar 500. The avatar 500 can be provided outside the client 11 to provide services to a plurality of clients. In this embodiment, an example in which software for realizing the avatar 500 is incorporated in the client 11 will be described. The client 11 includes a display 501, a system 505, a network interface 503, an input device 507, and an avatar 500.

  On the display 501, a site screen 511 of the Web server 41 including a plurality of objects 513 indicating the titles of books is displayed. The system 505 includes hardware such as a CPU, a system memory, and an I / O chipset, a device driver, an OS, and an application program such as a Web browser. The network interface 503 connects the client 11 to the cyber space 15 by wire or wireless. The input device 507 corresponds to a device for a user to input to the system 505 such as a touch panel, a mouse, and a keyboard. The avatar 500 attempts to dilute the personal information provided when the user accesses the Web server 41.

  FIG. 10 is a flowchart for explaining the operation of the avatar 500. In block 601, a site screen 511 is displayed on the display 501 when the user accesses the website. The system 505 holds source data (HTTP) that constitutes the site screen 511. In block 603, the avatar 500 recognizes an object 513 such as an image or a character set with a hyperlink from the source data.

  In block 605, when the user clicks the target object 513a with the input device 507 to confirm the contents of the book, data indicating the selection is sent to the Web server 41 as authentic privacy information. The Web server 41 sends a response packet for access to the target object 513a to the client 11. The client 11 can receive the result of the user selecting the target object 513a as scheduled.

  In block 607, the avatar 500 selects a plurality of pseudo objects other than the target object 513 a to which a hyperlink exists in the site screen 511 immediately before the target object 513 a is selected in one example. Alternatively, the avatar 500 may select a pseudo object from other objects included in the site screen after clicking the target object 513a. Further, the avatar 500 may select the pseudo object included in the source data of the site screen sent from the Web server 41 in response to the packet indicating that the pseudo object has been operated.

  At this time, the avatar 500 does not pass the site screen data sent by the Web server 41 in response to the operation of the pseudo object to the system 505. Therefore, the selection of the pseudo object is performed in the background. The avatar 500 can recognize a character or image of the target object 513a and randomly select a predetermined number of pseudo objects from other objects in the same category as the target object 513a included in the same site.

  For example, the avatar 500 can interpret the contents of the target object 513a as text and select any object included in the superordinate concept of the text as a pseudo object. Specifically, if the avatar 500 interprets the site screen 511 and recognizes the meaning of the target object 513a as the name of a book, the avatar 500 selects a book object with another name as a pseudo object and recognizes it as a photo. Can be selected as a pseudo object.

  The avatar 500 does not select, for example, an introduction to a campaign or an object for moving to another page, which is irrelevant to the target object 513a. As another method, the avatar 500 can classify the book genre into classes such as novels, mysteries, comics, etc., and select pseudo objects equally from each class. In block 609, the avatar 500 outputs data indicating that the pseudo object has been selected to the Web server 41 as pseudo privacy information.

  The data indicating that the pseudo object has been selected hides the genuine data indicating that the user has selected. As a result, the Web server 41 recognizes that it is interested not only in the book actually selected by the user, but also in books of other genres, so it becomes difficult to narrow down the user's interest. Even if the user provides personal identification information to actually purchase a book, it becomes difficult for the Web server 41 to associate the name of another book accessed by the user with the personal identification information. Therefore, the user can purchase a book from the website while protecting personal information.

  Although the present invention has been described with the specific embodiments shown in the drawings, the present invention is not limited to the embodiments shown in the drawings, and is known so far as long as the effects of the present invention are achieved. It goes without saying that any configuration can be adopted.

15 Cyberspace 11 Client 100, 200, 300, 500 Avatar 107a Class table 151 Input character string 161-167 Pseudo character string

Claims (5)

A method for protecting personal information stored in a character input support server ,
The client sends the input string entered by the user to the avatar;
The avatar sending the input character string to the character input support server;
Sending a conversion candidate for the input character string received by the avatar from the character input support server to the client;
The avatar extracts a word belonging to a concealment class for which a user has set a concealment level in advance from the input character string and replaces it with a word of the same concept to generate a pseudo character string for the input character string;
The avatar sending the pseudo-character string to the character input support server ;
Having a method. An electronic device that protects personal information related to the input of an input character string to a client,
An input / output unit that outputs the input character string to cyberspace, and outputs conversion candidates for the input character string received from the cyberspace to the client;
A class setting unit that defines a concealment class for the user to set the concealment level of the personal information ;
A concealment word extraction unit that extracts words belonging to the concealment class set at the concealment level from the input character string as concealment words ;
A pseudo word acquisition unit that acquires a pseudo word having a concept similar to the concealment word;
An electronic apparatus comprising: a proxy processing unit that generates a pseudo character string obtained by correcting the concealment word with the pseudo word and outputs the pseudo character string to the cyber space. The electronic device according to claim 2 , wherein the proxy processing unit outputs the plurality of pseudo character strings that are different from each other. To a computer that can communicate with the client and the character input support server ,
A function of sending an input character string received from the client to the character input support server ;
A function of sending conversion candidates for the input character string received from the character input support server to the client;
A function of extracting a word belonging to a concealment class for which a user has set a concealment level in advance from the input character string and replacing it with a word of the same concept to generate a pseudo character string for the input character string;
A computer program for realizing a function of sending the pseudo character string to the character input support server . A computer having a storage device storing the computer program according to claim 4 .

Images