JP6558126B2 - Information processing system and information processing method - Google Patents

Description

  The present invention relates to an information processing system and an information processing method.

  In recent years, the handling of personal information has become a problem due to the problem of information leakage and the enactment of the Personal Information Protection Law. For example, an individual such as a consumer (hereinafter sometimes referred to as a “general user”) who purchases a product or service of a company (hereinafter sometimes referred to as a “data provider”) purchases the product or service. In some cases, you may register as a member. At the time of membership registration, data such as the general user's name, age, gender, address, and e-mail address is usually registered in the data provider's system in a state in which the data is associated with the personal ID assigned to the general user ( Remembered). That is, the data provider system stores “personal information data”. Here, the “personal information data” includes, for example, a name, age, sex, address, e-mail address, and personal ID.

  Furthermore, each time a general user whose personal information data has already been registered purchases a product or service, the data provider system associates the personal ID of the general user with information about the purchased product or service. Remember. Thus, the data provider can use the collected personal information data for business activities.

  On the other hand, for example, a company other than the data provider who normally collects personal information data may desire to use the personal information data. That is, there is a possibility that the data collection entity and the data utilization entity are different. However, from the viewpoint of personal information protection, personal information data itself cannot be provided without obtaining permission from a general user. Therefore, a data provider who has successfully collected personal information data converts the personal information data into data that cannot identify an individual (hereinafter sometimes referred to as “anonymized data”), It is possible to provide.

  In general, anonymized data is given an identifier to manage each individual record. The identifier is used to specify a record to be added, updated, etc., for example, when adding a new item to the anonymized data or updating an attribute value included in the anonymized data.

  However, when providing anonymized data to a third party, if the identifier is given as it is, an individual of each record included in the anonymized data is specified. For this reason, when distributing anonymized data to a third party, in order to conceal the first identifier assigned to the anonymized data from the third party, the first identifier is converted into a second identifier. May be provided.

  In addition, the Personal Information Protection Law, which will be revised in the future, will enable the distribution of personal information that has been anonymized at a certain level of processing so that individuals cannot be identified without permission from general users. Therefore, the distribution of anonymized data is expected.

JP 2014-153944 A

  However, in the case where the anonymized data obtained by converting the identifier is provided, if the comparison information between the first identifier and the second identifier is leaked, the second identifier is given based on the second identifier assigned to the provided anonymized data. One identifier is specified, and there is a possibility that an individual is specified. Although it is conceivable that the engineer who converts the identifier deletes the reference information, it is difficult for the engineer to prove that the control information has been deleted by an appropriate procedure. If the control information is leaked due to a technical error, etc. that remains without being deleted, or the control information is taken away by a malicious engineer, the individual may be identified using the control information There is.

  In one aspect, an object is to provide an information processing system and an information processing method for preventing an individual from being specified when anonymized data is provided.

  In one aspect, an information processing system includes a first information processing apparatus that provides anonymized data and a second information processing apparatus that receives provision of anonymized data. The first information processing device is configured to generate a second identifier for the first identifier assigned to the anonymized data in which the personal information is anonymized, the anonymized data, and the second A second generation unit that generates first data associated with the identifier. The second information processing device includes a generation unit that generates a third identifier for the second identifier included in the first data acquired from the first information processing device, anonymized data, and a third And a providing unit that provides second data associated with the identifier to the data user.

  According to one embodiment, an individual is prevented from being specified when providing anonymized data.

FIG. 1 is a schematic diagram illustrating an example of the overall configuration of the system according to the first embodiment. FIG. 2 is a functional block diagram illustrating an example of a system according to the first embodiment. FIG. 3 is a diagram illustrating an example of personal information according to the first embodiment. FIG. 4 is a diagram illustrating an example of information stored in the anonymization information DB according to the first embodiment. FIG. 5 is a diagram illustrating an example of information stored in the ID management DB of the data provider server in the first embodiment. FIG. 6 is a diagram illustrating an example of information stored in the provision information DB according to the first embodiment. FIG. 7 is a diagram illustrating an example of information stored in the ID management DB of the platform server in the first embodiment. FIG. 8 is a diagram illustrating an example of information stored in the public information DB according to the first embodiment. FIG. 9 is a flowchart illustrating an example of the flow of the encryption process according to the first embodiment. FIG. 10 is a flowchart illustrating an exemplary flow of a decoding process according to the first embodiment. FIG. 11 is a diagram illustrating an example of information stored in the ID management DB according to the second embodiment. FIG. 12 is a diagram illustrating determination of the k-anonymity level in the second embodiment. FIG. 13 is a diagram illustrating an example of data including the decoded SA in the second embodiment. FIG. 14 is a flowchart illustrating an exemplary flow of a decoding process according to the second embodiment. FIG. 15 is a diagram illustrating an example of a hardware configuration.

  Embodiments of an information processing system and an information processing method disclosed in the present application will be described below in detail with reference to the drawings. The disclosed technology is not limited by the present embodiment. Moreover, you may combine suitably each Example shown below in the range which does not cause contradiction.

[overall structure]
In this embodiment, a configuration for converting an identifier in anonymized data provided by a data provider to a platform (hereinafter referred to as “PF”) will be described. FIG. 1 is a schematic diagram illustrating an example of the overall configuration of the system according to the first embodiment. As shown in FIG. 1, the system according to the first embodiment includes a data provider server 100 (hereinafter referred to as “DP server 100”) and a platform server 300 (hereinafter referred to as “PF server 300”). Data user terminal 500.

  The DP server 100 provides anonymized data after taking measures to prevent an individual from being identified. The PF server 300 provides the provided personal information to the data user terminal 500 after taking measures to prevent identification of the individual. 1 shows an example in which the DP server 100, the PF server 300, and the data user terminal 500 are one by one. However, the embodiment is not limited to this, and a configuration having a plurality of them is also possible. Good.

  In this system, the DP server 100 generates anonymized data by itself or causes a third party to generate anonymized data using, for example, personal information provided by a general user. The DP server 100 provides the PF server 300 with the generated anonymized data.

  At this time, the DP server 100 uses the first identifier (hereinafter referred to as “ID1”) assigned to each record of the anonymized data as the second identifier (hereinafter referred to as “ID2”) in order to prevent identification of the individual. Is called). The DP server 100 encrypts and stores ID reference information (hereinafter referred to as “first ID reference information”) for connecting ID1 and ID2. In this embodiment, both the DP server 100 and the PF server 300 perform encryption processing on the first ID reference information in order to increase the security of the encrypted information.

  Further, when sensitive attribute values (hereinafter referred to as “SA”) that require particularly strict confidentiality such as annual income and medical history are included in the anonymized data, the DP server 100 deletes the SA or encrypts it. Measures to prevent SA leakage are taken.

  Thereafter, the DP server 100 uses the PF for ID2, the attribute value other than SA corresponding to the ID (hereinafter referred to as “QID (Quasi IDentifier)”), and the encrypted first ID reference information. Send to server 300. Note that the DP server 100 may transmit the encrypted SA to the PF server 300 together.

  The PF server 300 that has received the data converts ID2 included in the received data into a third identifier (hereinafter referred to as “ID3”). The PF server 300 encrypts ID contrast information (hereinafter referred to as “second ID contrast information”) for linking ID2 and ID3.

  Thereafter, the PF server 300 re-encrypts the encrypted first ID reference information and transmits it to the DP server 100 together with the encrypted second ID reference information. In the present embodiment, both the DP server 100 and the PF server 300 perform the encryption process on the second ID reference information as well as the first ID reference information.

  The DP server 100 that has received the data stores the re-encrypted first ID reference information. Further, the DP server 100 re-encrypts the encrypted second ID reference information and transmits it to the PF server 300.

  The PF server 300 that has received the data stores the re-encrypted second ID reference information. Further, the PF server 300 stores ID3 and the received QID in association with each other, and provides this when receiving a request from the data user terminal 500.

  Next, addition or update of data will be described. When receiving a request to add or update data including ID3 from the data user terminal 500, the PF server 300 decrypts the first ID reference information and the second ID reference information together with the DP server 100. The PF server 300 transmits ID2 corresponding to ID3 received from the data user terminal 500 to the DP server 100, and the DP server 100 acquires ID1 addition / update information corresponding to ID2.

  Thereafter, the DP server 100 transmits the addition / update information and ID2 in association with the PF server 300, and the PF server 300 transmits the addition / update information in association with ID3 to the data user terminal 500. The configuration for decrypting and providing the encrypted SA will be described in the second embodiment.

  Next, the functional configuration of the system implemented in the present embodiment will be described. FIG. 2 is a functional block diagram illustrating an example of a system according to the first embodiment. As shown in FIG. 2, the system in the present embodiment includes a DP server 100, a PF server 300, and a data user terminal 500.

  The DP server 100 and the PF server 300 are connected to each other through the network N so that they can communicate with each other. The PF server 300 is connected to the data user terminal 500 through the network N so as to communicate with each other. For such a network N, any kind of communication network such as the Internet (Internet), LAN (Local Area Network), VPN (Virtual Private Network), etc. can be adopted regardless of wired or wireless. Although FIG. 2 shows an example in which one DP server 100, one PF server 300, and one data user terminal 500 are provided, the embodiment is not limited thereto. For example, the configuration may include a plurality of DP servers 100, PF servers 300, and data user terminals 500.

[Functional configuration of DP server]
First, the functional configuration of the DP server 100 will be described. The DP server 100 is a computer that performs processing for converting an identifier given to anonymized data and providing the converted identifier to the PF server 300. As shown in FIG. 2, the DP server 100 includes a storage unit 120 and a control unit 130. Note that the DP server 100 may include various functional units included in known computers, for example, functional units such as various input devices and audio output devices, in addition to the functional units illustrated in FIG.

  Next, each functional block of the DP server 100 will be described. The storage unit 120 is realized by, for example, a semiconductor memory device such as a RAM (Random Access Memory) or a flash memory, or a storage device such as a hard disk or an optical disk. The storage unit 120 includes an anonymization information DB 121, an ID management DB 123, a provision information DB 124, and an operation log DB 125. In addition, the storage unit 120 stores various information used for processing in the control unit 130.

  The anonymization information DB 121 is a storage unit that stores generated anonymization data in association with an identifier. Anonymization data is generated by, for example, performing anonymization processing such as abstracting attribute values on personal information acquired from a general user. When attribute values such as age and income included in personal information are updated, or when attribute values related to new individuals are acquired, anonymization data is also updated as appropriate.

  The outline | summary of anonymization processing is demonstrated using FIG.3 and FIG.4. FIG. 3 is a diagram illustrating an example of personal information according to the first embodiment. FIG. 4 is a diagram illustrating an example of information stored in the anonymization information DB according to the first embodiment. FIG. 3 includes items of “ID1”, “attribute 1 sex (QID)”, “attribute 2 age (QID)”, and “attribute n annual income (SA)”. On the other hand, in FIG. 4, “attribute 2 age (QID)” shown in FIG. 3 is abstracted into “attribute 2 age (QID)” shown in FIG. 4 in the anonymization process. Other items shown in FIG. 4 are the same as the items shown in FIG. 3 and 4 may include other attributes not shown.

  For example, the attribute values such as “45” and “52” shown in FIG. 3 are abstracted to “40-50 generations” in FIG. Similarly, the attribute values such as “5.5 million” and “2.4 million” shown in “attribute n annual income (SA)” in FIG. 3 are respectively “5 million yen” and “less than 3 million yen” in FIG. Abstracted. Each attribute value is uniquely identified by the identifier indicated by “ID1”.

  Moreover, in FIG. 4, the records are rearranged in random order and stored. This is to prevent an individual corresponding to each record from being estimated on the basis of the order of records such as the order of the Japanese syllabary or the order of age.

  Returning to the description of FIG. 2, the ID management DB 123 is a storage unit that stores first ID contrast information that associates ID1 and ID2. Information stored in the ID management DB 123 will be described with reference to FIG. FIG. 5 is a diagram illustrating an example of information stored in the ID management DB of the data provider server in the first embodiment. As illustrated in FIG. 5, the ID management DB 123 stores “ID1” and “ID2” in association with each other. For example, ID1 “A123” is stored in association with ID2 “Z123”.

  5 shows an example in which ID1 and ID2 uniquely correspond to each other. However, the embodiment is not limited to this, and ID2 corresponding to ID1 is assigned to each data user or each time data is provided. A new configuration may be used. In this case, the ID management DB 123 stores information as shown in FIG. 5 in association with an identifier assigned to the data user.

  In the example shown in FIG. 5, “attribute 1 sex (QID)” and “attribute 2 age (QID)” shown in FIG. 4 are also stored together with ID1 and ID2, but “attribute n” shown in FIG. “Annual income (SA)” is deleted in this embodiment.

  Returning to the description of FIG. 2, the provision information DB 124 is a storage unit that stores information provided to the PF server 300. Information stored in the provision information DB 124 will be described with reference to FIG. FIG. 6 is a diagram illustrating an example of information stored in the provision information DB according to the first embodiment. As shown in FIG. 6, the provided information DB 124 includes “ID2”, “attribute 1 sex (QID)”, and “attribute 2 age (QID)” among the information stored in the ID management DB 123 as shown in FIG. 5. Only “ID1” is deleted.

  Returning to the description of FIG. 2, the operation log DB 125 is a storage unit that stores an acquisition request for anonymized data, an operation such as encryption, and the like. The operation log DB 125 includes, for example, that ID2 corresponding to ID1 has been generated, SA has been encrypted or decrypted, ID2 and QID have been transmitted to the PF server 300, and the first ID reference information is encrypted. An operation such as being converted to or decrypted is recorded. The operation log DB 125 records each operation history in association with the ID of the person in charge who performed the operation, the date and time when the operation was performed, and the like.

  Returning to the description of FIG. 2, the control unit 130 is realized by a program stored in an internal storage device being executed using the RAM as a work area, for example, by a CPU, an MPU (Micro Processing Unit), or the like. . Further, the control unit 130 may be realized by an integrated circuit such as an application specific integrated circuit (ASIC) or a field programmable gate array (FPGA).

  The control unit 130 includes an ID generation unit 131, an encryption processing unit 133, and a transmission / reception unit 135, and realizes or executes functions and operations of information processing described below. The internal configuration of the control unit 130 is not limited to the configuration illustrated in FIG. 2, and may be another configuration as long as the information processing described later is performed. Further, the ID generation unit 131, the encryption processing unit 133, and the transmission / reception unit 135 are an example of an electronic circuit such as a processor or an example of a process executed by the processor.

  The ID generation unit 131 is a processing unit that generates ID2 corresponding to ID1. For example, as illustrated in FIG. 5, the ID generation unit 131 generates ID2 “Z123” corresponding to ID1 “A003” and stores the ID2 in the ID management DB 123. The ID generation unit 131 is an example of a first generation unit and a second generation unit.

  The encryption processing unit 133 is a processing unit that encrypts or decrypts ID reference information that associates a plurality of IDs. Specifically, the encryption processing unit 133 encrypts information associating ID1 and ID2 as shown in FIG. 5, stores the information in the ID management DB 123, and decrypts the encrypted information. Further, as described above, the cryptographic processing unit 133 further re-encrypts the second ID reference information encrypted by the PF server 300. The encryption processing unit 133 may be configured to encrypt the entire ID management DB 123 or may be configured to encrypt a file that outputs the contents of the ID management DB 123.

  The transmission / reception unit 135 is a processing unit that transmits information to the PF server 300 or receives information from the PF server 300. For example, the transmission / reception unit 135 reads information as illustrated in FIG. 6 stored in the provision information DB 124 and transmits the information to the PF server 300. For example, the transmission / reception unit 135 receives a decryption request for encrypted ID reference information from the PF server 300 and outputs an instruction to the encryption processing unit 133.

[Functional configuration of PF server]
Next, returning to the description of FIG. 2, the functional configuration of the PF server 300 will be described. The PF server 300 is a computer that receives anonymized data from the DP server 100 and performs processing to be provided to the data user terminal 500. As illustrated in FIG. 2, the PF server 300 includes a storage unit 320 and a control unit 330. The PF server 300 may include various functional units included in known computers, for example, functional units such as various input devices and audio output devices, in addition to the functional units illustrated in FIG.

  Next, each functional block of the PF server 300 will be described. The storage unit 320 is realized by, for example, a semiconductor memory device such as a RAM or a flash memory, or a storage device such as a hard disk or an optical disk. The storage unit 320 includes an ID management DB 323, a public information DB 324, and an operation log DB 325. In addition, the storage unit 320 stores various information used for processing in the control unit 330.

  The ID management DB 323 is a storage unit that stores second ID contrast information that associates ID2 and ID3. Information stored in the ID management DB 323 will be described with reference to FIG. FIG. 7 is a diagram illustrating an example of information stored in the ID management DB of the platform server in the first embodiment. As illustrated in FIG. 7, the ID management DB 323 stores “ID2” and “ID3” in association with each other. For example, ID2 “Z123” is stored in association with ID3 “ABC1”.

  Returning to the description of FIG. 2, the public information DB 324 is a storage unit that stores information provided to the PF server 300. Information stored in the public information DB 324 will be described with reference to FIG. FIG. 8 is a diagram illustrating an example of information stored in the public information DB according to the first embodiment. As illustrated in FIG. 8, the public information DB 324 stores information obtained by converting “ID2” into “ID3” among the information illustrated in the provision information DB 124 illustrated in FIG. 6.

  Returning to the description of FIG. 2, the operation log DB 325 is a storage unit that stores operations such as an acquisition request for anonymized data and encryption. For example, the operation log DB 325 records operations such as the generation of ID3 corresponding to ID2 and the encryption or decryption of the second ID reference information. The operation log DB 325 also records operations such as providing anonymized data to the data user terminal 500 and receiving a request for acquiring additional information from the data user terminal 500. The operation log DB 325 records each operation history in association with the ID of the person in charge who performed the operation, the date and time when the operation was performed, and the like.

  The control unit 330 is realized, for example, by executing a program stored in an internal storage device using the RAM as a work area by a CPU, an MPU, or the like. The control unit 330 may be realized by an integrated circuit such as an ASIC or FPGA, for example.

  The control unit 330 includes an ID generation unit 331, an encryption processing unit 333, and a transmission / reception unit 335, and realizes or executes functions and operations of information processing described below. Note that the internal configuration of the control unit 330 is not limited to the configuration illustrated in FIG. 2, and may be another configuration as long as information processing described later is performed. The ID generation unit 331, the encryption processing unit 333, and the transmission / reception unit 335 are an example of an electronic circuit such as a processor or an example of a process executed by the processor.

  The ID generation unit 331 is a processing unit that generates ID3 corresponding to ID2. For example, as illustrated in FIG. 7, the ID generation unit 331 generates ID3 “ABC1” corresponding to ID2 “Z123” and stores the ID3 in the ID management DB 323. The ID generation unit 331 is an example of a generation unit.

  The encryption processing unit 333 is a processing unit that encrypts or decrypts ID reference information that associates a plurality of IDs. Specifically, the encryption processing unit 333 encrypts the second ID reference information that associates ID2 and ID3 as shown in FIG. 7, stores it in the ID management DB 323, and decrypts the encrypted information . Further, as described above, the cryptographic processing unit 333 further re-encrypts the first ID reference information encrypted by the DP server 100.

  The transmission / reception unit 335 is a processing unit that transmits / receives information between the DP server 100 and the data user terminal 500. For example, the transmission / reception unit 335 receives a combination of ID2 and QID from the DP server 100 and stores the combination in the storage unit 320. In addition, when the transmission / reception unit 335 receives a data addition or update request from the data user terminal 500, the transmission / reception unit 335 transmits the request to the DP server 100. The transmission / reception unit 335 is an example of a providing unit.

[Process flow]
Next, the flow of processing by the DP server 100 and the PF server 300 will be described. FIG. 9 is a flowchart illustrating an example of the flow of the encryption process according to the first embodiment. Note that the contents of the processing executed in each step are appropriately recorded in the operation log DB 125 or the operation log DB 325.

  First, the ID generation unit 131 of the DP server 100 rearranges the records of the anonymization data stored in the anonymization information DB 121 in no particular order (step S101). Next, the ID generation unit 131 generates ID2 corresponding to ID1 assigned to the anonymized data rearranged in any order, and stores the first ID contrast information in the ID management DB 123 (step S111).

  Next, the encryption processing unit 133 deletes the SA from the anonymization data stored in the anonymization information DB 121 (step S121). A configuration for encrypting the SA will be described in a second embodiment.

  After that, the ID generation unit 131 reads the anonymized data and the identifier from the anonymized information DB 121, replaces ID1 assigned to the anonymized data with ID2, and stores it in the provided information DB 124 (step S131). Then, the transmission / reception unit 135 transmits the ID2 and QID stored in the provision information DB 124 to the PF server 300 (step S135).

  When the transmission / reception unit 335 of the PF server 300 receives ID2 and QID from the DP server 100 (step S141), the ID generation unit 331 generates ID3 corresponding to ID2 and uses the second ID reference information as the ID management DB 323. (Step S143). Next, the encryption processing unit 333 encrypts the second ID reference information and stores it in the ID management DB 323 (step S145).

  Next, the transmission / reception unit 335 transmits the encrypted second ID reference information to the DP server 100 (step S151). When the transmission / reception unit 135 of the DP server 100 receives the encrypted second ID reference information, the encryption processing unit 133 re-encrypts the encrypted second ID reference information (step S161). Next, the encryption processing unit 133 encrypts the first ID reference information stored in the ID management DB 123 (step S163). Next, the transmission / reception unit 135 transmits the encrypted first ID reference information and the re-encrypted second ID reference information to the PF server 300 (step S165).

  When the transmission / reception unit 335 of the PF server 300 receives the encrypted first ID reference information and the re-encrypted second ID reference information, the transmission / reception unit 335 receives the re-encrypted second ID reference information as the ID. It stores in management DB323 (step S171). Next, the encryption processing unit 333 re-encrypts the encrypted first ID reference information (step S173).

  Thereafter, the transmission / reception unit 335 deletes the intermediate data used for the processing, and transmits the re-encrypted first ID reference information to the DP server 100 (step S175). The transmission / reception unit 135 of the DP server 100 that has received the re-encrypted first ID reference information stores the re-encrypted first ID reference information in the ID management DB 123 and also stores the intermediate data used for the processing. It deletes (step S181).

  Next, decryption processing for updating or adding data to be provided to the data user will be described with reference to FIG. FIG. 10 is a flowchart illustrating an exemplary flow of a decoding process according to the first embodiment. First, when the transmission / reception unit 335 of the PF server 300 receives a data update or addition request from the data user terminal 500 (step S201), does the request satisfy a condition such as a contract between the data user and the platform? Is determined (step S203). If the condition is not satisfied (step S203: No), the process ends.

  On the other hand, when the request satisfies the condition (step S203: Yes), the transmission / reception unit 335 transmits a confirmation request to the DP server 100 (step S205). When the transmission / reception unit 135 of the DP server 100 receives the confirmation request (step S221), the transmission / reception unit 135 determines whether the request satisfies a condition such as a contract between the platform and the data provider (step S223). When the condition is not satisfied (step S223: No), the transmission / reception unit 135 notifies the PF server 300 that processing is impossible (step S225), and ends the processing.

  On the other hand, when the request satisfies the condition (step S223: Yes), the encryption processing unit 133 decrypts the first ID reference information stored in the ID management DB 123 and transmits it to the PF server 300 (step S231). The transmission / reception unit 335 of the PF server 300 receives the decrypted first ID reference information, and the encryption processing unit 333 re-decrypts this (step S241). Next, the encryption processing unit 333 decrypts the second ID reference information stored in the ID management DB 323 (step S243). Next, the transmission / reception unit 335 transmits the re-decoded first ID reference information and the decoded second ID reference information to the DP server 100 (step S245).

  When the transmission / reception unit 135 of the DP server 100 receives the decrypted second ID reference information, the encryption processing unit 133 re-decrypts the received second ID reference information (step S251). Next, the ID generation unit 131 identifies ID1 corresponding to ID3 using the re-decoded first ID reference information and second ID reference information, and additional information corresponding to ID1 from the anonymization information DB 121. Alternatively, update information (hereinafter referred to as “additional information or the like”) is acquired (step S253). Next, the transmission / reception unit 135 transmits the acquired additional information and the like to the PF server 300 in association with ID2 (step S255).

  When the transmission / reception unit 335 of the PF server 300 receives additional information or the like from the DP server 100 (step S261), the ID generation unit 331 associates the additional information and the like with ID3 and provides them to the data user (step S263).

  With the configuration described above, the DP server 100 cannot associate ID1 to ID3 alone, and the PF server 300 cannot associate ID1 to ID1 alone. That is, if both the first ID reference information generated by the DP server 100 and the second ID reference information generated by the PF server 300 are not aligned, it is impossible to reconnect ID3 to ID1. Thereby, even if any one of the ID reference information leaks, it is possible to prevent an individual from being identified by the identifier assigned to the anonymized data.

  Unlike the case where the identifier itself is deleted, if the data provider and the platform agree, it is possible to reconnect the anonymized data held by the DP server 100 by associating ID3 and ID1. For this reason, the data user terminal 500 can receive provision of another item for the provided data, and can update the provided data.

  In the present embodiment, the second ID reference information encrypted by the PF server 300 is transmitted to the DP server 100, and the DP server 100 re-encrypts the information. However, the embodiment is not limited thereto. Absent. For example, the first ID reference information encrypted in advance by the DP server 100 is transmitted to the PF server 300, and the first ID reference information re-encrypted by the PF server 300, the encrypted second ID reference information, May be transmitted to the DP server 100.

  In the present embodiment, the configuration is described in which the DP server 100 converts ID1 to ID2 and does not pass ID1 to the PF server 300. However, the embodiment is not limited thereto. For example, the DP server 100 may pass ID1 to the PF server 300, and the PF server 300 may generate ID2 and ID3 corresponding to ID1. Thereby, even if it is a case where DP server 100 does not have a function which converts ID, anonymized data which gave ID converted to a data user can be provided.

  The anonymization data provided by the DP server 100 may include SA such as income and medical history. SA is required to keep secrets particularly strictly as compared with other attribute values. However, if the SA itself is deleted, if it is requested to provide the SA later, it cannot be linked with the provided data.

[overall structure]
In the following embodiment, a configuration for preventing releasable SA leakage will be described. The overall configuration of this embodiment will be described with reference to FIG. In this embodiment, the DP server 100 encrypts and holds the SA without deleting it.

  As indicated by reference numeral 1001 in FIG. 1, the PF server 300 that has received a request for additional provision of SA including ID3 from the data user terminal 500 converts ID3 included in the request into ID2, and sends the SA of the SA to the DP server 100. Request decryption. In addition, the said request is not restricted to what contains all ID3 provided to the anonymization data used as object, It may contain only some ID3.

  Upon receiving the request, the DP server 100 converts ID2 into ID1, decrypts the SA corresponding to ID1, and transmits it to the PF server 300 together with ID2. The PF server 300 transmits the received decrypted SA to the data user terminal 500 together with ID3.

  Next, the functional configuration of the system implemented in the present embodiment will be described with reference to FIG. Similarly to the system in the first embodiment, the system in the present embodiment also includes the DP server 100, the PF server 300, and the data user terminal 500, each having the same functional configuration as each computer in the first embodiment. Have. In the following, detailed description of functional blocks having the same configuration as in the first embodiment is omitted.

[Functional configuration of DP server]
First, differences in the functional configuration of the DP server 100 according to the present embodiment from the functional configuration according to the first embodiment will be described. In this embodiment, an example of information stored in the ID management DB 123 of the DP server 100 will be described with reference to FIG. FIG. 11 is a diagram illustrating an example of information stored in the ID management DB according to the second embodiment. As indicated by reference numeral 1101 in FIG. 11, the ID management DB 123 in the present embodiment includes “ID1”, “ID2”, “attribute 1 sex (QID)”, and “attribute 2 age (QID)” illustrated in FIG. In addition to the information, “attribute n annual income (CSA)” is further included. “Attribute n annual income (CSA)” is an attribute value obtained by encrypting “attribute n annual income (SA)”. For example, the record “qrq242q34” of “attribute n annual income (CSA)” indicates that the attribute value obtained by encrypting the record of “attribute n annual income (SA)” “5 million yen” shown in FIG. .

  Instead of encrypting the SA alone, the configuration may be such that the attribute value encrypted by combining the SA and other attribute values is stored as “attribute n annual income (CSA)”. For example, a configuration is conceivable in which the “annual income” that is SA and the “age” that is another attribute value are encrypted together. In this case, even if the SA is in the “5 million yen range”, the encrypted attribute values are different between “40-50s” and “30s”. Note that the encryption processing unit 133 may change the encryption key for each attribute value when encrypting the SA.

  Returning to the description of FIG. 2, in the provision information DB 124 of the DP server 100 in the present embodiment, information obtained by deleting “ID1” from the information illustrated in FIG. 11 is stored. That is, in the provided information DB 124, “ID2”, “attribute 1 sex (QID)”, “attribute 2 age (QID)”, and “attribute n annual income (CSA)” are stored in association with each other. . In this case, since “attribute n annual income (CSA)” is encrypted, the PF server 300 and the data user terminal 500 cannot grasp the annual income.

  The encryption processing unit 133 in the present embodiment reads SA from the anonymization information DB 121, encrypts the SA and other attribute values, and stores them in the ID management DB 123. For example, the encryption processing unit 133 reads and encrypts “attribute n year income (SA)” and “attribute 2 age (QID)”, and stores them in the ID management DB 123 as “attribute n year income (CSA)”. In addition, when receiving a request from the PF server 300, the encryption processing unit 133 performs a process of decrypting “attribute n annual income (CSA)”.

[Functional configuration of PF server]
Next, differences in the functional configuration of the PF server 300 in the present embodiment from the functional configuration in the first embodiment will be described. The public information DB 324 stores information obtained by converting “ID2” into “ID3” among the information stored in the provision information DB 124 of the DP server 100. That is, in the public information DB 324, “ID3”, “attribute 1 sex (QID)”, “attribute 2 age (QID)”, and “attribute n annual income (CSA)” are stored in association with each other. .

  The transmission / reception unit 335 in the present embodiment transmits data including “attribute n annual income (CSA)” to the data user terminal 500 and receives a request for SA disclosure from the data user terminal 500. Specifically, the transmission / reception unit 335 receives from the data user terminal 500 the SA item desired to be disclosed and the ID 3 of the record desired to be disclosed. The transmission / reception unit 335 that has received the request transmits a request including ID2 corresponding to ID3 to the DP server 100.

  Here, the request received from the data user terminal 500 will be described in detail. The data user terminal 500 that has received “attribute n annual income (CSA)” cannot decrypt “attribute n annual income (SA)” that is the original data from the encrypted CSA. However, in the data user terminal 500, since it is possible to count the number of individuals corresponding to each attribute value of “attribute n annual income (CSA)”, the user of the data user terminal 500 For example, a CSA requesting decryption is specified based on the aggregation result.

  In determining whether or not to allow the use of anonymized data, there is a condition whether or not there are at least k corresponding individuals for any attribute value of anonymized data. The number of persons satisfying such conditions is referred to as “k-anonymity level”. As a condition for permitting the use of anonymized data, for example, k-anonymity level “10”, for any attribute value of anonymized data, Indicates that there must be at least 10 people.

  The user of the data user terminal 500 transmits an SA disclosure request for an attribute value satisfying, for example, the k-anonymity level “10” among the attribute values of “attribute n annual income (CSA)”. FIG. 12 is a diagram illustrating determination of the k-anonymity level in the second embodiment. FIG. 12 shows how many records correspond to each attribute value of the CSA. As indicated by reference numeral 1201 in FIG. 12, for example, there are 260 records whose CSA attribute value is “qrq242q34”, and there are 5 records whose CSA attribute value is “y464w34yj”.

  In FIG. 12, the column “attribute n original data” indicates the original data of the SA before encryption corresponding to each attribute value of the CSA. For example, a record whose CSA attribute value is “qrq242q34” indicates that a record whose SA attribute value is “5 million yen level” is encrypted. In FIG. 12, the column “attribute n original data” is described for convenience of explanation, and the PF server 300 or the data user terminal 500 cannot grasp the attribute value.

  For example, as shown by reference numeral 1201 in FIG. 12, the user of the data user terminal 500 can anonymize including the decrypted attribute value without knowing what attribute value “qrq242q34” is encrypted. It can be specified that the data satisfies the k-anonymity level “10”. On the other hand, since there are only five records “y464w34yj” indicated by reference numeral 1201 in FIG. 12, the user of the data user terminal 500 indicates that the anonymized data including the decrypted attribute value is k-anonymity level “10”. Can be specified.

  As a result of the above specific, the data user terminal 500 designates ID3 corresponding to either “qrq242q34” or “53yt5ythr1” which is an attribute value that satisfies the condition regarding the k-anonymity level “10”, for example, and discloses SA Send a request for.

  As a result of the determination based on the k-anonymity level as described above, data including the decrypted SA as shown in FIG. 13 is obtained. FIG. 13 is a diagram illustrating an example of data including the decoded SA in the second embodiment. As shown in FIG. 13, for the attribute value with the number of records “260” and the attribute value with the number of records “110”, the CSA is partially decrypted and the annual income “500” which is the SA before encryption. "10,000 yen" and "6 million yen" are stored.

  On the other hand, for each attribute value having the number of records “1” and “5” in FIG. 12, the anonymized data obtained by decrypting the attribute value does not satisfy the k-anonymity level “10”, so the CSA is not decrypted. In FIG. 13, the annual income and other attribute values are “unknown”. In the example shown in FIG. 13, the attribute values with the record number “1” and the attribute values with the record number “5” are aggregated to obtain the attribute value with the record number “6”. It is displayed as.

[Process flow]
Next, the flow of processing in this embodiment will be described with reference to FIGS. Similar to the first embodiment, the contents of the processing executed in each step are appropriately recorded in the operation log DB 125 or the operation log DB 325.

  First, in the encryption process, in steps S121 and S131 in FIG. 9, the ID generation unit 131 and the encryption processing unit 133 provide the encrypted SA instead of deleting the SA as shown in the first embodiment. It memorize | stores in information DB124. Since other processes are the same as those in the first embodiment, detailed description thereof is omitted. Note that the processing related to the update or addition of data other than SA is the same as the processing shown in FIG.

  Next, processing when a data user requests SA disclosure will be described. FIG. 14 is a flowchart illustrating an exemplary flow of a decoding process according to the second embodiment. First, the PF server 300 receives an SA disclosure request including the target SA type and the target ID 3 from the data user terminal 500 (step S301).

  The transmission / reception unit 335 of the PF server 300 that has received the request determines whether the request satisfies a condition such as a contract between the data user and the platform (step S303). The transmission / reception unit 335 determines, for example, whether or not the number of records included in the encrypted SA satisfies the k-anonymity level defined in the contract or the like. If the condition is not satisfied (step S303: No), the process ends.

  On the other hand, when the request satisfies the condition (step S303: Yes), the transmission / reception unit 335 refers to the ID management DB 323 and acquires ID2 corresponding to ID3 (step S305). Thereafter, the transmission / reception unit 335 transmits an SA decryption request including ID2 to the DP server 100 (step S311). At that time, the transmission / reception unit 335 notifies the DP server 100 that the request satisfies a condition such as a k-anonymity level, for example. When the second ID reference information stored in the ID management DB 323 is encrypted, for example, processing as shown in steps S231 to S251 in FIG. 10 is performed to decrypt the second ID reference information.

  When receiving the SA decryption request (step S321), the transmission / reception unit 135 of the DP server 100 determines whether the request satisfies a condition such as a contract between the platform and the data provider (step S323). When the condition is not satisfied (step S323: No), the transmission / reception unit 135 notifies the PF server 300 that processing cannot be performed (step S325), and ends the processing.

  On the other hand, when the request satisfies the condition (step S323: Yes), the encryption processing unit 133 refers to the ID management DB 123 and acquires ID1 corresponding to the received ID2 (step S331). If the first ID reference information stored in the ID management DB 123 is encrypted, for example, the processes shown in steps S231 to S251 in FIG. 10 are performed to decrypt the first ID reference information.

  Next, the encryption processing unit 133 refers to the provided information DB 124 and decrypts the CSA corresponding to ID1 (step S333). Then, the transmission / reception unit 135 associates the decrypted SA with the received ID2 and transmits it to the PF server 300 (step S335).

  When the transmission / reception unit 335 of the PF server 300 receives ID2 and the decrypted SA (step S341), the encryption processing unit 333 refers to the ID management DB 323 and converts ID2 to ID3 (step S343). Next, the transmission / reception unit 335 transmits data in which the decrypted SA is associated with ID3 to the data user terminal 500 (step S345).

  Through the processing described above, it is possible to prevent SA leakage in providing anonymized data that can reconnect SAs. Moreover, since the number of records corresponding to each attribute value of SA can be specified based on the encrypted CSA, SA can be disclosed according to the setting of k-anonymity level.

  In a configuration in which the encryption processor 133 changes the encryption key for encrypting the SA for each attribute value, the DP server 100 provides the PF server 300 with an encryption key corresponding to the specific attribute value. Such a configuration may be adopted. By configuring the PF server 300 or the data user terminal 500 to decrypt the CSA using the provided encryption key, a specific SA can be decrypted without leakage of other SAs, and the decryption process is simplified. Can be

  In the present embodiment, the configuration has been described in which the SA is reversibly encrypted and the “attribute n annual income (CSA)” is decrypted to obtain the SA, but the embodiment is not limited thereto. For example, the encryption processing unit 133 may be configured to irreversibly encrypt the SA. By irreversibly encrypting, the number of CSA attribute values can be counted in the PF server 300 or the data user terminal 500 while further reducing the risk of decrypting the SA from the CSA. Note that when the SA is irreversibly encrypted, the DP server 100 cannot decrypt the CSA to the SA. For example, the original data corresponding to the corresponding ID1 is read from the anonymization information DB 121 and associated with the ID2 PF. Send to server.

  In the present embodiment, the configuration in which the data user terminal 500 transmits ID3 corresponding to the SA desired to be disclosed has been described, but the embodiment is not limited thereto. For example, the configuration may be such that the PF server 300 that has received the request from the data user terminal 500 specifies ID2 that satisfies the condition such as the k-anonymity level and transmits the request to the DP server 100. According to such a configuration, the PF server 300 can control the anonymized data disclosed to the data user terminal 500 based on conditions such as the k-anonymity level.

  Although the embodiments of the present invention have been described so far, the present invention may be implemented in various different forms other than the embodiments described above. For example, the processes shown in FIG. 9, FIG. 10 and FIG. 14 are not limited to the above order, and may be performed at the same time as long as the processing contents do not contradict each other. Good.

  In addition, among the processes described in the present embodiment, all or part of the processes described as being automatically performed can be manually performed. Alternatively, all or part of the processing described as being performed manually can be automatically performed by a known method. In addition, the processing procedure, control procedure, specific name, and information including various data and parameters shown in the above-described document and drawings can be arbitrarily changed unless otherwise specified.

  In each of the above-described embodiments, the DP server 100 and the PF server 300 employ a means for improving the confidentiality of information by double encryption. It is known that the strength is reduced by intercepting the encryption on the way. For example, it is known that when someone obtains an intermediate cipher and plaintext, the encryption key may be identified by Meet in the Middle Attack. Therefore, in order to improve safety, in addition to the two parties, encryption is performed by three or more parties including a third party organization that can protect confidentiality and an independent security department within the company. Also good.

  In each Example mentioned above, although demonstrated as an example implemented about the anonymization data produced | generated based on personal information, an application range is not restricted to this. For example, you may implement each Example about the other information which wants to suppress specifying the object applicable to the said information, such as information regarding corporations, such as a company.

[system]
Further, each configuration of the illustrated apparatus does not necessarily need to be physically configured as illustrated. That is, it can be configured to be distributed or integrated in arbitrary units. Furthermore, all or a part of each processing function performed in each device may be realized by a CPU and a program that is analyzed and executed by the CPU, or may be realized as hardware by wired logic.

  Furthermore, various processing functions performed in each device may be executed entirely or arbitrarily on a CPU (or a microcomputer such as an MPU or MCU (Micro Controller Unit)). Various processing functions may be executed entirely or arbitrarily on a program that is analyzed and executed by a CPU (or a microcomputer such as an MPU or MCU) or hardware based on wired logic. .

  The DP server 100, the PF server 300, and the data user terminal 500 can be realized by a hardware configuration such as a computer 2000 shown in FIG. FIG. 15 is a diagram illustrating an example of a hardware configuration. As illustrated in FIG. 15, the computer 2000 includes a processor 2001, a memory 2002, and an IF 2003.

  Examples of the processor 2001 include a CPU, a DSP (Digital Signal Processor), and an FPGA. Further, examples of the memory 2002 include RAM such as SDRAM (Synchronous Dynamic Random Access Memory), ROM (Read Only Memory), flash memory, and the like.

  Various processing functions performed in the DP server 100, the PF server 300, and the data user terminal 500 are realized by executing programs stored in various memories such as a nonvolatile storage medium by a processor included in the control device. May be. That is, a program corresponding to each process executed by the ID generation units 131 and 331, the encryption processing units 133 and 333, and the transmission / reception units 135 and 335 may be recorded in the memory 2002, and each program may be executed by the processor 2001. .

DESCRIPTION OF SYMBOLS 100 Data provider server 300 Platform server 500 Data user terminal 120, 320 Storage part 121 Anonymization information DB
123, 323 ID management DB
124 Provided information DB
324 Public Information DB
125, 325 Operation log DB
130, 330 Control unit 131, 331 ID generation unit 133, 333 Cryptographic processing unit 135, 335 Transmission / reception unit

Claims (8)

In an information processing system having a first information processing device that provides anonymized data and a second information processing device that receives provision of the anonymized data,
The first information processing apparatus includes:
A first generator for generating a second identifier for the first identifier assigned to the anonymized data in which the personal information is anonymized;
A second generation unit that generates first data in which the anonymization data and the second identifier are associated with each other;
The second information processing apparatus
A generating unit that generates a third identifier for the second identifier included in the first data acquired from the first information processing apparatus;
An information processing system comprising: a providing unit that provides the data user with second data in which the anonymized data is associated with the third identifier.   The second generation unit of the first information processing apparatus irreversibly encrypts the anonymized data or a part of the anonymized data, and obtains the encrypted data from the second information processing apparatus. When the notification that the encrypted data satisfies a predetermined k-anonymity level is received, the original data of the encrypted data is provided to the second information processing apparatus. The information processing system according to claim 1. From the second information processing apparatus in which the second generation unit of the first information processing apparatus reversibly encrypts the anonymized data or a part of the anonymized data, and acquires the encrypted data. When the notification that the encrypted data satisfies a predetermined k-anonymity level is received, an encryption key for decrypting the encrypted data is provided to the second information processing apparatus. The information processing system according to claim 1.   The second generation unit of the first information processing device reversibly encrypts the first part and the second part of the anonymized data using different encryption keys, respectively, and the second information processing When receiving notification from the apparatus that the first part satisfies a predetermined k-anonymity level, an encryption key for decrypting the first part is provided to the second information processing apparatus. The information processing system according to claim 3.   Based on the number of records included in the encrypted data acquired from the first information processing apparatus by the generation unit of the second information processing apparatus, the encrypted data is predetermined k-anonymous. 3. It is determined whether or not a level is satisfied, and when the predetermined k-anonymity level is satisfied, notification is made that the encrypted data satisfies the predetermined k-anonymity level. Information processing system as described in any one of thru | or 4. The generation unit of the second information processing apparatus encrypts contrast information indicating a correspondence relationship between the second identifier and the third identifier,
The information processing system according to claim 1, wherein the first generation unit of the first information processing apparatus further re-encrypts the encrypted comparison information.   The first generation unit of the first information processing device generates the second identifier for the first identifier by rearranging the first identifiers in no particular order. The information processing system according to any one of the above. An information processing method executed by a first information processing device that provides anonymized data and a second information processing device that receives provision of the anonymized data,
The first information processing apparatus is
For the first identifier assigned to the anonymized data in which the personal information is anonymized, a second identifier is generated,
Performing a process of generating first data in which the anonymized data and the second identifier are associated with each other;
The second information processing apparatus is
Obtaining the first data;
Generating a third identifier for the second identifier included in the acquired first data;
The information processing method characterized by performing the process which provides the data user with the 2nd data which matched the said anonymization data and the said 3rd identifier.

Images