MXPA97010080A - Protection of confidential information in a database to enable targeted advertising in a communications network

Publication number
MXPA97010080A
Authority
MX
Mexico
Application number
MXPA/A/1997/010080A
Other languages
Spanish (es)
Other versions
MX9710080A (en)
Inventor
Stanton Gifford Warren
Davis Griffeth Nancy
Everett Katz James
Original Assignee
Bell Communications Research Inc
Application filed by Bell Communications Research Inc

Abstract

The present invention relates to protecting a database against the deduction of confidential values contained therein. This protection is achieved by dividing the database into public and private values (202), of which some public values are considered more important than others (203). Private attribute values are processed electronically (204-226) to reduce any high correlation between public values and private values. Specifically, the processor divides the database (204-210) into secure records and insecure records, where insecure records have highly correlated public values (216-218). The processor then selectively combines the public attribute values of the records (220) to camouflage those records against the deduction of their private attribute values beyond a threshold level of uncertainty (22).

Description

PROTECTION OF CONFIDENTIAL INFORMATION IN A DATABASE TO ENABLE TARGETED ADVERTISING IN A COMMUNICATIONS NETWORK
FIELD OF THE INVENTION
The present invention relates to a system and method for maintaining the confidentiality of certain information in a database. In accordance with an illustrative embodiment, the database contains demographic information about users or subscribers of a communications network. The system and method allow advertisers to reach specific users, whose demographic data matches a profile specified by the advertiser, and to send them advertising via the communications network. In particular, the method and system concern processing the demographic database to ensure that the private information of the users cannot be deduced by the advertisers beyond a controllable level of uncertainty, so that an advertiser cannot extract the specific confidential information that belongs to a specific user.
BACKGROUND OF THE INVENTION
The present invention is relevant to the delivery of information in any type of information infrastructure. The invention is illustrated herein using a communications-network type of information infrastructure which can deliver video programming.
In a typical network in which commercials or other video programming are delivered, such as a conventional cable television network, commercials are delivered to many users or subscribers indiscriminately. This is not advantageous for users, because some users are subjected to commercials in which they have no interest. Nor is it advantageous for advertisers, because advertisers must pay to deliver the commercials to a large audience that includes both the users they want to reach and users who have no interest in those commercials.
In a preferred advertising strategy, advertisers target a selected group of users who are more likely to be interested in the commercials, and deliver the commercials only to that group. Until recently, such targeted advertising was not possible in broadcast communications, because the communications network through which the commercials were sent did not allow delivery to specified users only. However, recent advances in communications networks have made such selective delivery of broadcast advertising possible.
Figure 1 depicts one such illustrative, improved prior art communications network 10. Illustratively, the communications network 10 can be any type of network, such as a telephone network, a computer network, a local area network (LAN), a wide area network (WAN), a cable television network, etc. As shown, network 10 interconnects sources 21 and 22, such as advertisers, to destinations 31, 32, 33 and 34, such as users or subscribers.
The communications network 10 can transport video, audio and other data from a source, for example source 21, only to specific ones of the destinations 31-34, for example destinations 31 and 33. For example, the video, audio and other data can be transmitted as a bit stream organized into packets. Each packet contains a header portion which includes at least one identifier for a destination 31, 32, 33 and/or 34 that is unique across network 10 (for example, identifiers for destinations 31 and 33). These identifiers are referred to as network addresses. The packet is routed through the communications network 10 only to those destinations 31 and 33 specified by the network addresses contained in the header of the packet.
To implement the targeted advertising strategy, advertisers must be able to determine to which users the commercials are sent. Advantageously, demographic data about the users is compiled in a database. A database is defined as a collection of data, organized according to a data model, which can be accessed via queries. The invention is illustrated herein using a relational database model. A relational database, or relation, can be organized as a two-dimensional table containing rows and columns of information. Each column of the relation corresponds to a particular attribute and has a domain comprising the data values of that attribute. Each row of a relation, which includes one value for each attribute, is known as a record.
Figure 2 shows an exemplary (prior art) relational database Y. The relation Y of Figure 2 contains data about a population group. The relation Y has six attributes or columns 2-1, 2-2, 2-3, 2-4, 2-5 and 2-6 for storing, respectively, the name, age, weight, height, social security number and telephone extension data values of the population. The database has twelve records 3-1, 3-2, 3-3, ..., 3-12.
Each record 3-1, 3-2, 3-3, ..., 3-12 has a data value for each attribute. For example, record 3-10 has the name attribute value "Lee", the age attribute value 40, the weight attribute value 171, the height attribute value 180, the social security number attribute value 999-98-7654 and the telephone extension attribute value 0123.
To identify the users selected for a commercial, a profile containing queries is executed against the database. A query is used to identify the records in the database that meet the criteria of interest. A query usually includes a predicate that specifies those criteria. For example, the following query executed against the relation Y:
    Select from Y where Y.Age < 15 OR Y.Age > 50
includes the predicate "where Y.Age < 15 OR Y.Age > 50", specifying that only those records having an age attribute value less than 15 or greater than 50 are to be identified. The advertiser can thus build a profile for execution against the relational database to identify the targeted audience of users.
The problem in implementing such a targeted advertising scheme is that users may be reluctant to disclose the demographic data needed to build the relational database. In particular, users may be concerned about:
(1) direct release of raw information about an individual user,
(2) deduction of non-released information about an individual user from information concerning the identity of the users that match a given profile, and
(3) deduction of non-released information about a specific individual user from knowledge of a series of profiles, together with the number of individual users who received or would receive the commercials corresponding to those profiles.
The first two threats to privacy can be overcome by modifying the communications network in a manner similar to that used to protect the anonymity of users who retrieve video in Hardt-Kornacki & Yacobi, Securing End-User Privacy During Information Filtering, PROC. OF THE CONF. ON HIGH PERF. INFO. FILTERING, 1991. Such a modified network is shown in Figure 3. As shown, the communications network 50 interconnects sources (advertisers) 61, 62 and destinations (users) 71, 72, 73 and 74, similar to network 10 of Figure 1. However, a filter station 80 and a name translator station 90 are also provided, both connected to the communications network 50.
Illustratively, filter station 80 has a memory 82 for maintaining the database of user demographics. In addition, the filter station 80 has a processor 84 that can execute queries against the demographic database stored in the memory 82. Each source, such as source 62, has a server 64 and a memory 66. The server 64 of the source 62 transmits one or more profiles (containing queries that identify particular targeted audiences) to processor 84 of filter station 80. The processor 84 executes each profile query against the relational database stored in the memory 82 to retrieve the pseudonyms assigned to each user identified by each query. The processor 84 then transmits the corresponding pseudonyms for each profile back to the server 64 of the source 62, where they can be stored in the memory 66 for later use.
When the advertiser source 62 wants to transmit a commercial to the targeted user destinations, for example destinations 72 and 74, the server 64 transmits the commercial and the pseudonyms through the network 50. The network 50 delivers the commercial and the pseudonyms to the processor 92 of the name translator station 90. The processor 92 then translates the pseudonyms into their corresponding network addresses, for example using information stored in the memory 94.
The processor 92 of the name translator station 90 then transmits the commercial to the user destinations 72, 74 using the network addresses.
In the modified communications system, the user destination, for example destination 72, knows its own demographic information. The advertiser source, for example source 62, knows its commercial, its profiles and how many users will receive the commercial. The advertiser receives only pseudonyms for the individual users 71-74. Thus, the advertiser does not have the raw demographic information and is not given information that identifies users 71-74 (such as network addresses). The filter station 80 contains information concerning the entire demographic database and receives the profiles submitted by the advertisers. The name translator station 90 contains only the translations of pseudonyms into network addresses and receives the pseudonyms and commercials. Network 50 receives only the commercial and the network addresses of the destinations.
Despite those protections, the advertiser still obtains some results from the execution of the profile queries against the demographic database, such as the number of users that match the profile. This may be enough information to deduce personal information about a user. For example, suppose that the advertiser knows the identities of 100 users in zip code 07090 who are stamp collectors. Also, suppose the advertiser submits a profile to find all the users in zip code 07090 who collect stamps and who have an annual income of $50,000 to $100,000. If 100 pseudonyms are returned to the advertiser, then the advertiser successfully deduces the salary range of all 100 stamp collectors. This threat, where the results of a query may lead to the deduction of private information, is referred to as a "tracker attack".
Stated more generally, a "tracker" is a special case of a linear system that involves solving the equation:
    HX = Q    (1)
where H is a matrix that represents the records that satisfy corresponding queries, in which each column j represents a different record, each row i represents a different query, and each matrix element h_ij = 1 if the j-th record satisfies the predicate C_i of the i-th query and is 0 otherwise; C is a vector that represents the predicates used in each i-th query; X is a vector representing the (unknown) records that satisfy the predicates C (to be solved for by equation (1)); and Q is a vector of counts or other results returned by each i-th query, containing elements q_i where each q_i is the sum (or other result returned by the i-th query) over an attribute of the records retrieved by the i-th query.
The prior art has proposed some solutions to protect statistical relational databases against tracker attacks. Dobkin, Jones & Lipton, Secure Databases: Protection Against User Inference, ACM TRANS. ON DATABASE SYS., Vol. 4, No. 1, Mar., 1979, p. 97-106 proposes restricting query set overlap, that is, preventing the submission of multiple similar query sets, to prevent this type of attack. However, such a control is difficult to implement because a history of all previously submitted query sets must be maintained and compared against the most recently submitted query.
A "cell suppression" technique has also been proposed, in which statistics, or other results of query execution, that can reveal sensitive information are never released. However, cell suppression techniques are best suited to queries that produce two-dimensional and three-dimensional tables, not to the arbitrary queries that are of interest in implementing targeted advertising.
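The linear system of equation (1) can also be read from the filter station's side, as an audit over the query history that overlap control would have to keep. The following is an added example, not code from the patent: it assumes x_j is record j's unknown value of the summed attribute, and the function names and sample matrices are constructed for illustration.

```python
from fractions import Fraction


def rref(H):
    """Reduced row echelon form of the 0/1 query matrix H, over the rationals."""
    rows = [[Fraction(v) for v in row] for row in H]
    ncols = len(rows[0]) if rows else 0
    rank = 0
    for col in range(ncols):
        pivot = next((r for r in range(rank, len(rows)) if rows[r][col] != 0), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        lead = rows[rank][col]
        rows[rank] = [v / lead for v in rows[rank]]
        for r in range(len(rows)):
            if r != rank and rows[r][col] != 0:
                factor = rows[r][col]
                rows[r] = [a - factor * b for a, b in zip(rows[r], rows[rank])]
        rank += 1
        if rank == len(rows):
            break
    return rows[:rank]


def exposed_records(H):
    """Indices j whose x_j is fixed by HX = Q whatever Q is.

    x_j is determined exactly when the unit vector e_j lies in the row
    space of H, which in reduced row echelon form means a row with a
    single non-zero entry.
    """
    exposed = []
    for row in rref(H):
        nonzero = [j for j, v in enumerate(row) if v != 0]
        if len(nonzero) == 1:
            exposed.append(nonzero[0])
    return sorted(exposed)


def newly_exposed(history, candidate):
    """Records that become deducible if `candidate` is answered after `history`."""
    before = set(exposed_records(history))
    after = set(exposed_records(history + [candidate]))
    return sorted(after - before)


# Constructed history over four records: row i marks the records matched by query i.
SAMPLE_H = [
    [1, 1, 1, 0],   # query 1 matches records 0, 1, 2
    [0, 1, 1, 0],   # query 2 matches records 1, 2 (q_1 - q_2 isolates record 0)
    [0, 0, 1, 1],   # query 3 matches records 2, 3
]

if __name__ == "__main__":
    print("exposed by history:", exposed_records(SAMPLE_H))
    print("exposed by answering [0,1,1,0] after [1,1,1,0]:",
          newly_exposed([[1, 1, 1, 0]], [0, 1, 1, 0]))
```

Every answered query adds a row to the history and the elimination is repeated over all of it, which is the bookkeeping cost the text attributes to overlap control.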
Random noise techniques have been proposed, in which a random number is subtracted from the results returned by a query. This solution is not satisfactory for implementing targeted advertising because the result presented to the advertiser would then be inherently inaccurate. In an alternative scheme proposed in Warner, Randomized Response: A Survey Technique for Eliminating Evasive Answer Bias, 60 J. OF THE AM. STAT. ASSOC. p. 63-69 (1965), individuals may enter erroneous values into the relational database a certain percentage of the time. The problem with this strategy is that advertisers would then send commercials to the wrong audience a certain percentage of the time. Denning, Secure Statistical Databases Under Random Sample Queries, ACM TRANS. ON DATABASE SYS., Vol. 5, No. 3, Sept., 1980, p. 291-315 describes a noise technique in which queries are applied only to random subsets of the records, instead of to all the records in the relational database. In addition to the specific disadvantages mentioned above, one or more of the noise addition techniques described above can be subverted by a variety of noise removal methods.
Yu & Chin, A Study on the Protection of Statistical Database, PROC. ACM SIGMOD INTL CONF. ON THE MGMT. OF DATA, p. 169-181 (1977) and Chin & Ozsoyoglu, Security in Partitioned Dynamic Statistical Databases, PROC. IEEE COMPSAC CONF., p. 549-601 (1979) describe methods for dividing the relational database into discrete partitions.
All the above methods were developed mainly for statistical databases and do not have properties that allow the implementation of targeted advertising. In particular, the above methods do not provide accurate identification of the records that satisfy queries, or do not provide an exact count (or other returned query result) of the records retrieved. However, both of these properties are important in targeted advertising.
First, it is important to reach exactly all the users whose demographic data match a submitted profile. Second, it is vital to obtain an accurate count of the identified users, both for billing the advertiser and for deciding whether or not the profile identifies a desirable number of users to receive the advertisement.
Therefore, an object of the present invention is to overcome the disadvantages of the prior art. Another object of the present invention is to provide a targeted advertising method which preserves the privacy of the users' confidential information. In particular, an object of the present invention is to reduce the ability of advertisers to deduce confidential information about users from the results of one or more profile queries executed against relational demographic databases.
BRIEF DESCRIPTION OF THE INVENTION
These and other objects are achieved in accordance with the present invention. According to one embodiment, the present invention can maintain the confidentiality of the information in a database for use in a communications system environment. As in the prior art communications system, this embodiment provides a communications network that interconnects an advertiser, users or subscribers, a filter station and a name translator station. Illustratively, the filter station maintains a demographic database of information about the users. However, the invention can work with databases that store any type of information, and with both relational and non-relational databases.
To obtain a targeted audience for an advertisement, the advertiser can submit one or more profiles containing queries to the filter station. The filter station executes the profile queries against the demographic database to identify the records corresponding to users that match the profile of the targeted audience. To preserve the anonymity of the users, the filter station transmits to the advertiser pseudonyms, instead of identifying information, for the users identified by the profile. When the advertiser wishes to deliver a commercial to the targeted audience of users, the advertiser transmits the commercial and the pseudonyms via the communications network to the name translator station. The name translator station then translates the received pseudonyms into the network addresses of the users, using its translation table, and transmits the commercial to the users via the communications network.
Like the conventional communications network, the communications network in accordance with one embodiment of the present invention restricts the access of advertisers to the relational demographic database and discloses pseudonyms to advertisers instead of the actual network addresses of the users.
This prevents: (1) disclosure of the raw information in the database to the advertiser, and (2) deduction of confidential information based on the identity of the users. However, unlike the conventional communications system, the present invention also reduces the ability of the advertiser to deduce confidential information from the results returned by the filter station in response to the profile queries submitted by the advertiser. That is, the present invention protects against tracker attacks and other types of threats to confidentiality in which the advertiser tries to deduce confidential information about the users in the database, for example from the mere number of pseudonyms returned in response to a profile query.
To achieve this protection in the present invention, the attributes are divided into two classes, namely public attributes, for which confidentiality protection is not provided, and private attributes, for which confidentiality protection is provided. To prevent an advertiser from deducing private attribute values, the database is then processed to reduce any high correlation between public attribute values and private attribute values. A vector of one or more particular public attribute values is said to have a high correlation with a private attribute value if: (1) the vector of particular public attribute values identifies a group of records of the database having public attribute values that match the vector, and (2) the level of uncertainty regarding the values of the private attribute in the identified group is less than a predetermined threshold. Stated another way, a specific vector of public attribute values may correspond to a small number of private attribute values, thus reducing the uncertainty about the private attribute values when the public attribute values are known.
In the worst case, the vector of public attribute values would correspond to a single private attribute value. There could then be a high level of certainty in determining the actual private attribute values of the group of records identified by a given vector of public attributes. Illustratively, if the number of distinct private attribute values for the group identified by that vector is less than a predetermined threshold number, then the correlation of the public attributes is unacceptably high. In the present invention, a public attribute value with an unacceptably high correlation with one or more private attribute values is referred to as a "highly correlated public attribute value".
According to one embodiment, records containing public attribute values that are highly correlated with private attribute values are processed either to camouflage the public attributes of the record or to remove those records from identification in the database. The records are "camouflaged" by combining the specific public attribute values of the records that are highly correlated with one or more specific private attribute values with other public attribute values of the records, to reduce the correlation.
A method and system are therefore provided in which attributes are classified as private or public, and in which the correlation between public and private attributes is reduced by camouflaging highly correlated public attribute values. The invention thus introduces an adjustable level of uncertainty into the deduction of private information from the results of queries executed against the relational database of demographic data.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 depicts an ordinary prior art communications network.
Figure 2 depicts a relational database of demographic data.
Figure 3 depicts a prior art communications network with privacy protection of the users' network addresses.
Figure 4 depicts a communications network, in accordance with an embodiment of the present invention, with anonymity protection of private user information.
Figure 5 schematically depicts a flow chart illustrating a method in accordance with an embodiment of the present invention.
DETAILED DESCRIPTION OF THE INVENTION
As mentioned above, the present invention can protect the confidentiality of virtually any type of information, in both relational and non-relational databases, and in a variety of environments including communications networks. For simplicity and clarity, the invention is illustrated below using a communications network environment and a relational database containing demographic information. In the embodiment discussed below, the advertisers submit queries for execution against the relational demographic database in order to identify a targeted audience for the delivery of advertising. Again, this is illustrative; the invention can also work in other applications where queries are submitted to achieve other goals.
Figure 4 shows an illustrative communications network 100 in accordance with the present invention. As shown, advertisers 121 and 122, users 131, 132, 133 and 134, and a name translator station 140 are provided, all connected to the communications network 100. In addition, a filter station 150 is provided, which is adapted in accordance with the present invention. The filter station 150 has a processor 155 and a memory 160 connected thereto. Like the processor 84 and the memory 82 of the conventional filter station 80 (Figure 3), the processor 155 and the memory 160 can perform various functions to prevent disclosure of the raw data to advertisers 121-122. The processor 155 and memory 160 can also perform functions to prevent the deduction, by advertisers 121-122, of private information from the identification of the users (from their network addresses). The processor 155 can receive demographic information from the users 131-134 and can build a relational demographic database. Processor 155 may store the relational demographic database in memory 160.
Processor 155 may also receive from advertisers 121-122, such as advertiser 122, profiles containing queries for execution against the relational database. In response, the processor 155 identifies the records in the relational database that match the profile. The processor 155 then transmits the identifier and the pseudonyms to the advertiser 122.
The processor 155 and the memory 160 of the filter station 150 are also capable of processing the relational demographic database to reduce the advertisers' ability to deduce private information from the results returned by the filter station 150 in response to profile queries submitted by the advertisers. In the discussion that follows, it is presumed that advertisers use the number of returned pseudonyms to deduce private information, although the discussion is general enough to apply to any results returned in response to profile queries.
The processing by processor 155 and memory 160 can be summarized as dividing the database into public attributes, for which it is not necessary to provide confidentiality protection, and private attributes, for which confidentiality protection is provided. In providing confidentiality protection, it should be noted that some of the information in the relational demographic database is already assumed to be public, or otherwise not subject to confidentiality protection. For example, consider a frequent flyer database containing the following attributes: zip code, telephone number, occupation, dietary restrictions, and economic status. The telephone number of an individual user may be widely published in a telephone directory. In addition, the occupation of an individual user, although not widely published, may be considered non-confidential or non-personal. On the other hand, other information, such as dietary restrictions and economic level, can be presumed to be personal and confidential.
After dividing the database, the correlation between public attributes and private attributes is reduced by camouflaging some of the highly correlated public attribute values, and completely eliminating some records that contain highly correlated public attribute values, which are difficult to camouflage.
The processor 155 can also partition out an identification attribute of the database, which uniquely identifies each record. This identifier could be a network address, social security number, etc. That information can only be the subject of a profile query if that query is not executed against private attributes or is used merely to update the corresponding record in the database.
Illustratively, public attributes are further divided into important public attributes and non-important public attributes. Advertisers are allowed to specify attribute values of important public attributes with a greater degree of certainty than those of non-important public attributes. Illustratively, advertisers can specify which of the attributes are to be treated as important. The invention is illustrated below with the division into important and non-important public attributes.
In the discussion that follows, vector A represents the public attributes of a specified set or group of records, and each component <A_1, ..., A_n> of A represents an individual public attribute vector. Vector A' represents the important public attributes of a specified set or group of records, and each component <A'_1, ..., A'_m> of A' represents an individual important public attribute vector. Vector A'' represents the non-important public attributes of a specified set or group of records, and each component <A''_1, ..., A''_t> of A'' represents an individual non-important public attribute vector. The vector P represents the private attributes of a specified set or group of records, and the components <P_1, ..., P_q> represent individual private attribute vectors. The vector K represents a vector of uncertainty thresholds for the private attributes P.
Illustratively, each component k_i of K is a threshold count of distinct private attribute values in P_i. Each uncertainty threshold k_i can be set or adjusted dynamically by processor 155 to adjust the level of confidentiality protection. Vectors V, V', V'' and U represent vectors of particular attribute values <v_1, ..., v_n>, <v'_1, ..., v'_j, ..., v'_m>, etc. for the public attributes A, A' or A'' of a single record. Herein, the notation A_1 = v_1, ..., A_n = v_n refers to a single record (that is, a row of the relational database) for which each designated public attribute vector, for example A_i, takes the corresponding attribute value, for example v_i.
Figure 5 is a flow chart schematically illustrating a process executed by processor 155 and memory 160 to protect the confidentiality of demographic information against deduction by advertisers 121-122. In a first step 202, the processor 155 divides the attributes of the database into public attributes A_1, ..., A_n, which contain non-confidential information, and private attributes P_1, ..., P_q, which contain confidential information. For example, suppose the attributes are age, height, religious affiliation, and salary. The age and height attributes could be designated as public attributes, while the religious affiliation and salary attributes could be designated as private attributes.
Then, in steps 204-226, the processor 155 removes high correlations between the public and private attributes of the records in the database. In other words, consider a specific vector of particular attribute values V such that A_1 = v_1, A_2 = v_2, ..., A_n = v_n. This vector V identifies a group of records whose values for the public attributes A_1, ..., A_n match V.
The database is processed to ensure that, for any such group of records identified by any vector V, there is a threshold level of uncertainty k_i about the values of any private attribute P_i in the identified set. For example, consider a database that has only the public attributes age and occupation and only the private attribute salary range. The database may have certain age and occupation vectors (for example, <age: 35, occupation: doctor>) for which there are relatively few different salary values (for example, salary: top 5%). When the database is processed, certain attribute values are combined in an attempt to "camouflage" the records whose private attributes could otherwise be easily deduced. Other records that cannot be camouflaged are deleted. (As discussed in more detail later, "deleted" records can be excluded from query execution and thus never receive targeted advertising. Alternatively, "deleted" records are not excluded from query execution or from targeted advertising. However, the processor 155 must then take steps to ensure that the confidentiality of the private attribute values of those deleted records is not compromised by the execution of the query.)
In steps 204-210, processor 155 divides the database into a "secure" set F and an "unsecured" set R of records. In step 204, the processor forms each possible vector of important public attribute values V', which includes an attribute value <v'_1, ..., v'_j, ..., v'_m> for each important public attribute A'_1, ..., A'_j, ..., A'_m. For example, the following are different vectors that can be formed in a database with important public attributes such as age, weight, and occupation and with the private attribute salary: <age = 53, occupation = doctor>; <age = 35, occupation = doctor>; <age = 35, occupation = minister>; etc. A group of records corresponds to each of these vectors V'.
That is, each record in a particular group contains the same important attribute values as the vector V' to which the group corresponds. For example, the vector <age = 35, occupation = minister> could identify the records:

age = 35, occupation = minister, salary = 70%
age = 35, occupation = minister, salary = 70%
age = 35, occupation = minister, salary = 65%
age = 35, occupation = minister, salary = 35%
age = 35, occupation = minister, salary = 40%
age = 35, occupation = minister, salary = 40%
age = 35, occupation = minister, salary = 15%

In step 206, for each group thus formed, processor 155 compares the number of distinct attribute values of each private attribute P_i of the group with the corresponding uncertainty threshold k_i. If there are at least k_i distinct private attribute values in the group for each i-th private attribute P_i, the processor 155 adds the group of records to the set F in step 208. Otherwise, the processor 155 adds the group of records to the set R in step 210. For example, suppose that k_i is set to 4 in the previous example of age, occupation and salary. In that case there are 5 different values for the private salary attribute, namely 70%, 65%, 40%, 35% and 15%. Thus, all these records can be added to the set F. On the other hand, suppose that another group of records was identified for the vector <age = 35, occupation = doctor>, as follows:

age = 35, occupation = doctor, salary = 5%
age = 35, occupation = doctor, salary = 5%
age = 35, occupation = doctor, salary = 10%
age = 35, occupation = doctor, salary = 10%
age = 35, occupation = doctor, salary = 5%
age = 35, occupation = doctor, salary = 10%
age = 35, occupation = doctor, salary = 5%
age = 35, occupation = doctor, salary = 15%
age = 35, occupation = doctor, salary = 5%
age = 35, occupation = doctor, salary = 5%
age = 35, occupation = doctor, salary = 15%

This group has only 3 different values of the salary attribute, namely 5%, 10%, and 15%.
Thus, processor 155 adds these records to set R.

Then, in steps 212-222, processor 155 combines selected important public attribute values. In step 212, the processor 155 selects an important attribute A'_j. Illustratively, the processor 155 selects each j-th important attribute A'_j in decreasing order of the number of distinct attribute values across the entire database. The processor 155 then executes the steps 214-226 with the selected important public attribute A'_j. In step 214, the processor 155 identifies each distinct value v'_j of the selected important public attribute A'_j in the set R. In step 216, the processor 155 then identifies each record in both sets F and R having each important public attribute value v'_j (identified in the set R) for the important public attribute A'_j. For example, suppose that age is selected as the attribute A'_j. Then age = 35 is a public attribute value that is contained by the records with public attribute values <age = 35, occupation = doctor> in the set R.
Age = 35 is also a public attribute value contained by the records with public attribute values <age = 35, occupation = minister> in set F. Therefore, the following records are identified in sets R and F:

age = 35, occupation = minister, salary = 70%
age = 35, occupation = minister, salary = 70%
age = 35, occupation = minister, salary = 65%
age = 35, occupation = minister, salary = 35%
age = 35, occupation = minister, salary = 40%
age = 35, occupation = minister, salary = 40%
age = 35, occupation = minister, salary = 15%
age = 35, occupation = doctor, salary = 5%
age = 35, occupation = doctor, salary = 5%
age = 35, occupation = doctor, salary = 10%
age = 35, occupation = doctor, salary = 10%
age = 35, occupation = doctor, salary = 5%
age = 35, occupation = doctor, salary = 10%
age = 35, occupation = doctor, salary = 5%
age = 35, occupation = doctor, salary = 15%
age = 35, occupation = doctor, salary = 5%
age = 35, occupation = doctor, salary = 5%
age = 35, occupation = doctor, salary = 15%

Then, in step 218, the processor identifies each distinct vector V'' in the identified records of sets F and R, where the vector V'' includes important public attribute values v''_1, ..., v''_(j-1), v''_(j+1), ..., v''_m for the important public attributes A'_1, ..., A'_(j-1), A'_(j+1), ..., A'_m other than A'_j. A group of records in the sets R and F corresponds to each distinct vector V''. That is, each record in a particular group has the attribute values of the particular vector V'' to which the group corresponds. Those records are identified by the processor 155 in step 218. For example, assume that the public attributes are age, weight and height, and the private attribute is the salary.
Suppose that the values v'_j = 35 and v'_j = 53 identify the following records:

age = 35, weight = 150, height = 6 feet, salary = 5%
age = 53, weight = 150, height = 6 feet, salary = 10%
age = 35, weight = 160, height = 6 feet, salary = 10%
age = 53, weight = 160, height = 5.5 feet, salary = 15%
age = 35, weight = 150, height = 5.5 feet, salary = 5%
age = 53, weight = 150, height = 5.5 feet, salary = 10%
age = 35, weight = 150, height = 5.5 feet, salary = 15%
age = 53, weight = 160, height = 6 feet, salary = 20%

The vectors V'' are <weight = 150, height = 6 feet>, <weight = 160, height = 6 feet>, <weight = 150, height = 5.5 feet> and <weight = 160, height = 5.5 feet>. The groups identified are the following:

weight = 150, height = 6 feet:
age = 35, weight = 150, height = 6 feet, salary = 5%
age = 53, weight = 150, height = 6 feet, salary = 10%

weight = 160, height = 6 feet:
age = 35, weight = 160, height = 6 feet, salary = 10%
age = 53, weight = 160, height = 6 feet, salary = 20%

weight = 160, height = 5.5 feet:
age = 53, weight = 160, height = 5.5 feet, salary = 15%

weight = 150, height = 5.5 feet:
age = 35, weight = 150, height = 5.5 feet, salary = 5%
age = 53, weight = 150, height = 5.5 feet, salary = 10%
age = 35, weight = 150, height = 5.5 feet, salary = 15%

Then, in step 220, if there are at least k_i distinct private attribute values in a group for each i-th private attribute P_i, the processor 155 combines all the values in the group for the important public attribute A'_j. Illustratively, each value v'_j can be combined only once. For example, suppose that k = 3 for the salary. Then the group corresponding to the vector V'' = <weight = 150, height = 5.5 feet> satisfies the uncertainty threshold. The age attribute values are therefore combined to produce the records:

age = {35, 53}, weight = 150, height = 5.5 feet, salary = 5%
age = {35, 53}, weight = 150, height = 5.5 feet, salary = 10%
age = {35, 53}, weight = 150, height = 5.5 feet, salary = 15%

In step 222, processor 155 substitutes a representative public attribute value for each combination. Continuing with the example, the representative value can be the first public attribute value v'_j selected, that is, age = 35, to produce the records:

age = 35, weight = 150, height = 5.5 feet, salary = 5%
age = 35, weight = 150, height = 5.5 feet, salary = 10%
age = 35, weight = 150, height = 5.5 feet, salary = 15%

In step 224, processor 155 identifies each distinct vector V''' of the important public attributes A' in the set F. In step 226, the processor 155 also identifies each vector U of non-important public attribute values, that is, the values u_1, ..., u_t such that A''_1 = u_1, A''_2 = u_2, ..., A''_t = u_t, occurring with each distinct vector V''' of attribute values of the important public attributes A'. In step 226, the processor 155 combines each vector U of non-important public attribute values with the distinct vector V''' of attribute values of the important public attributes A' with which it occurs. For example, suppose that set F contained the important attributes of sex and age, the non-important attributes of height and weight, and the private attribute of salary. Also, suppose that set F contains the following records before this step:

sex = M, age = 35, weight = 180, height = 6 feet, salary = 10%
sex = M, age = 35, weight = 175, height = 5 feet, salary = 15%
sex = M, age = 35, weight = 180, height = 6 feet, salary = 25%
sex = M, age = 35, weight = 180, height = 6 feet, salary = 15%
sex = M, age = 35, weight = 175, height = 6 feet, salary = 15%
sex = M, age = 35, weight = 180, height = 5 feet, salary = 10%
sex = M, age = 35, weight = 175, height = 5 feet, salary = 10%
sex = F, age = 35, weight = 120, height = 6 feet, salary = 10%
sex = F, age = 35, weight = 120, height = 6 feet, salary = 15%
sex = F, age = 35, weight = 120, height = 5 feet, salary = 25%
sex = F, age = 30, weight = 110, height = 5 feet, salary = 10%
sex = F, age = 30, weight = 110, height = 5 feet, salary = 15%
sex = F, age = 30, weight = 120, height = 6 feet, salary = 15%
sex = F, age = 30, weight = 110, height = 5 feet, salary = 25%

The distinct vectors V''' of important public attribute values A' are <sex = F, age = 35>, <sex = F, age = 30> and <sex = M, age = 35>.
The vectors U that occur with V''' = <sex = F, age = 35> are <weight = 120, height = 6 feet> and <weight = 120, height = 5 feet>. The vectors U that occur with V''' = <sex = F, age = 30> are <weight = 110, height = 5 feet> and <weight = 120, height = 6 feet>. The vectors U that occur with V''' = <sex = M, age = 35> are <weight = 180, height = 6 feet>, <weight = 175, height = 5 feet> and <weight = 180, height = 5 feet>. The combined records are as follows:

sex = M, age = 35, <weight = 180, 175>, <height = 6.5 feet>, salary = 10%
sex = M, age = 35, <weight = 180, 175>, <height = 6.5 feet>, salary = 15%
sex = M, age = 35, <weight = 180, 175>, <height = 6.5 feet>, salary = 25%
sex = M, age = 35, <weight = 180, 175>, <height = 6.5 feet>, salary = 15%
sex = M, age = 35, <weight = 180, 175>, <height = 6.5 feet>, salary = 15%
sex = M, age = 35, <weight = 180, 175>, <height = 6.5 feet>, salary = 15%
sex = M, age = 35, <weight = 180, 175>, <height = 6.5 feet>, salary = 10%
sex = F, age = 35, <weight = 120, 110>, <height = 6.5 feet>, salary = 10%
sex = F, age = 35, <weight = 120, 110>, <height = 6.5 feet>, salary = 15%
sex = F, age = 35, <weight = 120, 110>, <height = 6.5 feet>, salary = 25%
sex = F, age = 35, <weight = 120, 110>, <height = 6.5 feet>, salary = 10%
sex = F, age = 35, <weight = 120, 110>, <height = 6.5 feet>, salary = 15%
sex = F, age = 35, <weight = 120, 110>, <height = 6.5 feet>, salary = 15%
sex = F, age = 35, <weight = 120, 110>, <height = 6.5 feet>, salary = 25%

Note that in the previous process, where public attributes are divided into important public attributes and unimportant public attributes, only important public attributes are checked to determine whether they might require camouflage. Non-important public attributes are simply combined as stated in step 224.
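The following Python sketch is an added example, not code from the patent: it runs steps 204-222 on the age/weight/height/salary records given above with k = 3 for salary. The function names are hypothetical, and taking the representative value from the first record of a combined group is an assumption.

```python
from collections import defaultdict

# Constructed from the age/weight/height/salary example in the text;
# salary is the private attribute, given as a percentage figure.
RECORDS = [
    {"age": 35, "weight": 150, "height": 6.0, "salary": 5},
    {"age": 53, "weight": 150, "height": 6.0, "salary": 10},
    {"age": 35, "weight": 160, "height": 6.0, "salary": 10},
    {"age": 53, "weight": 160, "height": 5.5, "salary": 15},
    {"age": 35, "weight": 150, "height": 5.5, "salary": 5},
    {"age": 53, "weight": 150, "height": 5.5, "salary": 10},
    {"age": 35, "weight": 150, "height": 5.5, "salary": 15},
    {"age": 53, "weight": 160, "height": 6.0, "salary": 20},
]
IMPORTANT = ["age", "weight", "height"]   # important public attributes A'
THRESHOLDS = {"salary": 3}                # k_i for each private attribute P_i


def group_by(records, attrs):
    """Group records by their vector of values for attrs (insertion order kept)."""
    groups = defaultdict(list)
    for rec in records:
        groups[tuple(rec[a] for a in attrs)].append(rec)
    return groups


def meets_thresholds(group, thresholds):
    """True if each private attribute has at least k_i distinct values in the group."""
    return all(len({rec[p] for rec in group}) >= k for p, k in thresholds.items())


def split_secure_insecure(records, important, thresholds):
    """Steps 204-210: build the secure set F and the insecure set R."""
    secure, insecure = [], []
    for group in group_by(records, important).values():
        (secure if meets_thresholds(group, thresholds) else insecure).extend(group)
    return secure, insecure


def combine_on(secure, insecure, important, selected, thresholds):
    """Steps 214-222 for one selected important attribute.

    Returns (camouflaged_or_secure, still_insecure, merges); merges maps each
    vector V'' to the attribute values folded into its representative value.
    """
    risky = {rec[selected] for rec in insecure}                          # step 214
    candidates = [r for r in secure + insecure if r[selected] in risky]  # step 216
    result = [r for r in secure if r[selected] not in risky]
    others = [a for a in important if a != selected]
    still_insecure, merges = [], {}
    for vector, group in group_by(candidates, others).items():           # step 218
        # Dropping an attribute only coarsens the groups, so a group that
        # contains records from F still meets the thresholds.
        if meets_thresholds(group, thresholds):                          # step 220
            representative = group[0][selected]        # step 222 (assumed choice)
            merges[vector] = sorted({r[selected] for r in group})
            result.extend({**r, selected: representative} for r in group)
        else:
            still_insecure.extend(group)
    return result, still_insecure, merges


def demo():
    secure, insecure = split_secure_insecure(RECORDS, IMPORTANT, THRESHOLDS)
    return combine_on(secure, insecure, IMPORTANT, "age", THRESHOLDS)


if __name__ == "__main__":
    camouflaged, dropped, merges = demo()
    for rec in camouflaged:
        print(rec)
    print("merged age values:", merges, "| records left insecure:", len(dropped))
```

Only the <weight = 150, height = 5.5 feet> group reaches three distinct salaries, so the other five records stay in the insecure set, matching the worked example.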
As mentioned above, advertisers illustratively specify which of the public attributes A are important public attributes A' and which are non-important public attributes A''. This is significant because the division of public attributes into important and unimportant ones governs which public attributes are checked to determine whether they require camouflage, and which public attributes are simply combined in step 224.

After executing steps 202-224, the processor 155 can store the records of the set F as the new demographic database. Illustratively, the processor 155 discards, that is, does not execute queries against, the records of the set R. Then, queries against the new demographic database can be executed. However, advertisers should be aware of the existence of merged values and should refer to the combined public attribute values when formulating profile queries.

Alternatively, instead of constructing a new relational demographic database, the processor 155 maintains a record in the memory 160 that indicates the division of the attribute values. Consider the database discussed above in relation to step 224. The following are examples of divisions that result from steps 202-224:

(1) for sex = F, age = 35, the records are:
sex = F, age = 35, <weight = 120, 110>, <height = 6.5 feet>, salary = 10%
sex = F, age = 35, <weight = 120, 110>, <height = 6.5 feet>, salary = 15%
sex = F, age = 35, <weight = 120, 110>, <height = 6.5 feet>, salary = 25%

(2) for sex = F, age = 30, the records are:
sex = F, age = 30, <weight = 120, 110>, <height = 6.5 feet>, salary = 10%
sex = F, age = 30, <weight = 120, 110>, <height = 6.5 feet>, salary = 15%
sex = F, age = 30, <weight = 120, 110>, <height = 6.5 feet>, salary = 15%
sex = F, age = 30, <weight = 120, 110>, <height = 6.5 feet>, salary = 25%

Processor 155 maintains a record containing indications of the divisions.
However, if this is done, the processor 155 must perform some further processing to ensure that no profile query violates the division. That is, queries that identify all records within a division do not violate the division. However, queries that attempt to identify only some of the records within a division violate the division. Stated more formally, a query is said to violate a division if the following occurs. Suppose there are two records, represented as database row vectors T_1 = <A_1 = v_1, ..., A_k = v_k, ..., A_n = v_n> and T_2 = <A_1 = u_1, ..., A_k = u_k, ..., A_n = u_n>, where both records T_1 and T_2 are in the same division. That is, for each important attribute A_1, ..., A_k, v_1 = u_1, v_2 = u_2, ..., and v_k = u_k. A query violates the division if it has criteria directed to both private and public attributes, and if the query is satisfied by the record T_1 but not by the record T_2.

To determine whether a profile query violates the division, the processor 155 can execute the profile query against the relational demographic database. The processor 155 can then compare the records identified by the profile query with the unidentified records of the relational demographic database to determine whether there is an unidentified record T_2 and an identified record T_1 whose corresponding attribute values are in the same division as described above. If a profile query violates the division, the processor 155 can reject the profile query outright. Alternatively, the processor 155 modifies the set of identified records by also identifying, that is, including, the records T_2 that were not initially identified by the query, to eliminate the violation of the division. However, if such modifications are made, processor 155 should notify the advertiser of the modification and its nature.
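The violation test and the "include the whole division" repair described above can be sketched as follows. This is an added example, not the patent's code: the records, the `id` field and the function name `evaluate_query` are constructed for illustration.

```python
from collections import defaultdict

# Constructed records; "id" stands in for a record pseudonym.
RECORDS = [
    {"id": "r1", "sex": "F", "age": 35, "salary": 10},
    {"id": "r2", "sex": "F", "age": 35, "salary": 15},
    {"id": "r3", "sex": "F", "age": 35, "salary": 25},
    {"id": "r4", "sex": "F", "age": 30, "salary": 10},
    {"id": "r5", "sex": "F", "age": 30, "salary": 15},
    {"id": "r6", "sex": "F", "age": 30, "salary": 25},
]
IMPORTANT = ("sex", "age")   # important public attributes that define a division
PRIVATE = {"salary"}         # private attributes


def evaluate_query(records, criteria, important=IMPORTANT, private=PRIVATE):
    """Run a profile query and check it against the divisions.

    criteria maps an attribute name to a predicate on its value. The query
    violates a division when it has criteria on both public and private
    attributes and is satisfied by some record T_1 of a division but not by
    another record T_2 of the same division.
    """
    matched = [r for r in records
               if all(test(r[a]) for a, test in criteria.items())]
    matched_ids = {r["id"] for r in matched}
    mixes = bool(set(criteria) & private) and bool(set(criteria) - private)

    divisions = defaultdict(list)
    for r in records:
        divisions[tuple(r[a] for a in important)].append(r)

    split, expanded = [], []
    for key, members in divisions.items():
        hits = [r for r in members if r["id"] in matched_ids]
        if not hits:
            continue
        expanded.extend(r["id"] for r in members)   # the whole division
        if len(hits) < len(members):
            split.append(key)                       # only part of it matched

    violates = mixes and bool(split)
    return {
        "violates": violates,
        "matched": sorted(matched_ids),
        # Repair option: return every record of each touched division.
        "expanded": sorted(expanded) if violates else sorted(matched_ids),
        # Text for the notice sent to the advertiser about the modification.
        "notify": [f"division {k} returned in full" for k in split] if violates else [],
    }
```

A caller that prefers the stricter option from the text rejects the query whenever `violates` is true instead of using `expanded`.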
Illustratively, the processor 155 accomplishes this by describing the content of the divisions of the attributes specified in the advertiser's query. For example, the processor 155 may transmit a message to the advertiser regarding the modifications.

Briefly, a system and method are described for protecting a database against the deduction of confidential attribute values contained in it. A memory is provided to store the database and a processor is provided to process the database. Using the processor, the database is electronically divided or partitioned into public attributes, which contain non-confidential attribute values, and private attributes, which contain private attribute values. The processor is then used to electronically process the values of private attributes to reduce any high correlation between the values of public attributes and the values of private attributes. Specifically, the processor can divide the database into secure records and insecure records, so that each insecure record is a member of a group that: (1) is identified by a vector of attribute values (i.e., each record of the group has public attribute values that match the vector), and (2) has a level of uncertainty as to at least one value of a private attribute that is less than a threshold level of uncertainty. The processor can then selectively combine the public attribute values of the records to camouflage those records against the deduction of their private attribute values beyond the threshold level of uncertainty, or can eliminate those records from the database.
This is achieved by: (1) identifying all records that contain particular attribute values for a selected public attribute, which particular values are contained by at least one record with a highly correlated public attribute value, (2) identifying groups of records that correspond to, that is, contain public attribute values that match, distinct vectors of values for the public attributes other than the selected public attribute, (3) combining values of the selected public attribute of each group, if there is at least a threshold level of uncertainty for each private attribute in the group, and (4) eliminating insecure records for which no combination can be made to camouflage them.

Finally, it is intended that the above discussion be merely illustrative of the invention. Persons of ordinary skill in the art can devise numerous alternative embodiments without departing from the spirit and scope of the following claims.

It is noted that, as of this date, the best method known for carrying out the aforementioned invention is that which is clear from the present description of the invention. Having described the invention as above, the content of the following is claimed as property:

Claims (47)

1. A method for protecting a database against the deduction of values of confidential attributes that are found therein, characterized in that it comprises the steps of: using a processor, electronically dividing the database into public attributes, which contain public attribute values , and private attributes that contain private attribute values, and use a processor, electronically process those values to reduce any high correlation between public attribute values and private attribute values.
2. The method according to claim 1, characterized in that the processing step further comprises the step of: using the processor, electronically dividing the records of the database, in a secure set and in an insecure set.
3. The method according to claim 2, characterized in that the processing step further comprises the step of: using the processor, electronically combining a plurality of values of public attributes, of records, in the secure and insecure sets.
4. The method according to claim 2, characterized in that the records are divided into the insecure set if: a vector of attribute values exists, which identifies a group of records having the vector of attribute values, for corresponding public attributes of the same, where a level of uncertainty as to a value of at least one of the private attributes of the group is less than a threshold level of uncertainty.
5. The method according to claim 4, characterized in that the level of uncertainty as to a value of a private attribute of the group is less than the threshold level of uncertainty if the group contains fewer distinct values of the private attribute than a threshold number.
6. The method according to claim 2, characterized in that the public attribute values are further divided into important public attribute values and unimportant public attribute values, and where the records are divided into the insecure set if: there is a vector of attribute values which identifies a group of records that have the vector of attribute values for corresponding important public attributes thereof, where a level of uncertainty as to a value of at least one of the attributes of the group is less than a threshold level of uncertainty.
7. The method according to claim 2, characterized in that the step of dividing the records into safe and insecure sets, further comprises the steps of: using the processor, electronically forming different possible vectors of public attribute values, for the public attributes, and use the processor, for each group of records identified by the vectors of public attribute values, electronically divide the records of the group, in the secure set, if there is at least one threshold level of uncertainty for private attribute values in the group, and divide the group's records into the insecure set.
8. The method according to claim 7, characterized in that each possible vector is formed in the forming step.
9. The method according to claim 7, characterized in that the vectors contain only important public attribute values.
10. The method according to claim 1, characterized in that the processing step further comprises the step of: using the processor, electronically combining a plurality of values of public attributes, of registers, in order to prevent the deduction, beyond a threshold level of uncertainty, of private attribute values of those records.
11. The method according to claim 10, characterized in that in the combination step only important public attribute values are combined.
12. The method according to claim 10, characterized in that it comprises the steps of: using the processor, electronically identifying all the records that contain particular values for a selected public attribute, which particular values are contained in at least one record with a highly correlated public attribute value, using the processor, electronically identifying distinct vectors that have a particular value for each public attribute different from the selected public attribute, and identifying a group of records for each of the distinct vectors, where each record of the identified group has the distinct vector of values for public attributes thereof different from the particular public attribute, and using the processor, electronically combining the values of the selected public attribute of one of those groups that corresponds to one of those distinct vectors, if there is at least a threshold level of uncertainty for each private attribute in the group corresponding to the distinct vector.
13. The method according to claim 12, characterized in that each possible different vector is identified in the identification step.
14. The method according to claim 12, characterized in that at least each register with a highly correlated attribute value is a member of a group of registers that satisfies that: there is a vector of attribute values that identifies the group of records that has the vector of attribute values, for corresponding public attributes, of the same, in which a level of uncertainty, in relation to a value of a private attribute, of the group, is less than a threshold level of uncertainty.
15. The method according to claim 10, characterized in that it further comprises the steps of: using the processor, electronically replacing a representative value for the values of public attributes, combined.
16. The method according to claim 10, characterized in that the public attributes are divided into important public attributes and unimportant public attributes, where the combination step is performed only on the public, important attribute values, and where the method it also includes the step of: using the processor, electronically identifying each different vector of public, important attribute values, and using the processor, electronically combining each different vector of non-important public attribute values, which is presented with each of the vectors other than important public attribute values.
17. The method according to claim 1, characterized in that it further comprises the steps of: using the processor, electronically storing in a memory, a database resulting from the division and processing steps, using the processor, executing the query electronically profiles of an advertiser, and using the processor, to execute the profile query electronically, against the database stored in the memory.
18. The method according to claim 1, characterized in that it further comprises the steps of: before the division and processing steps, using the processor, electronically storing a database in the memory, after those division and processing steps, using the processor, electronically store indications and modifications to the database stored in the memory, modifications that result from the steps of dividing and processing, using the processor, electronically receiving a profile query, from an advertiser, using the processor, executing electronically the query of profiles, against the database stored in memory, and using the processor, electronically reject the query if the query violates a division or partition of the database, which partition is indicated by the indications stored in the memory.
19. The method according to claim 18, characterized in that the query violates the division if: the indications indicate that the database includes a first and second records, in the same division, the profile query specifies the criteria directed to both attributes, private and public, and the query is satisfied by the first registration but not by the second registration.
20. The method according to claim 1, characterized in that it further comprises the steps of: before the division and processing steps, using the processor, electronically storing a database in the memory, and after those steps of division and processing, using the processor, electronically storing indications of the modifications made to the database stored in the memory, which modifications result from the steps of dividing and processing, using the processor, electronically receiving a profile query from an advertiser, using the processor, electronically executing the profile query against the database stored in the memory, and using the processor, if the profile query violates a division of the database, which partition is indicated by the indications stored in the memory, then identifying the records of the database, including those records that the query failed to identify and that violate the division of the database.
21. The method according to claim 1, characterized in that it also comprises the steps of: following the division and processing steps, using the processor, electronically receiving a profile query, of the advertisers, using the processor, electronically executing the query of profiles, against the database, and using the processor, electronically transmit an identifier that corresponds to the query of profiles and pseudonyms of identified records by consulting profiles, to the advertiser.
22. The method according to claim 21, characterized in that it further comprises the steps of: using the processor, electronically transmitting the identifier for the profile query and the table, to a name translating station.
23. The method according to claim 22, characterized in that it also comprises the steps of: transmitting a commercial or advertising, the pseudonyms and the identifier of the profile queries, of the advertiser, to the communications network, receiving the commercial, the pseudonyms of records and the identifier of the profile query, to the communications network, at the name translating station, at the name translating station, translate the pseudonyms of records, into network addresses, of the records, using the table, and transmitting the commercial to the users or subscribers, via the communications network, using the addresses of the network, of the registers.
24. A system for protecting a database against the deduction of confidential attribute values contained therein, characterized in that it comprises: a memory to store the database, and a processor, to electronically divide the database into public attributes, which contain public attribute values, and private attributes that contain private attribute values, and to electronically process those values, in order to reduce any high correlation between the values of public attributes and private attribute values.
25. The system according to claim 24, characterized in that the processor electronically divides the records of the database into a secure set and an insecure set.
26. The system according to claim 25, characterized in that the processor electronically combines a plurality of values of public attributes, of records, in the safe and unsecured sets.
27. The system according to claim 25, characterized in that the processor divides the records into an insecure set if: there exists a vector of attribute values, for corresponding public attributes thereof, wherein a level of uncertainty, as to a value of at least one of the private attributes of the group is less than a threshold level of uncertainty.
28. The system according to claim 27, characterized in that the level of uncertainty as to a value of a private attribute of the group is lower than the threshold level of uncertainty if the group contains fewer distinct values of the private attribute than a threshold number.
29. The system according to claim 25, characterized in that the processor further divides the values of public attributes into values of important public attributes and unimportant public attribute values, and where the processor divides the records into the insecure set, if: there is a vector of attribute values that identifies a group of records that has the vector of attribute values, for the relevant public attributes, corresponding thereto, where a level of uncertainty, as to a value of at least one of the public attributes, of the group, is less than a threshold level of uncertainty.
30. The system according to claim 25, characterized in that the processor electronically forms different possible vectors of public attribute values for the public attributes and, for each group of records identified by the vectors of public attribute values, electronically divides the records of the group into the secure set if there is at least a threshold level of uncertainty for private attribute values in the group, and divides the records of the group into the insecure set.
31. The system according to claim 30, characterized in that the processor electronically forms each possible vector of public attribute values.
32. The system according to claim 30, characterized in that the vectors contain only important public attribute values.
33. The system according to claim 23, characterized in that the processor electronically combines a plurality of values of public attributes, of registers, to prevent the deduction, beyond a threshold level of uncertainty, of private attribute values of those registers.
34. The system according to claim 33, characterized in that only the important public attribute values are combined by the processor.
35. The system according to claim 33, characterized in that the processor electronically identifies all records containing particular values for a selected public attribute, which particular values are contained by at least one record with a highly correlated public attribute value, wherein the processor electronically identifies distinct vectors having a particular value for each public attribute different from the selected public attribute, wherein the processor electronically identifies a group of records for each of the distinct vectors, wherein each record of the identified group has the distinct vector of values for public attributes thereof different from the particular public attribute, and where the processor electronically combines values of the selected public attribute of one of the groups corresponding to one of those distinct vectors if there is at least a threshold level of uncertainty for each private attribute in the group that corresponds to that vector.
36. The system according to claim 35, characterized in that the processor electronically identifies each distinct vector having a particular value for each public attribute different from the selected public attribute.
37. The system according to claim 35, characterized in that each of the at least one record with a highly correlated attribute value is a member of a group of records which satisfies: there is a vector of attribute values which identifies the group of records that has the vector of attribute values for corresponding public attributes thereof, wherein a level of uncertainty as to a private attribute value of the group is less than a threshold level of uncertainty.
38. The system according to claim 33, characterized in that the processor electronically substitutes a representative value for the combined public attribute values.
39. The system according to claim 33, characterized in that the processor divides the public attributes into important public attributes and unimportant public attributes, wherein the processor combines only the values of important public attributes, wherein the processor electronically identifies each different vector of important public attribute values, and where the processor electronically combines each different vector of non-important public attribute values that occur with each of the different vectors, from the values of important public attributes.
40. A communications system, characterized in that it comprises: a filter station comprising a memory for storing a database, and a processor for electronically dividing the database into public attributes containing public attribute values and private attributes containing private attribute values, and for electronically processing those values to reduce any high correlation between public attribute values and private attribute values; and an advertiser for transmitting a profile query to the processor of the filter station.
41. The communication system according to claim 40, characterized in that the processor electronically stores in the memory a database that results from the division and processing of the database, and wherein the processor electronically executes the profile query against the database stored in the memory.
42. The communication system according to claim 40, characterized in that, before the division and processing of the database, the processor electronically stores a database in the memory and, after the division and processing steps, the processor electronically stores indications of the modifications to the database stored in the memory, which modifications result from the steps of dividing and processing; the processor electronically executes the profile query against the database stored in the memory; and the processor electronically rejects the query if the query violates a division of the database, the division being indicated by the indications stored in the memory.
43. The communication system according to claim 42, characterized in that the profile query violates the division if: the indications indicate that the database includes first and second records in the same division, the profile query specifies criteria directed to both public and private attributes, and the query is satisfied by the first record but not by the second record.
44. The communication system according to claim 40, characterized in that, before the division and processing of the database, the processor electronically stores a database in the memory and, after the dividing and processing steps, the processor electronically stores indications of the modifications made to the database stored in the memory, which modifications result from the dividing and processing steps; the processor electronically executes the profile query against the database stored in the memory; and, if the profile query violates a division of the database, the division being indicated by the indications stored in the memory, the processor electronically identifies the records of that database, including those records which the query failed to identify, that violate the division or partition of the database.
45. The communication system according to claim 40, characterized in that the processor electronically divides and processes the database, the processor electronically executes the profile query against the database, and wherein the processor electronically transmits an identifier of the profile query and pseudonyms of the records identified by the profile query to the advertiser.
46. The communication system according to claim 45, characterized in that it further comprises a name translating station, and wherein the processor electronically constructs a table for translating the pseudonyms of the records into network addresses of the records, and electronically transmits the identifier for the profile query and the table to the name translating station.
47. The communication system according to claim 46, characterized in that it further comprises: a plurality of users or subscribers, each of which has an address in the network for the delivery of advertisements, and a communications network that interconnects the advertiser, the processor of the filter station, the name translating station and the plurality of users, wherein the advertiser transmits an advertisement, the pseudonyms of the records and the identifier of the profile query to the communications network, and wherein the name translating station receives the advertisement, the pseudonyms of the records and the identifier of the profile query from the communications network, translates the pseudonyms of the records into network addresses using the table, and transmits the advertisement to individual users or subscribers among the plurality via the communications network, using the network addresses of the records.
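The partitioning step of claim 30, as an added example that is not taken from the patent: records are grouped by their vector of public values and each whole group goes to the secure or the insecure set. The attribute names, the sample records and the uncertainty measure (1 minus the share of the most common private value) are assumptions; the claims do not define how uncertainty is computed.

```python
from collections import Counter, defaultdict

PUBLIC = ("age_band", "zip3")   # hypothetical public attributes
PRIVATE = "income"              # hypothetical private attribute

# Constructed sample database: record id -> attribute values.
RECORDS = {
    1: {"age_band": "30-39", "zip3": "079", "income": "high"},
    2: {"age_band": "30-39", "zip3": "079", "income": "high"},
    3: {"age_band": "30-39", "zip3": "079", "income": "high"},
    4: {"age_band": "40-49", "zip3": "079", "income": "low"},
    5: {"age_band": "40-49", "zip3": "079", "income": "high"},
    6: {"age_band": "40-49", "zip3": "079", "income": "mid"},
    7: {"age_band": "50-59", "zip3": "100", "income": "low"},
}

def uncertainty(private_values):
    """Assumed measure: 1 minus the share of the most common private value."""
    counts = Counter(private_values)
    return 1.0 - max(counts.values()) / len(private_values)

def split_by_uncertainty(records, threshold):
    """Group records by their vector of public values, then place each whole
    group in the secure set if its uncertainty meets the threshold, else in
    the insecure set. Returns (secure_ids, insecure_ids, per-group scores)."""
    groups = defaultdict(list)
    for rid, rec in records.items():
        groups[tuple(rec[a] for a in PUBLIC)].append(rid)
    secure, insecure, scores = set(), set(), {}
    for vector, ids in groups.items():
        scores[vector] = uncertainty([records[i][PRIVATE] for i in ids])
        (secure if scores[vector] >= threshold else insecure).update(ids)
    return secure, insecure, scores

if __name__ == "__main__":
    secure, insecure, scores = split_by_uncertainty(RECORDS, threshold=0.5)
    print("secure:", sorted(secure), "insecure:", sorted(insecure))
    for vector, score in scores.items():
        print(vector, round(score, 2))
```

Groups in which one private value dominates, including single-record groups, land in the insecure set; those are the records whose public values claims 33 to 39 then combine.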
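The query check of claims 42 to 44, as an added example that is not taken from the patent: a profile query is tested against stored partition labels, then either rejected (claim 42) or widened to the records it failed to identify (claim 44). The attribute names, sample records, partition labels and function names are assumptions made for illustration.

```python
PUBLIC = {"age_band", "zip3"}    # hypothetical public attributes
PRIVATE = {"income"}             # hypothetical private attribute

# Constructed sample database: record id -> attribute values.
RECORDS = {
    1: {"age_band": "30-49", "zip3": "079", "income": "high"},
    2: {"age_band": "30-49", "zip3": "079", "income": "low"},
    3: {"age_band": "30-49", "zip3": "079", "income": "mid"},
    4: {"age_band": "50-59", "zip3": "100", "income": "high"},
    5: {"age_band": "50-59", "zip3": "100", "income": "high"},
}
# Constructed "indications" of the division: record id -> partition label.
PARTITION = {1: "A", 2: "A", 3: "A", 4: "B", 5: "B"}

def run_profile_query(query, records=RECORDS, partition=PARTITION):
    """query maps attribute -> required value. Returns (matched ids,
    violated partition labels, widened ids)."""
    matched = {rid for rid, rec in records.items()
               if all(rec.get(a) == v for a, v in query.items())}
    # Claim 43: only queries with both public and private criteria can violate.
    mixes_both = bool(PUBLIC.intersection(query)) and bool(PRIVATE.intersection(query))
    violated = set()
    if mixes_both:
        for label in {partition[r] for r in matched}:
            members = {r for r, p in partition.items() if p == label}
            if members - matched:   # a record in the same division is not matched
                violated.add(label)
    # Claim 44 variant: add the records the query failed to identify.
    widened = matched | {r for r, p in partition.items() if p in violated}
    return matched, violated, widened

def answer(query, reject_on_violation=True):
    """Claim 42 behaviour rejects (returns None); claim 44 behaviour widens."""
    matched, violated, widened = run_profile_query(query)
    if violated and reject_on_violation:
        return None
    return sorted(widened)

if __name__ == "__main__":
    q = {"age_band": "30-49", "income": "high"}
    print(answer(q), answer(q, reject_on_violation=False))
```

Either response keeps the advertiser from learning which member of partition A has the queried private value: the query is refused, or the result covers the whole partition.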
MXPA/A/1997/010080A 1995-06-12 1997-12-11 Protection of confidential information in a database to activate announcements objectives in a communication network MXPA97010080A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US60970395A 1995-06-12 1995-06-12
US490001 1995-06-12

Publications (2)

Publication Number Publication Date
MX9710080A (en) 1998-03-29
MXPA97010080A (en) 1998-10-15
