WO2012017612A1 - Anonymization information sharing apparatus and anonymization information sharing method - Google Patents
- Publication number: WO2012017612A1 (PCT application PCT/JP2011/004144)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- information
- anonymization
- anonymization information
- sharing
- authentication
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0407—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
- H04L63/0421—Anonymous communication, i.e. the party's identifiers are hidden from the other party or parties, e.g. using an anonymizer
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
- G06F21/6254—Protecting personal data, e.g. for financial or medical purposes by anonymising data, e.g. decorrelating personal data from the owner's identification
Definitions
- the present invention relates to an anonymization information sharing apparatus and an anonymization information sharing method in which an output source shares anonymized information with another apparatus.
- life stream service: a life stream service or life log service (hereinafter "life stream service"), which shares with others a series of information to which position information is added as the user's action history, is one such service.
- medical treatment information, which is the treatment record of the recipient, has conventionally been stored separately at each medical institution.
- EMR Electronic Medical Record
- placing medical treatment information, the treatment record of the recipient, on a network requires a large investment, so such systems are not widespread.
- the anonymity of the output source of anonymization information may be lost through the position information contained in the anonymization information or the like.
- such a situation can be prevented if the output source of the information corrects or deletes the anonymization information according to the situation. It is therefore desirable that the output source of anonymization information can freely process its own anonymization information even after it has been shared, that is, that the anonymization information substantially remains under its own control.
- the conventional anonymization information sharing apparatus 10 manages a correspondence table in which each item of anonymization information is associated with an anonymization number.
- the anonymization information sharing apparatus 10 discards the correspondence table as needed by means of the correspondence table discarding unit 13. When the apparatus 10 is later asked to execute a predetermined process on the anonymization information by being passed the personal ID, the anonymization number creating unit 12 recreates the anonymization number from the personal ID, and the apparatus 10 executes the requested process on the anonymization information associated with the recreated anonymization number.
- the anonymization information sharing apparatus 10 can thus continue management by the output source of anonymization information that has already been shared, while maintaining the anonymity of that information toward anyone other than its output source and owner.
- Patent Document 1: the technology described in Patent Document 1 is effective in a centrally managed network in which both the holding of anonymization information and the management of anonymization numbers are performed by one device, for example an operation mode in which authority is concentrated in one place such as a hospital.
- the technology of Patent Document 1 is, however, difficult to apply to a system in which an unspecified or specified number of parties post or browse information, such as twitter (registered trademark), or to P2P (Peer to Peer) communication in which specific terminals communicate directly with each other.
- P2P Peer to Peer
- in such a network, continuing the management of anonymization information is difficult. This is because anonymization information that has already been shared by posting or the like (anonymization information whose holder is unspecified) has to be deleted from holders that the output source cannot identify.
- the anonymization information sharing method is a method in which an output source shares anonymized information with another device, and comprises: for each item of sharing target information, applying a first one-way function to a combination of part or all of that information and a processing password to generate an authentication ID; adding the generated authentication ID to the sharing target information to generate anonymization information; outputting the generated anonymization information so that the other device holds it; generating a processing request that includes the processing password and transmitting it to the other device; and, at the other device, applying the first one-way function to the combination of part or all of each item of held anonymization information and the received processing password and, based on whether the result matches the authentication ID of that anonymization information, permitting execution of the requested predetermined process on the held anonymization information only to the output source.
- in this way, only the output source of the anonymization information can have a processing request carrying processing authority over that anonymization information authenticated, while the anonymized state is maintained, and can have the predetermined process executed on the device holding the anonymization information. That is, according to the present invention, management by the output source can be continued for anonymization information shared over a distributed management type network.
- Block diagram showing an example of the configuration of a conventional anonymization information sharing apparatus
- System configuration diagram showing an example of the configuration of an anonymization information sharing system including the anonymization information sharing device according to the first embodiment of the present invention
- Block diagram showing the configuration of the anonymization information sharing apparatus according to the first embodiment
- Diagram schematically showing an outline of processing in the first embodiment
- Flowchart showing the operation of the anonymization information sharing apparatus according to the first embodiment
- Flowchart showing the anonymization information output process in the first embodiment
- Flowchart showing the anonymization information deletion process in the first embodiment
- Block diagram showing the configuration of the anonymization information sharing apparatus according to the second embodiment of the present invention
- Diagram schematically showing anonymization of personal attribute information in the second embodiment
- Diagram schematically showing an outline of processing in the second embodiment
- Flowchart showing the operation of the anonymization information sharing device according to the second embodiment
- Flowchart showing the anonymization information output process in the second embodiment
- Flowchart showing the risk monitoring process in the second embodiment
- Flowchart showing the deletion request transmission process in the second embodiment
- FIG. 2 is a system configuration diagram showing an example of a configuration of an anonymization information sharing system including the anonymization information sharing device according to the first embodiment of the present invention.
- the anonymization information sharing system 100 includes first to j-th anonymization information sharing devices 300-1 to 300-j that perform wireless communication with each other via the communication network 200.
- the first to j-th anonymized information sharing devices 300-1 to 300-j transmit each other's anonymization information and share them without using a central management server or the like. That is, the anonymization information sharing system 100 is a system for sharing anonymization information in a distributed management type network.
- the first to j-th anonymization information sharing devices 300-1 to 300-j have the same configuration and are therefore collectively referred to below as the anonymization information sharing apparatus 300 where appropriate. Further, in the present embodiment, the anonymization information sharing device 300 that is the output source of anonymization information is referred to as the anonymization information sharing device 300s, and the device 300 that is the output destination as the anonymization information sharing device 300r.
- FIG. 3 is a block diagram showing the configuration of the anonymization information sharing apparatus 300. Here, the functional units used when transmitting (outputting) anonymization information and the functional units used when receiving (inputting) anonymization information are illustrated separately.
- the anonymization information sharing apparatus 300s, which is the output source of anonymization information, has an information non-sharing unit 310, an authentication ID generation unit 320, an anonymization unit 330, an information sharing unit 340, and an anonymization information processing request unit 350.
- the anonymization information sharing device 300r, which is the output destination of anonymization information, has the above-described information sharing unit 340 and an anonymization information processing unit 360.
- the information non-sharing unit 310 stores the data to be shared (hereinafter "personal attribute information"), in which time information and position information are added to a data body.
- the time information and the position information are, for example, Japan Standard Time and the latitude and longitude of the current position acquired from a global positioning system (GPS) signal.
- the data body is, for example, a user's input text, biosignal information such as a pulse and blood pressure observed by a sensor, or activity amount information such as the number of steps and activity intensity.
- HL7 is a standard protocol for medical information exchange, covering patient management, orders, queries, finance, examination reports, master files, information management, reservations, patient referrals, patient care, laboratory automation, application management, personnel management and so on.
- the Continua Alliance is an organization that has developed guidelines for interconnecting systems, focusing on three areas: preventive health and wellness, chronic disease management, and elderly independent living (Aging Independently), and that performs connectivity verification and logo certification using actual devices.
- DICOM is a standard, developed by the American College of Radiology (ACR) and the National Electrical Manufacturers Association (NEMA), that defines the format of medical images and the communication protocol between the medical imaging devices that handle those images. That is, DICOM is for handling medical images captured by CT (Computed Tomography), MRI (Magnetic Resonance Imaging), CR (Computed Radiography) or the like.
- the authentication ID generation unit 320 generates an authentication ID for each item of personal attribute information by applying a hash function, which is one kind of one-way function, to a combination of part or all of that personal attribute information, a deletion password, and a data ID. The authentication ID generation unit 320 then outputs the generated authentication ID to the anonymization unit 330, and outputs the authentication ID together with the deletion password used to generate it to the anonymization information processing request unit 350.
- the anonymization unit 330 acquires the personal attribute information stored in the information non-sharing unit 310, adds the authentication ID input from the authentication ID generation unit 320 to the personal attribute information, and generates anonymization information. Then, the anonymization unit 330 outputs the generated anonymization information to the information sharing unit 340.
- the information sharing unit 340 shares anonymization information with the information sharing unit 340 of another anonymization information sharing apparatus 300 using, for example, an arbitrary peer-to-peer (P2P) protocol.
- this deletion request asks the request-destination anonymization information sharing device 300r to delete anonymization information held by its information sharing unit 340. More specifically, the deletion request asks for the deletion of any anonymization information whose authentication ID matches the result of applying the hash function to part or all of that anonymization information and the deletion password.
- on receiving a deletion request, the anonymization information sharing apparatus 300 applies the hash function to the combination of part or all of each item of anonymization information it holds and the deletion password included in the deletion request, compares the result with the authentication ID of that anonymization information, and deletes the matching anonymization information according to the deletion request.
- the anonymization information sharing device 300 can thus delete such anonymization information without identifying or disclosing any personal information.
- the anonymization information sharing apparatus 300 therefore enables anonymization information to be shared over a distributed network while allowing only the output source to delete anonymization information that has already been shared, with the output source remaining anonymized.
- FIG. 4 is a diagram schematically showing an outline of processing from sharing of anonymization information to deletion.
- the anonymization information sharing apparatus 300s generates an authentication ID 430 by applying a hash function to a combination of part of the personal attribute information 410, the data ID 415, and the deletion password 420.
- the anonymization information sharing device 300s holds, in its own information sharing unit 340, the anonymization information 440 in which the authentication ID 430 is incorporated into the personal attribute information 410, and transmits it to the other anonymization information sharing device 300r.
- the same anonymization information 440 is thus held in the information sharing unit 340 of the anonymization information sharing apparatus 300s and in the information sharing unit 340 of the anonymization information sharing apparatus 300r.
- when the output-source anonymization information sharing device 300s receives an instruction from the user or the like to delete the anonymization information 440, it sends a deletion request including the deletion password 420 to the other anonymization information sharing device 300r.
- all anonymization information sharing devices 300 of the anonymization information sharing system 100 use the same hash function, and each of them can extract the authentication ID 430 from the anonymization information 440 and the deletion password 420 from the deletion request. Therefore, in the anonymization information sharing system 100, the output-source anonymization information sharing apparatus 300s can have the anonymization information 440 deleted by means of the deletion request.
- since the authentication ID 430 is generated by a hash function, which is a one-way function, a third party cannot recover the original deletion password from the authentication ID 430. Therefore a device other than the output source of the shared anonymization information 440 cannot forge a deletion request for it, and so cannot delete the anonymization information 440, even if it knows the authentication ID 430.
- FIG. 5 is a flowchart showing the operation of the anonymization information sharing apparatus 300.
- in step S1000 the anonymization unit 330 determines whether there is an instruction to output anonymization information. This instruction is, for example, an instruction by a user operation. If the anonymization unit 330 has received an instruction to output anonymization information (S1000: YES), the process proceeds to step S2000; otherwise the anonymization unit 330 proceeds directly to step S3000.
- step S2000 the anonymization information sharing device 300s executes anonymization information output processing, and proceeds to step S3000.
- the anonymization information output process generates anonymization information and outputs it to other anonymization information sharing apparatuses 300r for sharing.
- FIG. 6 is a flowchart showing anonymization information output processing.
- the authentication ID generation unit 320 applies the hash function to a part of the personal attribute information, a deletion password prepared in advance, and a data ID assigned to each data item corresponding to anonymization information, and thereby generates the authentication ID.
- the deletion password is preferably different for each item of personal attribute information, for example a character string consisting of the year, month, day and hour at which the personal attribute information was registered followed by an 8-digit random number.
- the authentication ID generation unit 320 outputs the generated authentication ID to the anonymization unit 330. These processes may also be performed before step S1000 of FIG. 5.
- the anonymization unit 330 acquires the personal attribute information from the information non-sharing unit 310 and adds the authentication ID and the data ID input from the authentication ID generation unit 320 to it, generating the anonymization information.
- the data ID is preferably different for each item of personal attribute information, for example a character string consisting of the year, month, day and hour at which the personal attribute information was registered followed by a 3-digit serial number. These processes may also be performed before step S1000 of FIG. 5. The anonymization unit 330 then outputs the generated anonymization information to the information sharing unit 340.
- in step S2300 the information sharing unit 340 outputs (transmits) the anonymization information newly input from the anonymization unit 330 to the other anonymization information sharing apparatuses 300r, and returns to the process of FIG. 5.
- the anonymization information is thereby held by the information sharing unit 340 of the anonymization information sharing apparatus 300s and, through the processing of step S4000 described later on the other anonymization information sharing apparatus 300r, shared with the information sharing unit 340 of that apparatus.
- step S3000 of FIG. 5 the information sharing unit 340 determines whether anonymization information has been received from another anonymization information sharing device 300s. When the information sharing unit 340 receives the anonymization information (S3000: YES), the process proceeds to step S4000. If the information sharing unit 340 has not received the anonymization information (S3000: NO), the process proceeds directly to step S5000.
- in step S5000 the anonymization information processing request unit 350 determines whether an instruction to delete shared anonymization information has been issued. This instruction is, for example, an instruction by a user operation. If the anonymization information processing request unit 350 has received an instruction to delete anonymization information (S5000: YES), the process proceeds to step S6000; otherwise the anonymization information processing request unit 350 proceeds directly to step S7000.
- in step S7000 the anonymization information processing unit 360 determines whether a deletion request has been received from another anonymization information sharing device 300s. If the anonymization information processing unit 360 has received a deletion request (S7000: YES), the process proceeds to step S8000; if not (S7000: NO), the process proceeds directly to step S9000.
- in step S8000 the anonymization information sharing device 300r executes the anonymization information deletion process, which deletes the anonymization information held by the information sharing unit 340 as appropriate in response to the deletion request.
- FIG. 7 is a flowchart showing anonymization information deletion processing.
- in step S8200 the anonymization information processing unit 360 selects one item of the anonymization information held by the information sharing unit 340.
- in step S8300 the anonymization information processing unit 360 applies the hash function to the combination of the acquired deletion password, the data ID included in the selected anonymization information, and the personal attribute information included in the selected anonymization information.
- in step S8400 the anonymization information processing unit 360 determines whether the result of applying the hash function matches the authentication ID of the selected anonymization information. If they match (S8400: YES), the process proceeds to step S8500; if they do not match (S8400: NO), the process proceeds to step S8600.
- in step S8500 the anonymization information processing unit 360 deletes the selected anonymization information from the information sharing unit 340 and proceeds to step S8600. The anonymization information is thus deleted according to the deletion request.
- in step S8600 the anonymization information processing unit 360 determines whether any anonymization information held in the information sharing unit 340 remains unselected. If there is unselected anonymization information (S8600: YES), the process returns to step S8200, selects it, and repeats; when none remains (S8600: NO), the process returns to FIG. 5. As a result, the anonymization information sharing apparatus 300s can delete the anonymization information it output even when the other anonymization information sharing apparatus 300r holds many items of anonymization information.
- the target of the determination may also be narrowed by transmitting the pair of the deletion password and the data ID in the deletion request.
- the anonymization information sharing device 300r that has received such a deletion request can first narrow down the candidate anonymization information by the data ID and only then apply the hash function, which greatly reduces the processing load and processing time.
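The generation, sharing and deletion steps described above (FIG. 4, FIG. 6 and FIG. 7, including the data-ID narrowing) as an added worked example in Python. This is not the patent's own code: SHA-256 as the hash function, the "|" separator, the choice of time and position as the hashed "part" of the personal attribute information, the record field names and all sample values are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

# Added example; not the patent's own code. SHA-256, the "|" separator, the
# hashed "part" (time + position) and all sample values are assumptions.


def hash_function(*parts: str) -> str:
    """The one-way function shared by every device 300 (assumed: SHA-256 over '|'-joined parts)."""
    return hashlib.sha256("|".join(parts).encode("utf-8")).hexdigest()


@dataclass
class AnonymizationInfo:
    """Anonymization information 440: personal attribute information plus data ID 415 and authentication ID 430."""
    data_id: str
    time: str
    position: str
    body: str
    auth_id: str

    def hashed_part(self) -> str:
        # The "part of the personal attribute information" fed to the hash; assumed to be time and position.
        return self.time + "," + self.position


def make_deletion_password(registered_at: str) -> str:
    """Deletion password 420: registration year/month/day/hour followed by an 8-digit random number."""
    return registered_at + f"{secrets.randbelow(10**8):08d}"


def make_anonymization_info(data_id: str, time: str, position: str, body: str,
                            deletion_password: str) -> AnonymizationInfo:
    """Output side (300s, FIG. 6): authentication ID = H(part of attributes, data ID, deletion password)."""
    auth_id = hash_function(time + "," + position, data_id, deletion_password)
    return AnonymizationInfo(data_id, time, position, body, auth_id)


class SharingUnit:
    """Information sharing unit 340 of a receiving device 300r, with the deletion process of FIG. 7."""

    def __init__(self) -> None:
        self.records = []

    def receive(self, info: AnonymizationInfo) -> None:
        self.records.append(info)

    def handle_deletion_request(self, deletion_password: str, data_id: Optional[str] = None) -> int:
        """Steps S8200-S8600: recompute the authentication ID of each held record with the received
        deletion password and delete every record whose stored ID matches. When the request also
        carries a data ID, only that record is hashed (the narrowing variant). Returns the number deleted."""
        candidates = self.records if data_id is None else [r for r in self.records if r.data_id == data_id]
        matched = {id(r) for r in candidates
                   if hash_function(r.hashed_part(), r.data_id, deletion_password) == r.auth_id}
        self.records = [r for r in self.records if id(r) not in matched]
        return len(matched)


def demo() -> tuple:
    """Constructed run: 300s shares two records with 300r, a stranger tries to delete, then 300s deletes both."""
    pw_a = make_deletion_password("2011072010")
    pw_b = make_deletion_password("2011072011")
    rec_a = make_anonymization_info("2011072010001", "2011-07-20T10:00", "35.68,139.76", "steps=1200", pw_a)
    rec_b = make_anonymization_info("2011072011002", "2011-07-20T11:00", "35.69,139.77", "pulse=72", pw_b)
    receiver = SharingUnit()
    receiver.receive(rec_a)
    receiver.receive(rec_b)
    # A third party that knows rec_a.auth_id but not pw_a gets nothing deleted.
    spoofed = receiver.handle_deletion_request("guessed-password")
    # The output source sends pw_a: only rec_a matches and is removed; rec_b is untouched.
    deleted_a = receiver.handle_deletion_request(pw_a)
    # Narrowed request: deletion password plus data ID, so only rec_b is hashed.
    deleted_b = receiver.handle_deletion_request(pw_b, data_id=rec_b.data_id)
    return spoofed, deleted_a, deleted_b, len(receiver.records)


if __name__ == "__main__":
    print(demo())  # (0, 1, 1, 0)
```

One check worth making before adopting the suggested password format: the only unpredictable part of the deletion password is the 8-digit random number (about 10^8 candidates, roughly 26.6 bits), and anyone holding the record can test candidates offline against the stored authentication ID. The structure of the scheme does not change if the random component is made longer (for example `secrets.token_hex(16)`), so that is the safer choice in practice.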
- step S9000 the anonymization information sharing device 300 determines whether an instruction to end the process has been issued. This instruction is, for example, an instruction by a user operation. If the anonymization information sharing apparatus 300 has not been instructed to end the process (S9000: NO), the process returns to step S1000. When the anonymization information sharing apparatus 300 is instructed to finish the process (S9000: YES), the series of processes is finished.
- as described above, the anonymization information sharing apparatus 300 applies the hash function to the combination of the deletion password in the deletion request, the data ID included in the anonymization information, and part of the personal attribute information included in the anonymization information, and deletes the anonymization information based on whether the result matches its authentication ID. This allows only the output source of the anonymization information to have the other anonymization information sharing apparatus 300r execute the predetermined process on that anonymization information while the anonymized state is preserved. That is, the anonymization information sharing apparatus 300 according to the present embodiment can continue management by the output source of anonymization information shared over a distributed management type network.
- the anonymization information sharing device 300 may also, at the same time as executing the above steps, forward the deletion password to all or some of the anonymization information sharing devices with which it shares information. This makes it difficult to determine which device originally issued the deletion request.
- FIG. 8 is a block diagram showing the configuration of the anonymized information sharing apparatus according to the second embodiment of the present invention, and corresponds to FIG. 3 of the first embodiment.
- the same parts as those in FIG. 3 are denoted by the same reference numerals, and the description thereof is omitted.
- in the present embodiment, the anonymization information sharing device 300a that is the output source of anonymization information is referred to as the anonymization information sharing device 300as where appropriate, and the anonymization information sharing device 300a that is the output destination as the anonymization information sharing device 300ar.
- the anonymization information sharing apparatus 300as, which is the output source of anonymization information, has a personal attribute information storage unit 370a, a data ID storage unit 380a, and a personal identification risk monitoring unit 390a in addition to the functional units of FIG. 3.
- the data ID storage unit 380a stores in advance a personal password set arbitrarily by the user, and also holds the data ID that identifies each item of information in the anonymization information sharing device 300as.
- the data ID is part of the key information used to generate the one-time password, which differs for each item of personal attribute information, and is the public (non-secret) key information for authenticating operation authority over that personal attribute information.
- the data ID is created for each anonymization information sharing apparatus by an arbitrary method, or by an arbitrary ID system using the same method for all apparatuses, and is stored in the data ID storage unit 380a.
- the anonymization unit 330 converts the information to which the authentication ID has been added into a form in which the anonymous state is more easily maintained (anonymization), and generates the anonymization information.
- the authentication ID generation unit 320 applies a hash function to the combination of the data ID and the personal password to generate the deletion password. Then, as in the first embodiment, it applies a hash function to the combination of the generated deletion password, the data ID, and part or all of the personal attribute information to generate the authentication ID. That is, in the present embodiment not only the authentication ID but also the deletion password differs for each item of anonymization information.
- the anonymization information processing request unit 350 regenerates the deletion password by the same process as the authentication ID generation unit 320.
- the personal identification risk monitoring unit 390a monitors the personal identification risk of the anonymization information sharing device 300as based on the anonymization information held by the information sharing unit 340.
- personal identification risk refers to a high risk that the individual who output the anonymization information from the anonymization information sharing apparatus 300as, or the anonymization information sharing apparatus 300a linked to that individual, can be identified. When the personal identification risk is high, the personal identification risk monitoring unit 390a instructs the anonymization information processing request unit 350 to delete the anonymization information with the high personal identification risk.
- the simplest method of realizing authentication using a delete password and an authentication ID is to use a hash value of a personal password as an authentication ID and use a personal password as a delete password.
- the anonymization information sharing apparatus 300a applies a hash function to the combination of the data ID and the personal password to generate a unique deletion password, so there is no need to prepare and manage a separate deletion password for each data item.
- the anonymization information sharing device 300a can thus vary the deletion password and the authentication ID for each item of anonymization information, which reduces the risk that a third party tracks the user's behaviour by linking deletion passwords or authentication IDs.
- the anonymized information sharing device 300a can delete the anonymized information to reduce the personal identification risk.
- personal identification risk for example, there are no other devices that are in the same time zone at the same location as the own device, and if the anonymization information is left as it is, the anonymity of the output source of the anonymization information is It is a situation that may be lost.
- FIG. 9 is a view schematically showing the anonymization of personal attribute information in the anonymization unit 330.
- the anonymization unit 330 determines the time range 521 as a representative value of the time information 511 of the personal attribute information 510t to 510t+m.
- the anonymization unit 330 determines the position range 522 as a representative value of the position information 512 of the personal attribute information 510t to 510t+m.
- the anonymization unit 330 determines the first to n-th representative data 523_1 to 523_n as representative values of the first to n-th data bodies 513_1 to 513_n, respectively.
- the position range 522 includes, for example, the latitude and longitude information G of the center position of the distribution range of the position information from time t to time t+m, and a radius r from that center position covering the distribution range.
- the representative data 523 is, for example, the data body at any one time, a frequently appearing word or value, an average value, or the like.
- FIG. 10 is a diagram schematically showing an outline of the processing from sharing of anonymization information to its deletion in the present embodiment, and corresponds to FIG. 4 of the first embodiment.
- the anonymization information sharing apparatus 300as applies a hash function to the combination of the data ID 620, part or all of the personal attribute information 610 (here, the representative data), and the deletion password 640. Thereby, the anonymization information sharing device 300as generates an authentication ID 650.
- the anonymization information sharing device 300as of the output source deletes the shared anonymization information 660 on the instruction of the personal identification risk monitoring unit 390a or the like.
- the anonymization information sharing device 300a can keep each piece of information additionally transmitted and received for managing the anonymization information (hereinafter referred to as "additional information") in an anonymized state.
- FIG. 12 is a flowchart showing the anonymization information output processing according to the present embodiment, and corresponds to FIG. 6 of the first embodiment. The same steps as in FIG. 6 are given the same step numbers, and their description is omitted.
- FIG. 13 is a flowchart showing the risk monitoring process.
- the personal identification risk monitoring unit 390a determines whether or not there is a group in which the number of pieces of anonymization information making up the group is equal to or smaller than a threshold k.
- the threshold k is a value predetermined according to the permitted personal identification risk. That is, among the groups satisfying the condition that the time range and the position range overlap, the threshold k is the maximum group population at which a specific individual is likely to be identified.
- in step S4530a, the personal identification risk monitoring unit 390a instructs the anonymization information processing request unit 350 to delete the own device's anonymization information in the group where the number of pieces of anonymization information is equal to or less than the threshold k, as shown in FIG.
- the anonymization information sharing device 300as can detect this and instruct deletion of the anonymization information.
- the deletion request transmission process is executed as step S6000a.
- the deletion request transmission process is a process of transmitting, to another anonymization information sharing apparatus 300ar, a deletion request requesting deletion of the anonymization information designated for deletion.
- the personal identification risk monitoring unit 390a can thereby remove the own device's anonymization information from the group.
- the personal identification risk monitoring unit 390a widens the position range based on the number of pieces of anonymization information it grasps.
- the personal identification risk monitoring unit 390a may regenerate the anonymization information by re-setting the various conditions used when the anonymization information was created, such as expanding the time range, and share it again.
- the personal identification risk monitoring unit 390a may also be used to set the position range and the time range so as to reduce the personal identification risk before the anonymization information is generated.
- in step S6010a, the personal identification risk monitoring unit 390a acquires the data ID of the anonymization information designated for deletion. Then, the personal identification risk monitoring unit 390a outputs the acquired data ID and the preset personal password to the anonymization information processing request unit 350.
- in step S6020a, the anonymization information processing request unit 350 applies a hash function to the combination of the input data ID and the input personal password. Thereby, the anonymization information processing request unit 350 generates the deletion password.
- in step S6030a, the anonymization information processing request unit 350 transmits a deletion request including the generated deletion password to the other anonymization information sharing apparatus 300ar, and returns to the processing of FIG.
- the anonymization information sharing device 300as can thus have the anonymization information whose deletion was instructed by the personal identification risk monitoring unit 390a or the like deleted from the information sharing unit 340 of each anonymization information sharing device 300a.
- the anonymization information sharing apparatus 300a uses, as the deletion password, the result of applying a one-way function to the data ID, which differs for each piece of anonymization information, and the personal password, which differs for each user. Thereby, the anonymization information sharing apparatus 300a according to the present embodiment can ensure the anonymity of the output source of the deletion request.
- the anonymization information sharing apparatus 300a may instead generate the deletion password by applying a one-way function to other information that differs for each piece of anonymization information, such as the data ID alone or part or all of the personal attribute information.
- the anonymization information sharing device 300a may also use only the time range, the position range, the data ID, or the like included in the anonymization information as the deletion password, or may combine them.
- the anonymization information sharing apparatus 300a may determine whether the personal identification risk is high using a criterion other than the example described above. For example, the anonymization information sharing device 300a may determine that the personal identification risk is high when the user's action history continues for a predetermined time or more, and may delete some of the anonymization information so that the continuity is lost.
- the one-way function used when generating the deletion password and the authentication ID is a hash function, but various other one-way functions can be used.
- the process performed on the shared anonymization information is not limited to deletion.
- various processes that are permitted only to the output source of the anonymization information can be applied, such as a correction to the contents of the anonymization information, or a change in the management state of the anonymization information in another anonymization information sharing apparatus (prohibition of disclosure to a third party, etc.).
- an anonymization information sharing apparatus and an anonymization information sharing method according to the present invention allow the output source to continue managing anonymization information shared in a distributed-management-type network, and are useful as an anonymization information sharing apparatus and an anonymization information sharing method.
- the present invention is also useful in an information sharing system that posts information to a central system, when sharing information that may identify a specific individual, such as a user's location information.
- the present invention can be applied to the use of a position-sharing type service in which the service provider does not manage the position of the user, for example, a life stream service such as twitter (registered trademark).
- anonymization information sharing system
- 200 communication network
- 300, 300a anonymization information sharing apparatus
- 310 information non-sharing unit
- 320 authentication ID generation unit
- 330 anonymization unit
- 340 information sharing unit
- 350 anonymization information processing request unit
- 360 anonymization information processing unit
- 370a personal attribute information storage unit
- 380a data ID storage unit
- 390a personal identification risk monitoring unit
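The anonymization of FIG. 9 (time range 521, position range 522 as a center G with radius r, and representative data 523), as an added Python example that is not the patent's own code; using great-circle distance for r and the most frequent data body as representative data are assumptions, since the text allows any representative value.

```python
"""Collapse personal attribute records 510t..510t+m into one anonymized item.

Added example, not code from the patent. Assumptions: the radius r is the
largest great-circle distance from the centroid G (the text only requires
that r cover the distribution), and the representative data 523 is the most
frequent data body (the text also allows an average value or the like).
"""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class AttributeRecord:          # personal attribute information 510
    time: int                   # time information 511 (unix seconds)
    lat: float                  # position information 512
    lon: float
    body: str                   # data body 513


@dataclass(frozen=True)
class AnonymizedInfo:
    time_range: tuple[int, int]                 # time range 521
    position_range: tuple[float, float, float]  # (lat_G, lon_G, r metres) 522
    representative: tuple[str, ...]             # representative data 523


EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


def anonymize(records: list[AttributeRecord], top_n: int = 1) -> AnonymizedInfo:
    """Replace individual records by their representative values.

    time_range: earliest and latest time seen (time range 521).
    position_range: centroid G of all positions plus the radius r from G that
                    covers every record (position range 522).
    representative: the top_n most frequent data bodies (representative data 523).
    """
    if not records:
        raise ValueError("need at least one record")
    t_min = min(r.time for r in records)
    t_max = max(r.time for r in records)
    lat_c = sum(r.lat for r in records) / len(records)
    lon_c = sum(r.lon for r in records) / len(records)
    radius = max(haversine_m(lat_c, lon_c, r.lat, r.lon) for r in records)
    top = [w for w, _ in Counter(r.body for r in records).most_common(top_n)]
    return AnonymizedInfo((t_min, t_max), (lat_c, lon_c, radius), tuple(top))


# Constructed sample: four posts over ten minutes, a few hundred metres apart.
SAMPLE = [
    AttributeRecord(1_300_000_000, 35.6812, 139.7671, "coffee"),
    AttributeRecord(1_300_000_200, 35.6820, 139.7680, "coffee"),
    AttributeRecord(1_300_000_400, 35.6805, 139.7660, "train"),
    AttributeRecord(1_300_000_600, 35.6815, 139.7675, "coffee"),
]

if __name__ == "__main__":
    print(anonymize(SAMPLE))
```

The result no longer carries any single time, position or post; only the range and the frequent body are shared.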
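The deletion password and authentication ID of steps S6010a to S6030a, the receiving device's match check, and the FIG. 13 threshold-k group check, as an added Python example that is not the patent's code; SHA-256 as the one-way function, '|' as the field separator, and position ranges as (x, y, radius) in local metres (so overlap is a planar circle test) are assumptions.

```python
"""Deletion password, authentication ID and k-threshold risk monitoring.

Added example, not the patent's code. Assumptions: SHA-256 as the one-way
function, '|' as field separator in the hash input, and position ranges as
(x, y, radius) in local metres so that overlap is a planar circle test.
"""
from __future__ import annotations
import hashlib
import hmac
from dataclasses import dataclass

def one_way(*parts: str) -> str:
    """Hash function applied to the combination of the given fields."""
    return hashlib.sha256("|".join(parts).encode()).hexdigest()

def deletion_password(data_id: str, personal_password: str) -> str:
    """S6020a: hash of data ID and personal password, so it differs per data ID."""
    return one_way(data_id, personal_password)

def authentication_id(del_pw: str, data_id: str, attrs: str) -> str:
    """Authentication ID 650 from data ID 620, attributes 610 and deletion pw 640."""
    return one_way(data_id, attrs, del_pw)

@dataclass(frozen=True)
class AnonInfo:
    data_id: str
    time_range: tuple[int, int]             # time range 521
    pos_range: tuple[float, float, float]   # position range 522: x, y, r
    attrs: str                              # representative data 523
    auth_id: str                            # authentication ID 650

def make_anon_info(data_id, time_range, pos_range, attrs, personal_pw) -> AnonInfo:
    """Output-source side: nothing in the shared item identifies the source."""
    del_pw = deletion_password(data_id, personal_pw)
    return AnonInfo(data_id, time_range, pos_range, attrs,
                    authentication_id(del_pw, data_id, attrs))

class SharingUnit:
    """Information sharing unit 340 and processing unit 360 of a holding device."""
    def __init__(self) -> None:
        self.held: dict[str, AnonInfo] = {}
    def share(self, info: AnonInfo) -> None:
        self.held[info.data_id] = info
    def handle_deletion_request(self, del_pw: str) -> list[str]:
        """Receiver of S6030a: delete items whose recomputed ID matches; return IDs."""
        matched = [i.data_id for i in self.held.values() if hmac.compare_digest(
            authentication_id(del_pw, i.data_id, i.attrs), i.auth_id)]
        for data_id in matched:
            del self.held[data_id]
        return matched

def overlaps(a: AnonInfo, b: AnonInfo) -> bool:
    """Group condition: time ranges intersect and position circles intersect."""
    t_ok = a.time_range[0] <= b.time_range[1] and b.time_range[0] <= a.time_range[1]
    (x1, y1, r1), (x2, y2, r2) = a.pos_range, b.pos_range
    return t_ok and ((x1 - x2) ** 2 + (y1 - y2) ** 2) ** 0.5 <= r1 + r2

def risky_own_ids(held: dict[str, AnonInfo], own_ids: set[str], k: int) -> list[str]:
    """FIG. 13 check: own items whose overlapping group has at most k members."""
    risky = []
    for info in held.values():
        if info.data_id in own_ids:
            group = [o for o in held.values() if overlaps(info, o)]  # self included
            if len(group) <= k:
                risky.append(info.data_id)
    return risky

if __name__ == "__main__":
    # Constructed sample: two own items (password pw-alice), one from another device.
    holder = SharingUnit()
    for info in (make_anon_info("id-A", (0, 600), (0.0, 0.0, 150.0), "coffee", "pw-alice"),
                 make_anon_info("id-B", (300, 900), (100.0, 0.0, 100.0), "coffee", "pw-bob"),
                 make_anon_info("id-C", (5000, 5600), (3000.0, 3000.0, 100.0), "train", "pw-alice")):
        holder.share(info)
    for data_id in risky_own_ids(holder.held, {"id-A", "id-C"}, k=1):   # S6010a
        print("deleted", holder.handle_deletion_request(deletion_password(data_id, "pw-alice")))
```

The holding device never learns the personal password or which device is the source; it only checks that the deletion password reproduces the stored authentication ID, and a password derived for one data ID deletes nothing else.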
Description
FIG. 2 is a system configuration diagram showing an example of the configuration of an anonymization information sharing system including the anonymization information sharing apparatus according to Embodiment 1 of the present invention.
FIG. 8 is a block diagram showing the configuration of the anonymization information sharing apparatus according to Embodiment 2 of the present invention, and corresponds to FIG. 3 of Embodiment 1. The same parts as in FIG. 3 are given the same reference numerals, and their description is omitted. In the following, where appropriate, the anonymization information sharing apparatus 300a that is the output source of a given piece of anonymization information is denoted anonymization information sharing apparatus 300as, and the anonymization information sharing apparatus 300a that is the output destination of that anonymization information is denoted anonymization information sharing apparatus 300ar.
200 communication network
300, 300a anonymization information sharing apparatus
310 information non-sharing unit
320 authentication ID generation unit
330 anonymization unit
340 information sharing unit
350 anonymization information processing request unit
360 anonymization information processing unit
370a personal attribute information storage unit
380a data ID storage unit
390a personal identification risk monitoring unit
Claims (7)
- An anonymization information sharing apparatus that shares, with another apparatus, anonymization information whose output source is anonymized, comprising: an authentication ID generation unit that, for each piece of sharing target information, applies a first one-way function to a combination of part or all of the sharing target information and a processing password to generate an authentication ID; an anonymization unit that adds the generated authentication ID to the sharing target information to generate anonymization information; an information sharing unit that outputs the generated anonymization information and causes the other apparatus to hold it; and an anonymization information processing request unit that generates a processing request including the processing password, transmits it to the other apparatus, and requests the other apparatus to execute, on the anonymization information held by the other apparatus, a predetermined process permitted only to the output source, based on the match between the result of applying the first one-way function to a combination of part or all of the anonymization information held by the other apparatus and the processing password, and the authentication ID of the anonymization information held by the other apparatus.
- The anonymization information sharing apparatus according to claim 1, wherein the authentication ID generation unit applies the first one-way function to a combination of part or all of the sharing target information, the processing password, and a data ID to generate the authentication ID.
- The anonymization information sharing apparatus according to claim 1, wherein the authentication ID generation unit applies a second one-way function to a combination of a personal password and the data ID to generate the processing password.
- The anonymization information sharing apparatus according to claim 1, wherein the information sharing unit holds anonymization information output from the anonymization information sharing apparatus and anonymization information output from the other apparatus; the apparatus further comprises a personal identification risk monitoring unit that monitors, based on the anonymization information held by the information sharing unit, the risk that the anonymization information sharing apparatus is identified as the output source of the anonymization information it output; the anonymization information processing request unit requests the predetermined process of the other apparatus when the risk is high; and the predetermined process is a process that lowers the risk.
- The anonymization information sharing apparatus according to claim 1, wherein the predetermined process includes deletion of the anonymization information held by the other apparatus.
- An anonymization information sharing apparatus that shares, with another apparatus, anonymization information whose output source is anonymized and which includes sharing target information and an authentication ID, comprising: an information sharing unit that holds the anonymization information output from the other apparatus; and an anonymization information processing unit that, when a processing request including a processing password is received from the other apparatus, determines, for each piece of anonymization information held by the information sharing unit, whether to execute a predetermined process on the anonymization information, based on the match between the result of applying a first one-way function to a combination of part or all of the sharing target information of the anonymization information and the processing password, and the authentication ID of the anonymization information.
- An anonymization information sharing method for sharing, with another apparatus, anonymization information whose output source is anonymized, comprising: a step of, for each piece of sharing target information, applying a first one-way function to a combination of part or all of the sharing target information and a processing password to generate an authentication ID; a step of adding the generated authentication ID to the sharing target information to generate anonymization information; a step of outputting the generated anonymization information and causing the other apparatus to hold it; and a step of generating a processing request including the processing password, transmitting it to the other apparatus, and requesting the other apparatus to execute, on the anonymization information held by the other apparatus, a predetermined process permitted only to the output source, based on the match between the result of applying the first one-way function to a combination of part or all of the anonymization information held by the other apparatus and the processing password, and the authentication ID of the anonymization information held by the other apparatus.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/814,051 US8752149B2 (en) | 2010-08-06 | 2011-07-22 | Device for sharing anonymized information, and method for sharing anonymized information |
JP2012503824A JP5735485B2 (ja) | 2010-08-06 | 2011-07-22 | 匿名化情報共有装置および匿名化情報共有方法 |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2010177540 | 2010-08-06 | ||
JP2010-177540 | 2010-08-06 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2012017612A1 true WO2012017612A1 (ja) | 2012-02-09 |
Family
ID=45559137
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2011/004144 WO2012017612A1 (ja) | 2010-08-06 | 2011-07-22 | 匿名化情報共有装置および匿名化情報共有方法 |
Country Status (3)
Country | Link |
---|---|
US (1) | US8752149B2 (ja) |
JP (1) | JP5735485B2 (ja) |
WO (1) | WO2012017612A1 (ja) |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2013232068A (ja) * | 2012-04-27 | 2013-11-14 | Kddi Corp | 位置情報匿名化装置、位置情報匿名化方法およびプログラム |
JP2014044528A (ja) * | 2012-08-24 | 2014-03-13 | Kddi Corp | ユーザ非特定情報の提供記録を通知するユーザ情報管理装置、プログラム及び方法 |
JP2014109934A (ja) * | 2012-12-03 | 2014-06-12 | Fujitsu Ltd | 匿名化データ生成方法、装置及びプログラム |
WO2015033416A1 (ja) * | 2013-09-05 | 2015-03-12 | 株式会社日立製作所 | 情報処理システム及びそのデータ処理方法 |
JP2015510163A (ja) * | 2012-01-08 | 2015-04-02 | インターナショナル・ビジネス・マシーンズ・コーポレーションInternational Business Machines Corporation | ソーシャル・ネットワーキング・ウェブ・サービスを介した機密情報アクセスのための方法、システム、コンピュータ・プログラム |
WO2016117354A1 (ja) * | 2015-01-19 | 2016-07-28 | ソニー株式会社 | 情報処理装置および方法、並びにプログラム |
JP2020102214A (ja) * | 2018-12-19 | 2020-07-02 | キヤノンメディカルシステムズ株式会社 | 医用情報匿名化システム、及び匿名化方法設定装置 |
US20210203481A1 (en) * | 2018-05-14 | 2021-07-01 | nChain Holdings Limited | Systems and methods for storage, generation and verification of tokens used to control access to a resource |
US11809600B2 (en) | 2020-07-31 | 2023-11-07 | Snowflake Inc. | Data clean room |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2013031997A1 (ja) * | 2011-09-02 | 2013-03-07 | 日本電気株式会社 | 匿名化装置、及び、匿名化方法 |
US11120163B2 (en) * | 2014-11-14 | 2021-09-14 | Oracle International Corporation | Associating anonymous information with personally identifiable information in a non-identifiable manner |
US11165771B2 (en) | 2017-11-20 | 2021-11-02 | At&T Intellectual Property I, L.P. | Proximity based data access restrictions |
US10666584B2 (en) * | 2018-10-06 | 2020-05-26 | Jiazheng Shi | Method and system for protecting messenger identity |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2007058590A (ja) * | 2005-08-24 | 2007-03-08 | Nec Corp | 主体同一性判定システム、及びプログラム |
JP2008226133A (ja) * | 2007-03-15 | 2008-09-25 | Hitachi Software Eng Co Ltd | 個人情報管理システム |
Family Cites Families (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE69836455T2 (de) * | 1997-08-20 | 2007-03-29 | Canon K.K. | System für elektronische Wasserzeichen, elektronisches Informationsverteilungssystem und Gerät zur Abspeicherung von Bildern |
JP2000221881A (ja) * | 1999-02-01 | 2000-08-11 | Nec Corp | 電子署名端末装置、電子署名管理装置および電子署名システム |
US20050086492A1 (en) * | 2003-08-15 | 2005-04-21 | Fiberlink Communications Corporation | System, method, apparatus and computer program product for facilitating digital communications |
US7565702B2 (en) * | 2003-11-03 | 2009-07-21 | Microsoft Corporation | Password-based key management |
US20110110568A1 (en) * | 2005-04-08 | 2011-05-12 | Gregory Vesper | Web enabled medical image repository |
GB2446199A (en) * | 2006-12-01 | 2008-08-06 | David Irvine | Secure, decentralised and anonymous peer-to-peer network |
JP5083218B2 (ja) | 2006-12-04 | 2012-11-28 | 日本電気株式会社 | 情報管理システム、匿名化方法、及び記憶媒体 |
JP2009237804A (ja) * | 2008-03-26 | 2009-10-15 | Sky Co Ltd | 電子メールシステム |
JP5008633B2 (ja) * | 2008-10-15 | 2012-08-22 | 日本電信電話株式会社 | プライバシー侵害監視装置、プライバシー侵害監視方法及びプログラム |
US8364969B2 (en) * | 2009-02-02 | 2013-01-29 | Yahoo! Inc. | Protecting privacy of shared personal information |
US8661423B2 (en) * | 2009-05-01 | 2014-02-25 | Telcordia Technologies, Inc. | Automated determination of quasi-identifiers using program analysis |
US20110078775A1 (en) * | 2009-09-30 | 2011-03-31 | Nokia Corporation | Method and apparatus for providing credibility information over an ad-hoc network |
2011
- 2011-07-22 US US13/814,051 patent/US8752149B2/en not_active Expired - Fee Related
- 2011-07-22 JP JP2012503824A patent/JP5735485B2/ja not_active Expired - Fee Related
- 2011-07-22 WO PCT/JP2011/004144 patent/WO2012017612A1/ja active Application Filing
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2007058590A (ja) * | 2005-08-24 | 2007-03-08 | Nec Corp | 主体同一性判定システム、及びプログラム |
JP2008226133A (ja) * | 2007-03-15 | 2008-09-25 | Hitachi Software Eng Co Ltd | 個人情報管理システム |
Non-Patent Citations (1)
Title |
---|
KAZUKI OTSU ET AL.: "Access Seigyo Kiko o Motsu P2P File Kyoyu System", 2005 NEN SYMPOSIUM ON CRYPTOGRAPHY AND INFORMATION SECURITY, vol. 1, 25 January 2005 (2005-01-25), pages 13 - 18 * |
Cited By (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2015510163A (ja) * | 2012-01-08 | 2015-04-02 | インターナショナル・ビジネス・マシーンズ・コーポレーションInternational Business Machines Corporation | ソーシャル・ネットワーキング・ウェブ・サービスを介した機密情報アクセスのための方法、システム、コンピュータ・プログラム |
US9419967B2 (en) | 2012-01-08 | 2016-08-16 | International Business Machines Corporation | Confidential information access via social networking web site |
JP2013232068A (ja) * | 2012-04-27 | 2013-11-14 | Kddi Corp | 位置情報匿名化装置、位置情報匿名化方法およびプログラム |
JP2014044528A (ja) * | 2012-08-24 | 2014-03-13 | Kddi Corp | ユーザ非特定情報の提供記録を通知するユーザ情報管理装置、プログラム及び方法 |
JP2014109934A (ja) * | 2012-12-03 | 2014-06-12 | Fujitsu Ltd | 匿名化データ生成方法、装置及びプログラム |
WO2015033416A1 (ja) * | 2013-09-05 | 2015-03-12 | 株式会社日立製作所 | 情報処理システム及びそのデータ処理方法 |
WO2016117354A1 (ja) * | 2015-01-19 | 2016-07-28 | ソニー株式会社 | 情報処理装置および方法、並びにプログラム |
JPWO2016117354A1 (ja) * | 2015-01-19 | 2017-10-26 | ソニー株式会社 | 情報処理装置および方法、並びにプログラム |
US11838407B2 (en) | 2018-05-14 | 2023-12-05 | Nchain Licensing Ag | Computer-implemented systems and methods for using a blockchain to perform an atomic swap |
US20210203481A1 (en) * | 2018-05-14 | 2021-07-01 | nChain Holdings Limited | Systems and methods for storage, generation and verification of tokens used to control access to a resource |
US11764947B2 (en) * | 2018-05-14 | 2023-09-19 | Nchain Licensing Ag | Systems and methods for storage, generation and verification of tokens used to control access to a resource |
US11917051B2 (en) | 2018-05-14 | 2024-02-27 | Nchain Licensing Ag | Systems and methods for storage, generation and verification of tokens used to control access to a resource |
US11985225B2 (en) | 2018-05-14 | 2024-05-14 | Nchain Licensing Ag | Computer-implemented systems and methods for using veiled values in blockchain |
JP2020102214A (ja) * | 2018-12-19 | 2020-07-02 | キヤノンメディカルシステムズ株式会社 | 医用情報匿名化システム、及び匿名化方法設定装置 |
US11880485B2 (en) | 2018-12-19 | 2024-01-23 | Canon Medical Systems Corporation | Medical information anonymizing system and anonymizing method setting device |
JP7433038B2 (ja) | 2018-12-19 | 2024-02-19 | キヤノンメディカルシステムズ株式会社 | 医用情報匿名化システム、及び匿名化方法設定装置 |
US11809600B2 (en) | 2020-07-31 | 2023-11-07 | Snowflake Inc. | Data clean room |
Also Published As
Publication number | Publication date |
---|---|
US20130133050A1 (en) | 2013-05-23 |
US8752149B2 (en) | 2014-06-10 |
JPWO2012017612A1 (ja) | 2013-09-19 |
JP5735485B2 (ja) | 2015-06-17 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2012017612A1 (ja) | 匿名化情報共有装置および匿名化情報共有方法 | |
US11907397B2 (en) | Records access and management | |
TWI784092B (zh) | 分享電子醫療健康記錄的方法與系統 | |
KR101200814B1 (ko) | 근거리 무선 통신 기반의 개인 건강 기록 관리 방법 및 시스템 | |
CN113228023A (zh) | 培训和健康领域的统一识别协议 | |
EP3583526A1 (en) | Records access and management | |
US20150046192A1 (en) | Records access and management | |
KR20200016458A (ko) | 블록체인 기반의 phr 플랫폼 서버 운영 방법 및 phr 플랫폼 서버 운영 시스템 | |
JP2022033242A (ja) | Bcn(ブロックチェーンネットワーク)を使用したデータ利用方法、システムおよびそのプログラム | |
JP6150129B2 (ja) | 薬歴管理装置および方法、情報処理装置および方法、並びにプログラム | |
WO2018124501A1 (ko) | 응급상황에서 제3자에 대한 응급의료 정보제공 방법 | |
JP2003162578A (ja) | 緊急医療情報提供方法および緊急医療情報提供システム | |
JP2013250754A (ja) | カルテ情報地域共有システム | |
WO2016065172A1 (en) | Records access and management | |
US20100235924A1 (en) | Secure Personal Medical Process | |
KR20200134744A (ko) | 환자에 대한 진료정보 액세스 방법 및 시스템 | |
CN113722731A (zh) | 一种医疗数据共享方法、装置、电子设备及存储介质 | |
US9953188B2 (en) | System, method, and program for storing and controlling access to data representing personal behavior | |
KR100945819B1 (ko) | 휴대 단말기를 이용한 개인건강기록 서비스 방법 및 그에따른 시스템 | |
Huda et al. | Privacy-aware access to patient-controlled personal health records in emergency situations | |
KR102064970B1 (ko) | 의료 기록 관리 방법 및 장치 | |
CN109979555A (zh) | 一种病案数据管理方法 | |
JP7437592B1 (ja) | ヘルスケアデータ管理システム、ヘルスケアデータ管理方法及びヘルスケアデータ管理プログラム | |
KR102573773B1 (ko) | 개인정보 비식별 처리를 적용한 디지털 치료제 처방 데이터 교환 시스템 및 방법 | |
JP6566990B2 (ja) | 薬歴管理装置および方法、並びにプログラム |
Legal Events
Code | Title | Description |
---|---|---|
WWE | Wipo information: entry into national phase | Ref document number: 2012503824 Country of ref document: JP |
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 11814251 Country of ref document: EP Kind code of ref document: A1 |
WWE | Wipo information: entry into national phase | Ref document number: 13814051 Country of ref document: US |
NENP | Non-entry into the national phase | Ref country code: DE |
122 | Ep: pct application non-entry in european phase | Ref document number: 11814251 Country of ref document: EP Kind code of ref document: A1 |