WO2014185043A1 - Information processing device, information anonymization method, and recording medium - Google Patents


Info

Publication number
WO2014185043A1
Authority
WO (WIPO, PCT)
Prior art keywords
generalization, policy, information processing, processing apparatus, data
Application number
PCT/JP2014/002480
Other languages
French (fr), Japanese (ja)
Inventor
隆夫 竹之内
Original Assignee
日本電気株式会社

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. a local or distributed file system or database
    • G06F 21/6245 Protecting personal data, e.g. for financial or medical purposes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0407 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden

Definitions

  • the present invention relates to information processing, and in particular to data anonymization.
  • personal data includes data about the individual that should not be disclosed (sensitive data (SD: Sensitive Data), held in a sensitive data attribute). For this reason, personal privacy must be protected before personal data can be disclosed.
  • SD: Sensitive Data (the attribute holding it is the sensitive data attribute)
  • Anonymization technology is one technology that protects privacy.
  • the information processing apparatus related to the present invention, for example, deletes the identifier (ID: Identifier) that uniquely identifies an individual from the personal data and then publishes the data.
  • ID: Identifier
  • personal data may include data that can identify (specify) an individual when combined with other data.
  • QID: quasi-identifier
  • the information processing apparatus related to the present invention anonymizes the quasi-identifiers (QIDs) so that the personal data to be provided satisfies a predetermined policy for protecting it.
  • k-anonymity is a policy that guarantees anonymization in which each group of data contains at least “k” records having the same quasi-identifier or the same combination of quasi-identifiers.
  • l-diversity is a policy that guarantees anonymization in which each group of data contains at least “l” distinct sensitive data values.
  • t-proximity (also known as t-closeness) is a policy that guarantees that the distance between the distribution of sensitive data within each group and the distribution of sensitive data over the whole data set is equal to or less than “t”.
  • m-invariance is a policy that guarantees, across sequential disclosures of data, that each group contains at least “m” records with the same combination of quasi-identifiers and that those records all have different sensitive data.
  • k-anonymization is anonymization satisfying “k-anonymity”.
  • l-diversification is anonymization satisfying “l-diversity”.
  • t-proximity anonymization and m-invariant anonymization are anonymization satisfying “t-proximity” and “m-invariance”, respectively.
  • many anonymization techniques have been proposed (see, for example, Non-Patent Document 1). “Mondrian Multidimensional”, described in Non-Patent Document 1, starts with all the data in a single group and then repeatedly divides it on its quasi-identifiers into a plurality of groups so that k-anonymity is satisfied.
  • the number of data providers is not limited to one, and there may be a plurality of cases.
  • the information processing device of each providing source anonymizes the data individually and provides it to the user device.
  • the user device needs to receive anonymized data from a plurality of information processing devices of the providing sources and aggregate the anonymized data.
  • the data stored by each provider is not the same. For example, when the providers store different numbers of data records, the information processing apparatuses related to the present invention anonymize the data based on different generalization policies. Similarly, when the QIDs included in the data differ between providers, they anonymize the data based on different generalization policies. When the generalization policies used by the providers for anonymization do not correspond, the user apparatus cannot aggregate the anonymized data received from the information processing apparatuses of the plurality of providers related to the present invention.
  • the techniques of Patent Literature 1 and Non-Patent Literature 1 therefore have the problem that the user device cannot aggregate the anonymized data that has been provided.
  • An object of the present invention is to provide an information processing apparatus, an information anonymization method, and a recording medium that solve the above-described problems.
  • an information processing apparatus according to an embodiment of the present invention includes generalization policy cooperation determination means for determining, in cooperation with another apparatus, a common generalization policy, that is, a generalization policy for anonymizing data that is used in common with the other apparatus, and anonymization means for anonymizing data based on the common generalization policy.
  • in an information anonymization method according to an embodiment of the present invention, a common generalization policy, that is, a generalization policy for anonymizing data that is used in common with the other device, is determined in cooperation with the other device, and the data is anonymized based on the common generalization policy.
  • a computer-readable recording medium according to an embodiment of the present invention records a program that causes a computer apparatus to execute a process of determining, in cooperation with another device, a common generalization policy, that is, a generalization policy for anonymizing data that is used in common with the other device, and a process of anonymizing data based on the common generalization policy.
  • FIG. 1 is a diagram showing data for explaining the operation of the information processing apparatus related to the present invention.
  • FIG. 2 is a diagram showing data for explaining the operation of the information processing apparatus related to the present invention.
  • FIG. 3 is a block diagram illustrating an example of a configuration of a system including the information processing apparatus according to the first embodiment of the present invention.
  • FIG. 4 is a block diagram illustrating an example of the configuration of the information processing apparatus according to the first embodiment.
  • FIG. 5 is a block diagram illustrating an example of the configuration of the information processing apparatus according to the first embodiment.
  • FIG. 6 is a flowchart illustrating an example of the operation of the information processing apparatus according to the first embodiment.
  • FIG. 7 is a diagram illustrating data for explaining the operation of the information processing apparatus according to the first embodiment.
  • FIG. 8 is a diagram illustrating data for explaining the operation of the information processing apparatus according to the first embodiment.
  • FIG. 9 is a block diagram illustrating an example of another configuration of the information processing apparatus according to the first embodiment.
  • FIG. 1 is a diagram showing data for explaining the operation of the information processing apparatus related to the present invention.
  • provider A: hereinafter denotes the information processing apparatus of provider A
  • provider B: hereinafter denotes the information processing apparatus of provider B
  • provider A anonymizes the data 1000 shown at the upper left.
  • provider A first generalizes the quasi-identifiers (QID1 and QID2) into one group, as in the data 1001 shown at the upper center.
  • provider A then divides QID1 into two groups (generalization width “120-125” and generalization width “126-129”) with the median value “125” of QID1 as the boundary, and anonymizes as in the data 1002 shown at the upper right.
  • provider B anonymizes the data 2000 shown at the lower left.
  • provider B first generalizes the quasi-identifiers (QID1 and QID2) into one group, as in the data 2001 shown at the lower center.
  • provider B then divides QID1 into two groups (generalization width “120-124” and generalization width “125-129”) with the median value “124” of QID1 as the boundary, and anonymizes as in the data 2002 shown at the lower right.
  • FIG. 2 is a diagram showing data for explaining the operation of the information processing apparatus related to the present invention.
  • the anonymized data 1002 of provider A and the anonymized data 2002 of provider B have different boundaries. Therefore, the user apparatus is faced with a plurality of possible correspondences (mappings) between the groups of provider A and the groups of provider B.
  • the group with QID1 “125-129” of provider B shares QID values with both the group with QID1 “120-125” and the group with QID1 “126-129” of provider A. For this reason, the user apparatus cannot determine which group of provider A corresponds to the group with QID1 “125-129” of provider B in the received anonymized data.
  • the information processing device related to the present invention thus has the problem that the user device cannot aggregate the provided anonymized data.
  • the information processing apparatus related to the present invention anonymizes the data using, for example, the method described below.
  • the first method is as follows.
  • the information processing apparatus related to the present invention stores a common generalization policy in advance, and anonymizes the data it holds based on that stored common generalization policy.
  • the second method is as follows.
  • the information processing apparatuses related to the present invention mutually disclose their QIDs, and each determines its anonymization policy using the QIDs of all the information processing apparatuses.
  • the information processing apparatus using the first method has a problem that the data to be stored cannot be anonymized optimally.
  • the information processing apparatus stores four data with QIDs “1”, “8”, “13”, and “19”.
  • the information processing apparatus satisfies “2-anonymity”.
  • the information processing apparatus can adopt, for example, generalization policies of “0-9” and “10-19” in order to anonymize the stored data. Therefore, it is assumed that the information processing apparatus stores “0-9” and “10-19” as common generalization policies in advance.
  • the information processing apparatus additionally stores data with QIDs “5”, “7”, “14”, and “17”.
  • if the information processing apparatus anonymizes the data based on the generalization policies “0-5”, “6-9”, “10-14”, and “15-20”, for example, 2-anonymity can still be secured.
  • the information processing apparatus using the first method has determined the generalization policies (“0-9” and “10-19”) in advance. Therefore, the information processing apparatus divides the data into “1, 5, 7, 8” and “13, 14, 17, 19” according to the generalization policy. As described above, the information processing apparatus using the first method has a problem in that it cannot carry out optimal anonymization.
  • data including QIDs is an asset of the provider. Therefore, the data provider wants to avoid disclosing data including the QIDs to other providers while it is not yet anonymized.
  • the information processing apparatus using the second method has a problem that it is difficult to implement in actual operation.
  • FIG. 3 is a block diagram showing an example of the configuration of the information processing system 40 including the information processing apparatus 10 and the information processing apparatus 30 according to the first embodiment of the present invention.
  • the information processing system 40 includes an information processing device 10, a user device 20, and an information processing device 30.
  • the information processing apparatus 10, the user apparatus 20, and the information processing apparatus 30 are connected via a general communication path, for example, a network or a bus.
  • User device 20 receives anonymized data from information processing device 10 and information processing device 30. Then, the user device 20 uses the anonymized data after aggregation.
  • the user device 20 is not particularly limited as long as it is a device that processes general data. Therefore, detailed description of the user device 20 is omitted.
  • the information processing apparatus 10 anonymizes the data and transmits it to the user apparatus 20 so that the user apparatus 20 can aggregate the anonymized data.
  • the information processing apparatus 30 is the same apparatus as the information processing apparatus 10. However, the information processing apparatus 10 cooperates with other information processing apparatuses (for example, the information processing apparatus 30) as will be described later. Therefore, in order to clarify the following description of the cooperation, the information processing apparatus 30 is assigned a reference numeral different from that of the information processing apparatus 10.
  • the information processing apparatus 10 will be described as an apparatus that is a main subject of cooperation.
  • the information processing apparatus 30 will be described as an apparatus that responds to the information processing apparatus 10. That is, the information processing apparatus 30 corresponds to “another information processing apparatus 10” that responds to the information processing apparatus 10.
  • FIG. 3 shows one information processing apparatus 10 and one information processing apparatus 30, but this number is only an illustration for convenience of description.
  • the information processing apparatus 10 according to the present embodiment may cooperate with a plurality of information processing apparatuses 30.
  • the information processing apparatus 10 will be further described with reference to the drawings.
  • FIG. 4 is a block diagram illustrating an example of the configuration of the information processing apparatus 10 according to the present embodiment.
  • FIG. 4 likewise shows one information processing apparatus 10 and one information processing apparatus 30, but as in FIG. 3 their number is only an example.
  • the information processing apparatus 10 anonymizes data in cooperation with the information processing apparatus 30.
  • the information processing apparatus 10 includes an anonymization unit 110 and a generalization policy cooperation determination unit 120.
  • the generalization policy cooperation determination unit 120 cooperates (communicates) with the information processing apparatus 30 and determines a generalization policy to be shared (hereinafter referred to as the “common generalization policy”). That is, the generalization policy cooperation determination unit 120 determines a common generalization policy in cooperation with the “other information processing apparatus 10”. It can be said that the generalization policy cooperation determination unit 120 shares the common generalization policy in cooperation with the information processing apparatus 30.
  • the common generalization policy is a generalization policy used for anonymization of data in common between the information processing apparatus 10 and the information processing apparatus 30.
  • the common generalization policy is, for example, a QID division point (boundary) or a range of data after QID division (generalization width).
  • the anonymization unit 110 anonymizes data based on the common generalization policy determined by the generalization policy cooperation determination unit 120.
  • the information processing apparatus 10 transmits the anonymized data thus anonymized to the user apparatus 20.
  • the information processing apparatus 10 and the information processing apparatus 30 anonymize with a common generalization policy. Therefore, the user device 20 can aggregate the received anonymized data.
  • the information processing apparatus 10 may share a generalization policy within a predetermined range. Then, the information processing apparatus 10 may determine a generalization policy that is suitable for its own apparatus with respect to a generalization policy that is not shared (hereinafter referred to as “individual generalization policy”).
  • the information processing apparatus 10 can anonymize data based on the individual generalization policy in addition to anonymization based on the common generalization policy.
  • the generalization policy cooperation determination unit 120 may store information on data attributes in addition to the function of determining the common generalization policy in cooperation.
  • the generalization policy cooperation determination unit 120 may store information regarding the attribute type of data to be anonymized.
  • the type of attribute is not particularly limited.
  • the following attribute types can be assumed.
  • the generalization policy cooperation determination unit 120 may determine whether the generalization policy used by the anonymization unit 110 is a common generalization policy based on the stored information.
  • the anonymization unit 110 may use information stored by the generalization policy cooperation determination unit 120 for anonymization of data. For example, when deleting an identifier from data, the anonymization unit 110 may determine the attribute to be deleted based on information indicating that the attribute corresponds to the identifier stored by the generalization policy cooperation determination unit 120.
  • the information processing apparatus 10 will be further described with reference to the drawings.
  • FIG. 5 is a block diagram illustrating an example of the configuration of the information processing apparatus 10.
  • the information processing apparatus 10 includes an anonymization unit 110, a generalization policy cooperation determination unit 120, a pre-anonymization data storage unit 160, an anonymized data storage unit 170, and a transmission unit 180.
  • the pre-anonymization data storage unit 160 stores pre-anonymization data.
  • the information processing device 10 transmits the pre-anonymization data to the user device 20 after anonymization.
  • the anonymization unit 110 creates anonymized data by anonymizing the pre-anonymization data based on the common generalization policy determined by the generalization policy cooperation determination unit 120. Moreover, as already described, the anonymization unit 110 may anonymize data using an individual generalization policy in addition to the common generalization policy. Furthermore, the anonymization unit 110 may use information stored by the generalization policy cooperation determination unit 120 for anonymizing data.
  • the anonymization unit 110 stores the anonymized data in the anonymized data storage unit 170. Also, the anonymization unit 110 responds to the request from the user device 20 and sends the anonymized data to the transmission unit 180. Note that the anonymization unit 110 may store data in the middle of anonymization in the anonymized data storage unit 170.
  • the anonymized data storage unit 170 stores the anonymized data anonymized by the anonymization unit 110.
  • the transmission unit 180 transmits the anonymized data received from the anonymization unit 110 to the user device 20. Therefore, the transmission unit 180 controls communication with the user device 20.
  • the transmission unit 180 may receive the anonymized data from the anonymized data storage unit 170 without passing through the anonymization unit 110 and transmit the anonymized data to the user device 20.
  • the generalization policy cooperation determination unit 120 determines the common generalization policy used by the anonymization unit 110 with the information processing apparatus 30 as described above. Therefore, the generalization policy cooperation determination unit 120 includes an anonymity parameter storage unit 130, a common parameter setting unit 140, and a communication unit 150.
  • the anonymity parameter storage unit 130 stores information on the types of attributes already described, for example, information on the QID (common QID) that the generalization policy cooperation determination unit 120 shares with the information processing apparatus 30 in the generalization policy. That is, the anonymity parameter storage unit 130 holds information (anonymity parameters) for determining whether or not the generalization policy used by the anonymization unit 110 is a common generalization policy.
  • the anonymity parameter storage unit 130 may also store information on the other attribute types already described, for example, information on QIDs whose generalization policy is not shared, or information on other attributes.
  • the anonymity parameter storage unit 130 has information set in advance.
  • an administrator of the information processing apparatus 10 may operate the information processing apparatus 10 to store (set) information in the anonymity parameter storage unit 130.
  • the common parameter setting unit 140 determines a common generalization policy (common parameter) based on information stored in the anonymity parameter storage unit 130 in cooperation with the information processing apparatus 30.
  • the common parameter setting unit 140 will be further described under the following assumptions using a specific example.
  • the data of the information processing apparatus 10 includes QID1 and QID2 as quasi-identifiers to be anonymized.
  • the anonymity parameter storage unit 130 is set with information for determining the generalization policy of QID1 in cooperation.
  • the anonymity parameter storage unit 130 is set with information for sharing QID1.
  • information indicating that the determination of the generalization policy of QID2 is not to be coordinated is set. That is, information that QID2 is not shared is set in the anonymity parameter storage unit 130. Therefore, QID1 is a common QID, and the generalization policy of QID1 is a common generalization policy.
  • QID2 is not a common QID, and the generalization policy of QID2 is an individual generalization policy.
  • the common parameter setting unit 140 determines whether QID1 is a common QID based on information stored by the anonymity parameter storage unit 130. In this case, QID1 is a common QID. Therefore, the common parameter setting unit 140 starts cooperation with the information processing apparatus 30 for commonization of the common generalization policy (QID1 generalization policy).
  • when the common generalization policy of the information processing apparatus 30 is received, the common parameter setting unit 140 determines the common generalization policy used for anonymization based on the common generalization policy of its own device and the received common generalization policy.
  • if cooperation does not succeed, the common parameter setting unit 140 gives up cooperation. In this case, the information processing apparatus 10 anonymizes the data in the same way as for the individual generalization policy described below.
  • the common parameter setting unit 140 determines whether QID2 is a common QID based on information stored by the anonymity parameter storage unit 130. In this case, QID2 is not a common QID. Therefore, the common parameter setting unit 140 does not cooperate with the information processing apparatus 30. In this case, the information processing apparatus 10 anonymizes the data based on the individual generalization policy (QID2 generalization policy).
  • when a generalization policy is received from the information processing apparatus 30, the common parameter setting unit 140 determines whether to share it based on the information stored by the anonymity parameter storage unit 130.
  • when it determines that the policy is to be shared, the common parameter setting unit 140 transmits the common generalization policy of its own device to the information processing apparatus 30. Then, the information processing apparatus 10 determines the common generalization policy used for anonymization based on the received common generalization policy and the common generalization policy of its own apparatus.
  • when it determines that the policy is not to be shared, the common parameter setting unit 140 does not respond to the information processing apparatus 30. However, the information processing apparatus 10 may notify the information processing apparatus 30 that it does not cooperate.
  • the common parameter setting unit 140 may determine whether to cooperate based on the content of the received generalization policy (for example, a QID2 generalization policy).
  • the communication unit 150 mediates the communication between the common parameter setting unit 140 and the information processing apparatus 30. That is, the communication unit 150 controls communication with the communication unit 150 of the information processing device 30.
  • FIG. 6 is a flowchart illustrating an example of the anonymization operation of the information processing apparatus 10 according to the first embodiment.
  • the generalization policy is described as a QID division point (boundary) as an example. That is, the information processing apparatus 10 shares the QID division points.
  • the anonymity secured by the information processing apparatus 10 is determined in advance.
  • the information processing apparatus 10 knows the information processing apparatus 30 that cooperates (for example, the number of apparatuses that cooperate with each other and their addresses).
  • the anonymization unit 110 of the information processing apparatus 10 determines the QID to be divided based on the data stored by the pre-anonymization data storage unit 160 (step S210). For example, the anonymization unit 110 may select a QID having the widest value range. Alternatively, the anonymization unit 110 may select QIDs in order in a round robin manner.
  • the anonymization unit 110 sends the determined QID generalization policy to the common parameter setting unit 140.
  • the anonymization unit 110 determines the division point (boundary) of the QID, and sends the QID and the boundary to the common parameter setting unit 140 as a generalization policy.
  • the common parameter setting unit 140 determines whether or not the received QID is a common QID based on the information stored by the anonymity parameter storage unit 130 (step S220).
  • when the received QID is a common QID, the common parameter setting unit 140 shares a generalization policy (for example, the division point (boundary) of the common QID) with the information processing apparatus 30 via the communication unit 150 (step S230).
  • the common parameter setting unit 140 operates as follows.
  • the common parameter setting unit 140 notifies the information processing apparatus 30 that it intends to share the generalization policy of the QID determined in step S210 (for example, that it will divide that QID). That is, the common parameter setting unit 140 notifies the sharing of the QID. Then, the common parameter setting unit 140 waits for a response regarding cooperation from the information processing apparatus 30.
  • when receiving responses indicating that all information processing apparatuses 30 cooperate, the common parameter setting unit 140 notifies the information processing apparatuses 30 of its common generalization policy (for example, the boundary for dividing the common QID). Then, the common parameter setting unit 140 waits for notification of the common generalization policy from each information processing apparatus 30. When the common generalization policy has been received from all the information processing apparatuses 30, the common parameter setting unit 140 proceeds to step S240.
  • when only some of the information processing apparatuses 30 respond that they will cooperate, the information processing apparatus 10 may proceed to share the common generalization policy with those apparatuses. However, in the case of cooperation with only some of the information processing apparatuses 30, the information processing apparatus 10 may instead stop cooperation. In that case, the information processing apparatus 10 may operate in the same manner as when a response indicating that the information processing apparatuses 30 do not cooperate is received, described below.
  • when a response indicating that an information processing apparatus 30 does not cooperate is received, the common parameter setting unit 140 may operate similarly to the case of the individual generalization policy described later. For example, the common parameter setting unit 140 returns the generalization policy received from the anonymization unit 110 to the anonymization unit 110 unchanged.
  • the common parameter setting unit 140 need not be limited to the transmission of the cooperation notification as the start of communication in the common cooperation of common generalization policies.
  • the common parameter setting unit 140 may, without first determining a generalization policy to be shared, negotiate directly with the information processing apparatus 30 to determine the common generalization policy.
  • the common parameter setting unit 140 may transmit the common generalization policy and the cooperation notification together without transmitting the common generalization policy and the notification of commonization of the QID as a separate notification.
  • the information processing apparatus 10 may determine in advance that the transmission of the common generalization policy also serves as a notification of cooperation.
  • the common parameter setting unit 140 determines a generalization policy used for data anonymization based on the received common generalization policies (step S240). For example, when the common generalization policy is a QID boundary, the information processing apparatus 10 may use an average value of the received QID boundary as the generalization policy.
  • the information processing apparatus 30 also determines a generalization policy based on the received common generalization policy. Therefore, the information processing apparatus 10 and the information processing apparatus 30 calculate the same generalization policy (for example, a QID boundary) as the generalization policy used for anonymization.
  • the information processing apparatus 10 and the information processing apparatus 30 determine the generalization policy for anonymization in cooperation.
  • After determining the generalization policy, the common parameter setting unit 140 returns the determined generalization policy to the anonymization unit 110.
  • the common parameter setting unit 140 may not receive the common generalization policy from the information processing apparatus 30 due to, for example, a network failure or a failure of the information processing apparatus 30.
  • the common parameter setting unit 140 may return the boundary received from the anonymization unit 110 to the anonymization unit 110 as the generalization policy. That is, the information processing apparatus 10 may anonymize data using the generalization policy determined by the anonymization unit 110 when the generalization policy cannot be determined in cooperation.
  • the information processing apparatus 10 may notify the user apparatus 20 of the failure.
  • the common parameter setting unit 140 returns the boundary received from the anonymization unit 110 to the anonymization unit 110 as a generalization policy.
  • the anonymization unit 110 divides the QID based on the generalization policy received from the common parameter setting unit 140 (step S250).
  • the information processing apparatus 10 cooperates with the information processing apparatus 30 and anonymizes data based on the common generalization policy.
  • the information processing apparatus 10 does not cooperate with the information processing apparatus 30 and anonymizes the data based on the generalization policy determined by the own apparatus.
  • the anonymization unit 110 confirms the anonymity of the data (step S260).
  • the anonymization unit 110 proceeds to the division of the next QID (step S210).
  • the information processing apparatus 10 repeats the division as long as the anonymity is satisfied.
  • the anonymization unit 110 cancels the immediately preceding division and ends the anonymization process (step S270).
  • When the immediately preceding division was of a common QID, the information processing apparatus 10 notifies the cooperating information processing apparatus 30 that the generalization has been cancelled.
  • the information processing apparatus 10 may change the division point in cooperation with the information processing apparatus 30.
  • the information processing apparatus 10 may notify the information processing apparatus 30 of the end of cooperation after the anonymization process is completed.
  • the information processing apparatus 10 determines a generalization policy in cooperation with the information processing apparatus 30 in the case of a generalization policy to be shared in anonymization.
  • FIG. 7 is a diagram illustrating data for explaining the operation of determining the generalization policy of the information processing apparatus 10.
  • FIG. 7 shows the data of the information processing apparatus 10 (apparatus A in FIG. 7), for example.
  • the lower part of FIG. 7 shows data of another information processing apparatus 10 (that is, the information processing apparatus 30, shown as apparatus B in FIG. 7).
  • QID1 shown in FIG. 7 is a common QID.
  • the anonymization unit 110 first anonymizes data 3000 and data 4000 into data 3001 and data 4001 in the most anonymized state. That is, the anonymization unit 110 anonymizes each QID into one group.
  • the data 3001 and data 4001 shown in the center of FIG. 7 are the first anonymized states of QID1 and QID2.
  • the anonymization unit 110 determines the dividing point (boundary) of QID1. For example, the anonymization unit 110 of the device A determines the average “125” of QID1 of the data 3001 as the boundary. Similarly, the anonymization unit 110 of the device B determines the average “124” of QID1 of the data 4001 as a boundary.
  • the information processing apparatus 10 calculates the average of QID1 as a boundary.
  • the information processing apparatus 10 has no particular limitation on how to determine the boundary.
  • the information processing apparatus 10 may use the average of the groups having the largest size (the number of records is large) among the groups of QID1 as a boundary.
  • the data 3001 and the data 4001 shown in FIG. 7 are in the initial state, the number of groups is 1, and the size of the group is 5. That is, the group of the device A and the device B shown in FIG. 7 is the largest group. Then, the devices A and B calculate the average of the largest group, and determine “125” and “124” as the boundaries, respectively.
  • the information processing apparatus 10 need not be limited to the average of the group having the largest size (the number of records is large) as a boundary.
  • the information processing apparatus 10 may use the median value of the group as the boundary.
  • the information processing apparatus 10 may select another group such as a group having a wide range.
  • the anonymization unit 110 sends QID1 and the boundary to the common parameter setting unit 140.
  • the common parameter setting unit 140 determines whether QID1 is a common QID.
  • QID1 is a common QID.
  • the common parameter setting unit 140 of the device A and the common parameter setting unit 140 of the device B exchange, via the communication unit 150, the boundary of QID1, which is the common generalization policy.
  • apparatus A transmits an average “125” of QID1 and receives an average “124” of QID1 of apparatus B.
  • the common parameter setting unit 140 returns the determined generalization policy (common generalization policy) to the anonymization unit 110.
  • the anonymization unit 110 anonymizes data based on the received generalization policy (here, the boundary “124” of QID1).
  • FIG. 8 is a diagram illustrating data for explaining the anonymization operation of the information processing apparatus 10 according to the present embodiment.
  • the data 3002 of the device A and the data 4002 of the device B are displayed side by side so that the data can be easily compared.
  • the data boundary of the anonymized data 3002 of the device A and the anonymized data 4002 of the device B match. Therefore, the user device 20 can collect data.
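The cooperative division described above (steps S210 to S270 and the FIG. 7 walk-through), as an added worked example in Python that is not part of the patent or of any NEC implementation: two simulated devices each propose the mean of their largest group as the boundary of the common QID, the common boundary is the mean of the exchanged proposals (the page's example rule), both sides divide at it, and the division is cancelled on both sides as soon as either side would lose k-anonymity. The sample values, the labelling of groups by the agreed cut points (the global recoding the page requires for a common QID), and the single-device call used to model a device that anonymizes alone are this example's own assumptions.

```python
from statistics import mean

# Constructed sample values for one shared numeric quasi-identifier (e.g. age),
# one list per provider. These are not data from the patent.
DEVICE_A = [23, 31, 45, 52, 60, 38, 41, 29, 55, 47]
DEVICE_B = [25, 33, 44, 50, 61, 36, 40, 30, 58, 49]


def largest_group(groups):
    """Index of the group with the most records; that group is divided next."""
    return max(range(len(groups)), key=lambda i: len(groups[i]))


def propose_boundary(groups):
    """A device's own proposal: the average of its largest group (as device A
    proposes 125 and device B 124 in the FIG. 7 walk-through)."""
    return mean(groups[largest_group(groups)])


def split_at(groups, boundary):
    """Divide the largest group at `boundary`; values >= boundary go high."""
    idx = largest_group(groups)
    low = [v for v in groups[idx] if v < boundary]
    high = [v for v in groups[idx] if v >= boundary]
    return groups[:idx] + [low, high] + groups[idx + 1:]


def is_k_anonymous(groups, k):
    """Every group must still hold at least k records (step S260)."""
    return all(len(g) >= k for g in groups)


def cooperative_anonymize(datasets, k):
    """Top-down division of the common QID run jointly by all devices.

    Each round every device proposes a boundary, the common policy is the
    mean of the exchanged proposals, every device divides at that common
    boundary, and if any device would violate k-anonymity the round is
    cancelled for all of them (step S270, the cancellation being notified to
    the partners). Passing a single dataset models a device that anonymizes
    alone, e.g. after the partner failed to answer.
    Returns (groups per device, list of agreed cut points).
    """
    groups = [[list(d)] for d in datasets]
    cuts = []
    while True:
        proposals = [propose_boundary(g) for g in groups]
        boundary = mean(proposals)
        trial = [split_at(g, boundary) for g in groups]
        if not all(is_k_anonymous(t, k) for t in trial):
            break  # cancel the immediately preceding division and stop
        groups, cuts = trial, cuts + [boundary]
    return groups, cuts


def generalized_labels(groups, cuts):
    """Global recoding for the common QID: label each group by the agreed cut
    points enclosing it, so equal labels on different devices denote the same
    range and a user device can aggregate the groups."""
    edges = [float("-inf")] + sorted(cuts) + [float("inf")]
    labels = []
    for g in groups:
        lo, hi = min(g), max(g)
        for a, b in zip(edges, edges[1:]):
            if a <= lo and hi < b:
                labels.append((a, b))
                break
    return sorted(labels)


if __name__ == "__main__":
    joint, agreed = cooperative_anonymize([DEVICE_A, DEVICE_B], k=3)
    print("agreed cuts:", agreed)
    for name, g in zip("AB", joint):
        print(name, generalized_labels(g, agreed))
    alone_a, cuts_a = cooperative_anonymize([DEVICE_A], k=3)
    alone_b, cuts_b = cooperative_anonymize([DEVICE_B], k=3)
    print("alone:", generalized_labels(alone_a[0], cuts_a),
          generalized_labels(alone_b[0], cuts_b))
```

With the two devices cooperating, both end up cut at the same point and their group labels coincide; when each device runs on its own, the cut points (42.1 and 42.6 for the sample values) differ and the user device has nothing it can merge, which is the situation the page describes for non-cooperating providers.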
  • the information processing apparatus 10 anonymizes data.
  • with the information processing apparatus 10, the user apparatus 20 can aggregate the data after anonymization, and the data provider obtains the effect of providing data that has been anonymized appropriately for that provider.
  • the generalization policy cooperation determination unit 120 of the information processing apparatus 10 determines, in cooperation with the information processing apparatus 30 (that is, another information processing apparatus 10), a common generalization policy to be shared in anonymization. Furthermore, the generalization policy cooperation determination unit 120 communicates the generalization policy that the anonymization unit 110 has determined to be optimal at that time. Therefore, the generalization policy cooperation determination unit 120 can determine a more appropriate generalization policy than when the generalization policy is determined in advance. In addition, the anonymization unit 110 of the information processing apparatus 10 can anonymize data based on the common generalization policy determined in cooperation. Therefore, the user device 20 can aggregate the data after anonymization.
  • the information processing apparatus 10 can anonymize data without transmitting the data to the information processing apparatus 30.
  • the information processing apparatus 10 can determine the common generalization policy by transmitting the common generalization policy to the information processing apparatus 30. And the information processing apparatus 10 can anonymize data based on a common generalization policy. Thus, the information processing apparatus 10 can anonymize the data without transmitting the data to the information processing apparatus 30.
  • the information processing device 10 needs to set the data values covered by the common generalization policy to the same generalized value (global recoding: Global Re-Coding).
  • the information processing apparatus 10 does not need to anonymize the data value of the individual generalization policy so as to satisfy the global recoding.
  • the information processing apparatus 10 may set the data value of the individual generalization policy as a different generalized value (local recoding: Local Re-Coding).
  • the information processing apparatus 10 may also anonymize categorical data (name, preference, etc.), in addition to numerical data for which ranges and magnitudes are easy to determine.
  • the information processing apparatus 10 may apply a conceptual tree classification system (taxonomy) to the data and anonymize the data.
  • the information processing apparatus 10 is not limited to the top-down anonymization method that repeats the division as illustrated in FIG. 6, and may use a bottom-up anonymization method that repeats the combination. Alternatively, the information processing apparatus 10 may combine top down and bottom up.
  • the information processing apparatus 10 and the information processing apparatus 30 may receive overlapping cooperation requests from each other.
  • the information processing apparatus 10 may determine the common generalization policy in cooperation based on the operation described above.
  • the information processing apparatus 10 and the information processing apparatus 30 need to select the common QID.
  • the information processing apparatus 10 and the information processing apparatus 30 may determine which common QID is used by arbitrating. Alternatively, the information processing apparatus 10 and the information processing apparatus 30 may set a priority order when cooperation requests overlap in advance.
  • the information processing apparatus 10 may determine the common QID to be used in cooperation by arbitration.
  • the information processing apparatus 10 may determine a predetermined priority order of the common QID in advance. For example, the information processing apparatus 10 may adopt a common QID having the largest number of cooperation requests as a common QID.
  • the information processing apparatus 10 and the information processing apparatus 30 transmit a common generalization policy of the determined common QID. Subsequent operations may be the same as those already described.
  • the configuration of the information processing apparatus 10 is not limited to the above description.
  • the information processing apparatus 10 may divide each component into a plurality of components.
  • the information processing apparatus 10 does not need to be configured by one apparatus.
  • the information processing apparatus 10 may be configured using a device including the anonymization unit 110 connected via a network and a device including the generalization policy cooperation determination unit 120.
  • the information processing apparatus 10 may configure either or both of the pre-anonymization data storage unit 160 and the anonymized data storage unit 170 as an external storage device.
  • the information processing apparatus 10 may be configured with a plurality of components by one apparatus.
  • the information processing apparatus 10 may be realized as a computer apparatus including a CPU (Central Processing Unit), a ROM (Read Only Memory), and a RAM (Random Access Memory).
  • the information processing apparatus 10 may further be realized as a computer apparatus including an input / output connection circuit (IOC: Input Output Circuit) and a network interface circuit (NIC: Network Interface Circuit).
  • FIG. 9 is a block diagram illustrating an example of a configuration of an information processing device 60 that is a modification of the information processing device 10 of the present embodiment.
  • the information processing device 60 includes a CPU 610, a ROM 620, a RAM 630, an internal storage device 640, an IOC 650, and a NIC 680, and constitutes a computer.
  • CPU 610 reads a program from ROM 620.
  • the CPU 610 controls the RAM 630, the internal storage device 640, the IOC 650, and the NIC 680 based on the read program. And the CPU 610 controls these structures and implement
  • the CPU 610 may use the RAM 630 as a temporary program storage when realizing each function.
  • the CPU 610 may read the program included in the storage medium 700 storing the program so as to be readable by a computer using a storage medium reading device (not shown). Alternatively, the CPU 610 may receive a program from an external device (not shown) via the NIC 680.
  • ROM 620 stores programs executed by CPU 610 and fixed data.
  • the ROM 620 is, for example, a P-ROM (Programmable-ROM) or a flash ROM.
  • the RAM 630 temporarily stores programs executed by the CPU 610 and data.
  • the RAM 630 is, for example, a D-RAM (Dynamic-RAM).
  • the internal storage device 640 stores data and programs stored in the information processing device 60 for a long time. Further, the internal storage device 640 may operate as a temporary storage device for the CPU 610.
  • the internal storage device 640 is, for example, a hard disk device, a magneto-optical disk device, an SSD (Solid State Drive), or a disk array device.
  • the IOC 650 mediates data between the CPU 610, the input device 660, and the display device 670.
  • the IOC 650 is, for example, an IO interface card.
  • the input device 660 is a device that receives an input instruction from an operator of the information processing apparatus 60.
  • the input device 660 is, for example, a keyboard, a mouse, or a touch panel.
  • the display device 670 is a device that displays information to the operator of the information processing apparatus 60.
  • the display device 670 is a liquid crystal display, for example.
  • the NIC 680 relays data exchange with an external device via a network.
  • the NIC 680 is, for example, a LAN (Local Area Network) card.
  • the information processing apparatus 60 configured as described above can obtain the same effects as the information processing apparatus 10.
  • the information processing apparatus 10 anonymizes data based on the generalization policy shared with the information processing apparatus 30.
  • the common generalization policy may be different from the optimal generalization policy for the information processing apparatus 10.
  • the degree of difficulty (difficulty level) of anonymizing data differs among information processing apparatuses 10 according to, for example, the data amount (data size) or the anonymity of the data to be handled.
  • the difficulty level is an index indicating the difficulty of ensuring the anonymity of data.
  • the difficulty level is an index that increases in value as it is difficult to ensure data anonymity.
  • the difficulty level may be an index that decreases in value as it is difficult to ensure anonymity of data.
  • the information processing apparatus 10 that handles data having a small data size has fewer boundary candidates than the information processing apparatus 10 that handles data having a large data size.
  • in the information processing apparatus 10 that handles a small data size, the boundaries at which the data can be divided are limited to around the median.
  • the information processing apparatus 10 having a small data size has a higher degree of difficulty in securing anonymity than the information processing apparatus 10 having a large data size.
  • the information processing apparatus 10 has different degrees of difficulty in securing anonymity even if the data size is the same.
  • the information processing apparatus 10 exchanges with the information processing apparatus 30 the difficulty level of ensuring anonymity, or information regarding that difficulty level.
  • the data size is an example of a factor that determines the difficulty level of securing data anonymity.
  • the data size is an example of an index whose value decreases as it becomes more difficult to ensure data anonymity.
  • k-anonymity is more difficult to secure as the value of “k” is larger. Therefore, the value of “k” in k-anonymity is an example of a factor that determines the difficulty level of securing data anonymity. Note that the value of “k” for k-anonymity is an example of an index whose value increases as it becomes more difficult to ensure data anonymity.
  • the generalization policy cooperation determination unit 120 of the information processing apparatus 10 according to the present embodiment determines the common generalization policy in consideration of the difficulty level of anonymity or information regarding that difficulty level.
  • the configuration of the information processing apparatus 10 of the present embodiment is the same as that of the first embodiment, and thus the description of the configuration is omitted. Also, description of operations similar to those in the first embodiment will be omitted, and operations unique to the present embodiment will be described.
  • the data size (number of records) of device A is “100”.
  • the data size (number of records) of device B is “10”.
  • “5-anonymity” is secured.
  • the data can be divided into two groups with a data size (number of records) of “5” as a group after division.
  • the device B cannot satisfy “5-anonymity” of the data in the divided group.
  • the generalization policy linkage determination unit 120 of the information processing apparatus 10 does not determine the common generalization policy based on both generalization policies.
  • instead, the generalization policy linkage determination unit 120 of the information processing apparatus 10 determines the generalization policy of the information processing apparatus 10 having the small data size (number of records), that is, apparatus B, as the common generalization policy.
  • the generalization policy cooperation determination unit 120 of the information processing apparatus 10 may change the generalization policy determination method as the anonymization process progresses. That is, the information processing apparatus 10 is not limited to the stored data size and may use the data size after division.
  • the generalization policy cooperation determination unit 120 of the information processing device 10 may determine a common generalization policy based on the generalization policies of all the information processing devices 10.
  • for example, this applies while the data size (number of records) after division is at or above a predetermined multiple (for example, 3 times) of the anonymity to be secured (for example, the “k” of “k-anonymity”).
  • the generalization policy cooperation determination unit 120 of the information processing apparatus 10 may prioritize the generalization policy of the information processing apparatus 10 whose data size (number of records) has become small, and use it as the common generalization policy.
  • the opposite case is a case where the data size (number of records) after the division of any one of the information processing apparatuses 10 becomes smaller than a predetermined multiple for the anonymity to be secured.
  • the generalization policy linkage determination unit 120 of the information processing device 10 may treat the generalization policies of the information processing devices 10 in consideration of their data sizes, instead of treating them equally.
  • the information processing apparatus 10 may set a weight based on the data size of each information processing apparatus 10 (for example, a weight inversely proportional to the data size).
  • the information processing apparatus 10 may multiply each boundary value by a weight inversely proportional to the data size, as shown in the following formula (1), and thereby determine the boundary value (division point) of the generalization policy.
  • the boundary value (edge1) in the device A is “120”, and the boundary value (edge2) in the device B is “126”.
  • the boundary value of Equation (1) is as follows.
  • the boundary value obtained using Equation (1) is close to the boundary value of device A having a small data size. That is, priority is given to the boundary of the device A where it is difficult to ensure anonymization. As a result, in the device A having a small data size, many divisions are possible. That is, the generalization policy of apparatus A is given priority.
  • the information processing apparatus 10 may operate as follows, for example.
  • the information processing apparatus 10 may prioritize the generalization policy of the information processing apparatus 10 having a large “k” value.
  • the information processing apparatus 10 may cooperate in consideration of the difficulty level of anonymity. For example, when ensuring “k-anonymity”, the information processing apparatus 10 may use the value of “k” as a weight.
  • the information processing apparatus 10 may use the following mathematical formula (2).
  • Equation (2) is as follows.
  • the boundary value obtained using Equation (2) is close to the boundary value of the device A having high anonymity (“k” is large). That is, priority is given to the boundary of the device A where it is difficult to ensure anonymization. As a result, in the device A that is difficult to anonymize, many divisions are possible.
  • the information processing apparatus 10 may combine the above.
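The weighting of exchanged boundaries by data size (formula (1)), by the required "k" (formula (2)), and by both combined, as an added Python example that is not part of the patent: the page gives the boundary proposals edge1 = 120 and edge2 = 126 but not the formulas themselves, so the weighted means below are this example's assumed reading of "a weight inversely proportional to the data size" and "the value of k as a weight", and the data sizes and k values are constructed so that device A is the one for which anonymity is harder to secure.

```python
from fractions import Fraction

# Constructed example: boundary proposals edge1 = 120 (device A) and
# edge2 = 126 (device B) as on the page; the data sizes and k values are
# this example's own assumptions (device A: fewer records, larger k).
EDGES = [120, 126]
SIZES = [10, 100]   # records held by device A and device B
KS = [5, 2]         # k of k-anonymity required by device A and device B


def weighted_boundary(edges, weights):
    """Weighted mean of the exchanged boundary values (exact arithmetic)."""
    total = sum(Fraction(w) for w in weights)
    return sum(Fraction(e) * Fraction(w) for e, w in zip(edges, weights)) / total


def boundary_by_size(edges, sizes):
    """Assumed form of formula (1): weight inversely proportional to data size."""
    return weighted_boundary(edges, [Fraction(1, n) for n in sizes])


def boundary_by_k(edges, ks):
    """Assumed form of formula (2): the k to be secured used as the weight."""
    return weighted_boundary(edges, ks)


def boundary_by_size_and_k(edges, sizes, ks):
    """Combination of both criteria (weight k / n), as the page allows."""
    return weighted_boundary(edges, [Fraction(k, n) for k, n in zip(ks, sizes)])


def prioritized_device(boundary, edges):
    """Index of the device whose own boundary the common one lies closest to."""
    return min(range(len(edges)),
               key=lambda i: abs(Fraction(edges[i]) - boundary))


if __name__ == "__main__":
    for name, b in (("by size", boundary_by_size(EDGES, SIZES)),
                    ("by k", boundary_by_k(EDGES, KS)),
                    ("by size and k", boundary_by_size_and_k(EDGES, SIZES, KS))):
        print(f"{name}: {b} ~= {float(b):.3f}, closest to device "
              f"{'AB'[prioritized_device(b, EDGES)]}")
```

All three rules pull the common boundary towards device A's proposal of 120, which is the priority the page describes for the device where anonymity is harder to secure; swapping the sizes so that device B is the small provider moves the result towards 126 instead.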
  • the information processing apparatus 10 may use the difficulty level of ensuring anonymity even in the selection of the common QID described in the modification of the first embodiment.
  • the information processing apparatus 10 of the present embodiment can obtain the effect of setting an appropriate generalization policy even when the difficulty level of ensuring anonymity differs among the information processing apparatuses 10.
  • the information processing apparatus 10 changes the method of determining the generalization policy to be prioritized based on the degree of difficulty in securing anonymity.
  • the information processing apparatus 10 determines a generalization policy to be prioritized based on the data size of the data to be anonymized (data size to be stored or data size after division) or anonymity.
  • the information processing apparatus 10 selects the generalization policy of the information processing apparatus 10 having a small data size or high anonymity.
  • the information processing apparatus 10 gives priority to the generalization policy of the information processing apparatus 10 having a small data size or high anonymity.
  • the information processing apparatus 10 according to the present embodiment can easily ensure anonymization of the information processing apparatus 10 that is difficult to anonymize.
  • (Supplementary Note 1) An information processing apparatus comprising: generalization policy linkage determining means for determining, in cooperation with another device, a common generalization policy that is a generalization policy for anonymization of data used in common with the other device; and anonymizing means for anonymizing data based on the common generalization policy.
  • (Supplementary Note 2) The information processing apparatus according to Supplementary Note 1, wherein the generalization policy linkage determination means determines a generalization policy of at least some attributes of the data to be anonymized as the common generalization policy.
  • (Supplementary Note 3) The information processing apparatus according to Supplementary Note 2, wherein the anonymization means anonymizes data based on, in addition to the common generalization policy, a generalization policy of at least some attributes not included in the common generalization policy.
  • (Supplementary Note 4) The information processing apparatus according to Supplementary Note 2 or 3, wherein the generalization policy linkage determination means determines the attribute to be used for the common generalization policy in cooperation with the other apparatus.
  • (Supplementary Note 5) The information processing apparatus according to any one of Supplementary Notes 1 to 4, wherein the common generalization policy is a generalization policy of a quasi-identifier, and includes a generalization width and/or a boundary of the quasi-identifier.
  • (Supplementary Note 6) The information processing apparatus according to any one of the above Supplementary Notes, wherein the generalization policy linkage determination means determines the common generalization policy based on a difficulty level, which is an index indicating the difficulty of securing the anonymization of data required in the own device and in the other device when anonymizing data.
  • (Supplementary Note 7) The information processing apparatus according to Supplementary Note 6, wherein the difficulty level is calculated based on the data size of the data to be anonymized or on the anonymity.
  • (Supplementary Note 8) The information processing apparatus according to any one of Supplementary Notes 1 to 7, wherein the generalization policy linkage determination means comprises: anonymity parameter storage means for holding anonymity parameters, which are information for determining whether a generalization policy used by the anonymization means is the common generalization policy; common parameter setting means for determining the common generalization policy in cooperation with the other device; and communication means for mediating communication between the common parameter setting means and the other device.
  • (Supplementary Note 9) The information processing apparatus according to any one of Supplementary Notes 1 to 8, further comprising: pre-anonymization data storage means for storing the pre-anonymization data to be anonymized by the anonymization means; anonymized data storage means for storing the anonymized data produced by the anonymization means; and transmission means for transmitting the anonymized data to a user device.
  • (Supplementary Note 10) The information processing apparatus according to any one of Supplementary Notes 1 to 9, wherein the generalization policy linkage determination means determines in advance, among a plurality of apparatuses, the apparatus whose cooperation is prioritized in determining the common generalization policy, or the attribute of the generalization policy that is prioritized.
  • (Supplementary Note 12) A computer-readable recording medium storing a program for causing a computer device to execute: a process of determining, in cooperation with another device, a common generalization policy that is a generalization policy for anonymization of data used in common with the other device; and a process of anonymizing data based on the common generalization policy.

Abstract

In order to allow a user device to integrate anonymized data and allow data to be appropriately anonymized for the provider as well, an information processing device according to the present invention comprises: a generalization policy coordination determination means which in coordination with another device determines a common generalization policy, which is a generalization policy for anonymization of data, shared with the other device; and an anonymization means for anonymizing the data on the basis of the common generalization policy.

Description

Information processing apparatus, information anonymization method, and recording medium
The present invention relates to information processing, and in particular to data anonymization.
In recent years, a great deal of personal data has been converted into electronic form.
With this conversion of data into electronic form, demand for secondary use of personal data is expanding.
However, personal data includes data related to an individual that the individual does not want disclosed (sensitive data (SD: Sensitive Data), or a sensitive attribute (Sensitive Attribute)). Therefore, disclosing personal data requires protection of the individual's privacy.
Anonymization technology is one technology for protecting privacy. The information processing apparatus of the provider (providing source) of data anonymizes the data and transmits it to the apparatus of the user who uses the data (hereinafter referred to as the “user apparatus”).
An information processing apparatus related to the present invention, for example, deletes an identifier (ID: Identifier) that uniquely identifies an individual from the personal data and then publishes the data.
However, personal data may include data that can identify (specify) an individual when combined with other data. A “quasi-identifier (QID: Quasi-Identifier)” is such data, which can identify an individual when combined with other data.
Therefore, an information processing apparatus related to the present invention anonymizes the quasi-identifiers (QIDs) so as to satisfy a predetermined policy for protecting the personal data to be provided.
Several anonymization policies (generalization policies) have been proposed.
For example, “k-anonymity” and “l-diversity” are widely used (see, for example, Patent Document 1). “k-anonymity” is a policy that guarantees an anonymization in which each group of data contains “k” or more records having the same quasi-identifier or the same combination of quasi-identifiers. “l-diversity” is a policy that guarantees an anonymization in which each group of data contains “l” or more pieces of sensitive data.
In addition, for example, “t-closeness” and “m-invariance” have been proposed. “t-closeness” is a policy that guarantees that the difference between the distance in the distribution of sensitive data between groups and the distance in the distribution of all attributes is “t” or less. “m-invariance” is a policy that guarantees that, in the sequential disclosure of data, there are “m” or more records with the same combination of quasi-identifying information, and that all of those records have different sensitive data.
Anonymization policies may also be used in combination.
Note that “k-anonymization” is anonymization that satisfies “k-anonymity”. Likewise, “l-diversification” is anonymization that satisfies “l-diversity”. Similarly, “t-closeness anonymization” and “m-invariance anonymization” are anonymizations that satisfy “t-closeness” and “m-invariance”, respectively.
Many anonymization techniques have also been proposed (see, for example, Non-Patent Document 1). “Mondrian Multidimensional”, described in Non-Patent Document 1, is a technique that first gathers the quasi-identifiers into a single group and then divides the data into a plurality of groups so as to satisfy k-anonymity.
JP 2011-170632 A
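The definitions of k-anonymity and l-diversity given above, as an added Python example that is not from the patent: a checker that groups records by their combination of quasi-identifier values and reports the groups that violate either property. The sample table is constructed, and l-diversity is checked in its distinct-value form (at least l different sensitive values per group), which is an assumption this example makes about the definition.

```python
from collections import defaultdict

# Constructed sample table: two generalized quasi-identifiers and one
# sensitive attribute (SD). Not data from the patent.
RECORDS = [
    {"age": "20-29", "zip": "100**", "disease": "flu"},
    {"age": "20-29", "zip": "100**", "disease": "cold"},
    {"age": "20-29", "zip": "100**", "disease": "flu"},
    {"age": "30-39", "zip": "101**", "disease": "asthma"},
    {"age": "30-39", "zip": "101**", "disease": "asthma"},
    {"age": "30-39", "zip": "101**", "disease": "asthma"},
]
QIDS = ("age", "zip")
SD = "disease"


def equivalence_classes(records, qids):
    """Group records that share the same combination of QID values."""
    classes = defaultdict(list)
    for r in records:
        classes[tuple(r[q] for q in qids)].append(r)
    return dict(classes)


def k_violations(records, qids, k):
    """QID combinations that occur fewer than k times (break k-anonymity)."""
    return sorted(key for key, rows in equivalence_classes(records, qids).items()
                  if len(rows) < k)


def l_violations(records, qids, sd, l):
    """Groups with fewer than l distinct sensitive values (break l-diversity)."""
    return sorted(key for key, rows in equivalence_classes(records, qids).items()
                  if len({r[sd] for r in rows}) < l)


def is_k_anonymous(records, qids, k):
    return not k_violations(records, qids, k)


def is_l_diverse(records, qids, sd, l):
    return not l_violations(records, qids, sd, l)


if __name__ == "__main__":
    print("3-anonymous:", is_k_anonymous(RECORDS, QIDS, 3))
    print("2-diverse:", is_l_diverse(RECORDS, QIDS, SD, 2),
          "violating groups:", l_violations(RECORDS, QIDS, SD, 2))
```

The sample table is 3-anonymous but not 2-diverse: the second group is large enough, yet every member has the same sensitive value, so knowing that someone falls into that group already reveals the value. That is why the two policies are used together, as the text notes.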
However, the provider (source) of data is not limited to one; there may be a plurality of providers.
The information processing apparatus of each provider anonymizes its data individually and provides it to a user apparatus.
Therefore, when there are a plurality of data providers, the user apparatus needs to receive anonymized data from the information processing apparatuses of the plurality of providers and aggregate that anonymized data.
However, the data held by the providers is not the same. Therefore, for example, when the providers hold different numbers of data records, the information processing apparatuses related to the present invention anonymize their data on the basis of different generalization policies. Similarly, when the data contain different QIDs, the information processing apparatuses related to the present invention anonymize their data on the basis of different generalization policies. And when the generalization policies used for anonymization by the providers do not match, the user apparatus cannot aggregate the anonymized data received from the information processing apparatuses of the plurality of providers related to the present invention.
Thus, when the information processing apparatuses of a plurality of providers provide data, the techniques described in Patent Document 1 and Non-Patent Document 1 have the problem that the user apparatus cannot aggregate the anonymized data it has received.
An object of the present invention is to provide an information processing apparatus, an information anonymization method, and a recording medium that solve the above-described problem.
An information processing apparatus according to one aspect of the present invention includes: generalization policy cooperation determination means for cooperating with another apparatus to determine a common generalization policy, which is a generalization policy for anonymizing data that is used in common with the other apparatus; and anonymization means for anonymizing data on the basis of the common generalization policy.
An information anonymization method according to one aspect of the present invention cooperates with another apparatus to determine a common generalization policy, which is a generalization policy for anonymizing data that is used in common with the other apparatus, and anonymizes data on the basis of the common generalization policy.
A computer-readable recording medium according to one aspect of the present invention records a program that causes a computer apparatus to execute: a process of cooperating with another apparatus to determine a common generalization policy, which is a generalization policy for anonymizing data that is used in common with the other apparatus; and a process of anonymizing data on the basis of the common generalization policy.
According to the present invention, it is possible to provide anonymized data that a user apparatus can aggregate after anonymization.
FIG. 1 is a diagram showing data for explaining the operation of the information processing apparatus related to the present invention.
FIG. 2 is a diagram showing data for explaining the operation of the information processing apparatus related to the present invention.
FIG. 3 is a block diagram showing an example of the configuration of a system including the information processing apparatus according to the first embodiment of the present invention.
FIG. 4 is a block diagram showing an example of the configuration of the information processing apparatus according to the first embodiment.
FIG. 5 is a block diagram showing an example of the configuration of the information processing apparatus according to the first embodiment.
FIG. 6 is a flowchart showing an example of the operation of the information processing apparatus according to the first embodiment.
FIG. 7 is a diagram showing data for explaining the operation of the information processing apparatus according to the first embodiment.
FIG. 8 is a diagram showing data for explaining the operation of the information processing apparatus according to the first embodiment.
FIG. 9 is a block diagram showing an example of another configuration of the information processing apparatus according to the first embodiment.
Next, embodiments of the present invention will be described with reference to the drawings.
Before describing the embodiments of the present invention, the operation of an information processing apparatus related to the present invention will be described.
FIG. 1 is a diagram showing data for explaining the operation of the information processing apparatus related to the present invention.
For convenience of explanation, in the following description the information processing apparatus of provider A is referred to as "provider A". Similarly, the information processing apparatus of provider B is referred to as "provider B".
Suppose that provider A anonymizes the data 1000 shown at the upper left. First, provider A anonymizes the quasi-identifiers (QID1 and QID2) into a single group, as in the data 1001 shown at the upper center. Then, provider A divides QID1 into two groups (generalization width "120-125" and generalization width "126-129") with the median value of QID1, "125", as the boundary, and anonymizes the data as in the data 1002 shown at the upper right.
Meanwhile, suppose that provider B anonymizes the data 2000 shown at the lower left. First, provider B anonymizes the quasi-identifiers (QID1 and QID2) into a single group, as in the data 2001 shown at the lower center. Then, provider B divides QID1 into two groups (generalization width "120-124" and generalization width "125-129") with the median value of QID1, "124", as the boundary, and anonymizes the data as in the data 2002 shown at the lower right.
FIG. 2 is a diagram showing data for explaining the operation of the information processing apparatus related to the present invention.
As shown in FIG. 2, the anonymized data 1002 of provider A and the anonymized data 2002 of provider B have different boundaries. Therefore, the user apparatus can conceive of a plurality of ways of connecting (mapping) the groups of provider A to the groups of provider B.
For example, the group of provider B in which QID1 is "125-129" shares QID values with both the group of provider A in which QID1 is "120-125" and the group in which QID1 is "126-129". Therefore, the user apparatus cannot determine to which group of provider A the group of provider B with QID "125-129" in the received anonymized data should be connected.
Thus, when the information processing apparatuses of a plurality of providers provide data, the information processing apparatus related to the present invention has the problem that the user apparatus cannot aggregate the anonymized data it has received.
Therefore, an information processing apparatus related to the present invention anonymizes data using, for example, the techniques described next.
The first technique is as follows.
In the first technique, the information processing apparatus related to the present invention stores a common generalization policy in advance. The information processing apparatus related to the present invention then anonymizes data on the basis of the stored common generalization policy.
The second technique is as follows.
In the second technique, the information processing apparatuses related to the present invention disclose their QIDs to each other. The information processing apparatuses related to the present invention then determine the anonymization policy using the QIDs of all the information processing apparatuses.
However, an information processing apparatus using the first technique has the problem that it cannot anonymize the data it holds optimally.
This will be explained using a specific example.
For example, suppose that the information processing apparatus holds four data records whose QIDs are "1", "8", "13", and "19". Suppose also that the information processing apparatus is to satisfy "2-anonymity".
In this case, to anonymize the data it holds, the information processing apparatus can adopt, for example, the generalization policy "0-9" and "10-19". Suppose, then, that the information processing apparatus stores "0-9" and "10-19" in advance as the common generalization policy.
Suppose, however, that the information processing apparatus subsequently stores additional data records whose QIDs are "5", "7", "14", and "17".
The information processing apparatus could then anonymize the data on the basis of, for example, the generalization policy "0-5", "6-9", "10-14", and "15-20", and still ensure "2-anonymity".
However, the information processing apparatus using the first technique has determined the generalization policy ("0-9" and "10-19") in advance. Therefore, following that generalization policy, the information processing apparatus divides the data into "1, 5, 7, 8" and "13, 14, 17, 19". Thus, the information processing apparatus using the first technique has the problem that it cannot carry out optimal anonymization.
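The two problems described above, reproduced on constructed sample data as an added example (this is not code from the patent): independent median splits of QID1 by providers A and B give boundaries 125 and 124, so one of B's groups overlaps two of A's groups, and a generalization policy fixed in advance stays 2-anonymous after new records arrive but is coarser than a policy chosen from the current data. The QID1 values are constructed to reproduce the medians in FIG. 1, and the "mean width" metric used to compare the two policies is this example's own assumption, not the patent's definition of optimality.

```python
"""Added example: misaligned median splits (FIG. 1/FIG. 2) and the cost of a
generalization policy fixed in advance (the "first technique")."""
from collections import defaultdict


def median_split(values):
    """Mondrian-style single split of one QID at its lower median.

    Returns the boundary and the two generalization widths
    [(min, boundary), (boundary + 1, max)], inclusive on both ends.
    """
    s = sorted(values)
    boundary = s[(len(s) - 1) // 2]          # lower median for even-sized lists
    return boundary, [(s[0], boundary), (boundary + 1, s[-1])]


def overlapping(group, other_groups):
    """Groups of the other provider sharing at least one QID value with `group`."""
    lo, hi = group
    return [(a, b) for (a, b) in other_groups if a <= hi and b >= lo]


def bucketize(values, policy):
    """Assign each QID value to the generalization width that contains it."""
    buckets = defaultdict(list)
    for v in values:
        for lo, hi in policy:
            if lo <= v <= hi:
                buckets[(lo, hi)].append(v)
                break
        else:
            raise ValueError(f"no generalization width covers {v}")
    return dict(buckets)


def is_k_anonymous(buckets, k):
    """Every non-empty group holds at least k records (k-anonymity on this QID)."""
    return all(len(members) >= k for members in buckets.values())


def mean_width(policy):
    """Assumed comparison metric: average number of values per generalization
    width (smaller means less information is lost by generalization)."""
    return sum(hi - lo + 1 for lo, hi in policy) / len(policy)


# --- 1. independent median splits (values constructed to match FIG. 1) ------
PROVIDER_A_QID1 = [120, 123, 125, 126, 127, 129]   # median 125 -> 120-125 / 126-129
PROVIDER_B_QID1 = [120, 121, 124, 125, 128, 129]   # median 124 -> 120-124 / 125-129


def ambiguous_groups(values_a, values_b):
    """Groups of B that the user apparatus could map to more than one group of A."""
    _, groups_a = median_split(values_a)
    _, groups_b = median_split(values_b)
    return [g for g in groups_b if len(overlapping(g, groups_a)) > 1]


# --- 2. policy fixed in advance vs. a policy chosen from the current data ----
INITIAL_QIDS = [1, 8, 13, 19]                        # the four records held first
ADDED_QIDS = [5, 7, 14, 17]                          # records stored later
FIXED_POLICY = [(0, 9), (10, 19)]                    # stored in advance
ADAPTIVE_POLICY = [(0, 5), (6, 9), (10, 14), (15, 20)]   # possible after additions


def compare_policies(values, k=2):
    """Return (fixed_k_ok, adaptive_k_ok, fixed_mean_width, adaptive_mean_width)."""
    fixed = bucketize(values, FIXED_POLICY)
    adaptive = bucketize(values, ADAPTIVE_POLICY)
    return (is_k_anonymous(fixed, k), is_k_anonymous(adaptive, k),
            mean_width(FIXED_POLICY), mean_width(ADAPTIVE_POLICY))


if __name__ == "__main__":
    print("B groups with an ambiguous mapping onto A:",
          ambiguous_groups(PROVIDER_A_QID1, PROVIDER_B_QID1))
    print("(fixed ok, adaptive ok, fixed width, adaptive width):",
          compare_policies(INITIAL_QIDS + ADDED_QIDS))
```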
In addition, data containing QIDs is an asset of the provider. Therefore, a data provider wants to avoid disclosing data containing QIDs to other providers in a non-anonymized state.
In other words, an information processing apparatus using the second technique has the problem that it is difficult to implement in actual operation.
Next, embodiments of the present invention will be described with reference to the drawings.
Each drawing illustrates an embodiment of the present invention. However, the present invention is not limited to what is described in the drawings. Also, the same reference numerals are given to like components in the drawings, and repeated description of them may be omitted.
(First embodiment)
FIG. 3 is a block diagram showing an example of the configuration of an information processing system 40 including an information processing apparatus 10 and an information processing apparatus 30 according to the first embodiment of the present invention.
The information processing system 40 includes the information processing apparatus 10, a user apparatus 20, and the information processing apparatus 30. The information processing apparatus 10, the user apparatus 20, and the information processing apparatus 30 are connected via a general communication path, for example, a network or a bus.
The user apparatus 20 receives anonymized data from the information processing apparatus 10 and the information processing apparatus 30. The user apparatus 20 then aggregates the anonymized data and uses it. The user apparatus 20 is not particularly limited as long as it is an apparatus that processes general data. Therefore, a detailed description of the user apparatus 20 is omitted.
The information processing apparatus 10 anonymizes data and transmits it to the user apparatus 20 in such a way that the user apparatus 20 can aggregate the anonymized data.
The information processing apparatus 30 is an apparatus similar to the information processing apparatus 10. However, as described later, the information processing apparatus 10 cooperates with other information processing apparatuses (for example, the information processing apparatus 30). Therefore, to make the following description of the cooperation clear, the information processing apparatus 30 is given a reference numeral different from that of the information processing apparatus 10.
Accordingly, in the description of the cooperation, the information processing apparatus 10 is described as the apparatus that initiates the cooperation, and the information processing apparatus 30 is described as the apparatus that responds to the information processing apparatus 10. In other words, the information processing apparatus 30 corresponds to "another information processing apparatus 10" that responds to the information processing apparatus 10.
Therefore, in the following description, the configurations and operations of the information processing apparatus 10 and the information processing apparatus 30 may be interchanged.
Also, in the following description, when there is no need to distinguish between the information processing apparatus 10 and the information processing apparatus 30, they are described as the information processing apparatus 10.
In FIG. 3, there is one information processing apparatus 10 and one information processing apparatus 30, but these numbers are examples given for convenience of explanation. The information processing apparatus 10 of the present embodiment may cooperate with a plurality of information processing apparatuses 30. The same applies to the information processing apparatus 30. In other words, the information processing system 40 including the information processing apparatus 10 and the information processing apparatus 30 according to the present embodiment may include a plurality of information processing apparatuses 10 and a plurality of information processing apparatuses 30.
The information processing apparatus 10 will be described further with reference to the drawings.
FIG. 4 is a block diagram showing an example of the configuration of the information processing apparatus 10 of the present embodiment.
In FIG. 4, there is one information processing apparatus 10 and one information processing apparatus 30, but, as in FIG. 3, these numbers are examples.
The information processing apparatus 10 anonymizes data in cooperation with the information processing apparatus 30.
Therefore, as shown in FIG. 4, the information processing apparatus 10 includes an anonymization unit 110 and a generalization policy cooperation determination unit 120.
The generalization policy cooperation determination unit 120 cooperates (communicates) with the information processing apparatus 30 to determine a generalization policy to be shared (hereinafter referred to as a "common generalization policy"). In other words, the generalization policy cooperation determination unit 120 determines the common generalization policy in cooperation with "another information processing apparatus 10". It can also be said that the generalization policy cooperation determination unit 120 unifies the common generalization policy in cooperation with the information processing apparatus 30.
Here, the common generalization policy is a generalization policy that the information processing apparatus 10 and the information processing apparatus 30 use in common for anonymizing data. The common generalization policy is, for example, the division points (boundaries) of a QID or the ranges of data after division of the QID (generalization widths).
The anonymization unit 110 anonymizes data on the basis of the common generalization policy determined by the generalization policy cooperation determination unit 120.
The information processing apparatus 10 transmits the anonymized data thus obtained to the user apparatus 20.
The information processing apparatus 10 and the information processing apparatus 30 share a common generalization policy for anonymization. Therefore, the user apparatus 20 can aggregate the anonymized data it receives.
Note that the information processing apparatus 10 does not need to share all of its generalization policies.
The information processing apparatus 10 may share generalization policies within a predetermined scope. For generalization policies that are not shared (hereinafter referred to as "individual generalization policies"), the information processing apparatus 10 may determine a generalization policy suited to itself.
In other words, in addition to anonymization based on the common generalization policy, the information processing apparatus 10 can anonymize data on the basis of individual generalization policies.
In addition to the function of cooperatively determining the common generalization policy, the generalization policy cooperation determination unit 120 may also store information on the attributes of the data.
For example, the generalization policy cooperation determination unit 120 may store information on the types of the attributes of the data to be anonymized. There is no particular restriction on the attribute types. For example, the following attribute types can be assumed.
(1) Identifiers
(2) QIDs whose generalization policy is shared (common QIDs)
(3) QIDs whose generalization policy is not shared
(4) Others
The generalization policy cooperation determination unit 120 may determine, on the basis of the stored information, whether the generalization policy used by the anonymization unit 110 is a common generalization policy.
The anonymization unit 110 may also use the information stored by the generalization policy cooperation determination unit 120 when anonymizing data. For example, when deleting identifiers from the data, the anonymization unit 110 may determine which attributes to delete on the basis of the information, stored by the generalization policy cooperation determination unit 120, that an attribute corresponds to an identifier.
The information processing apparatus 10 will be described further with reference to the drawings.
FIG. 5 is a block diagram showing an example of the configuration of the information processing apparatus 10.
In FIG. 5, components similar to those in FIG. 4 are given the same reference numerals.
The information processing apparatus 10 includes the anonymization unit 110, the generalization policy cooperation determination unit 120, a pre-anonymization data storage unit 160, an anonymized data storage unit 170, and a transmission unit 180.
The pre-anonymization data storage unit 160 stores pre-anonymization data. The information processing apparatus 10 anonymizes the pre-anonymization data and then transmits it to the user apparatus 20.
As already described, when anonymizing the pre-anonymization data, the anonymization unit 110 anonymizes it on the basis of the common generalization policy determined by the generalization policy cooperation determination unit 120 and creates anonymized data. Also as already described, the anonymization unit 110 may anonymize data using individual generalization policies in addition to the common generalization policy. Furthermore, the anonymization unit 110 may use the information stored by the generalization policy cooperation determination unit 120 when anonymizing data.
The anonymization unit 110 then stores the anonymized data in the anonymized data storage unit 170. In response to a request from the user apparatus 20, the anonymization unit 110 also sends the anonymized data to the transmission unit 180. The anonymization unit 110 may also store data that is part-way through anonymization in the anonymized data storage unit 170.
The anonymized data storage unit 170 stores the anonymized data anonymized by the anonymization unit 110.
The transmission unit 180 transmits the anonymized data received from the anonymization unit 110 to the user apparatus 20. To do so, the transmission unit 180 controls communication with the user apparatus 20. The transmission unit 180 may also receive the anonymized data from the anonymized data storage unit 170 without going through the anonymization unit 110 and transmit it to the user apparatus 20.
As already described, the generalization policy cooperation determination unit 120 determines, together with the information processing apparatus 30, the common generalization policy used by the anonymization unit 110. To do so, the generalization policy cooperation determination unit 120 includes an anonymity parameter storage unit 130, a common parameter setting unit 140, and a communication unit 150.
The anonymity parameter storage unit 130 stores the information on attribute types already described, for example, information on the QIDs (common QIDs) for which the generalization policy cooperation determination unit 120 shares a generalization policy with the information processing apparatus 30. In other words, the anonymity parameter storage unit 130 holds information (anonymity parameters) for determining whether the generalization policy used by the anonymization unit 110 is a common generalization policy. The anonymity parameter storage unit 130 may also store the other types of information already described, for example, information on QIDs whose generalization policy is not shared, or information on other attributes.
In this description, it is assumed that information has been set in the anonymity parameter storage unit 130 in advance. For example, an administrator of the information processing apparatus 10 may operate the information processing apparatus 10 to store (set) the information in the anonymity parameter storage unit 130.
The common parameter setting unit 140 cooperates with the information processing apparatus 30 to determine the common generalization policy (common parameters) on the basis of the information stored in the anonymity parameter storage unit 130.
The common parameter setting unit 140 will be described further using a specific example, under the following assumptions.
First, the data of the information processing apparatus 10 contains QID1 and QID2 as the quasi-identifiers to be anonymized. Second, the anonymity parameter storage unit 130 holds information indicating that the generalization policy for QID1 is to be determined cooperatively; in other words, information indicating that QID1 is to be shared is set in the anonymity parameter storage unit 130. Third, the anonymity parameter storage unit 130 holds information indicating that the generalization policy for QID2 is not to be determined cooperatively; in other words, information indicating that QID2 is not to be shared is set in the anonymity parameter storage unit 130. Therefore, QID1 is a common QID, and the generalization policy for QID1 is a common generalization policy. QID2 is not a common QID, and the generalization policy for QID2 is an individual generalization policy.
First, the case where the information processing apparatus 10 initiates the cooperation will be described.
The case where data is anonymized using QID1 will be described.
First, the common parameter setting unit 140 determines whether QID1 is a common QID on the basis of the information stored in the anonymity parameter storage unit 130. In this case, QID1 is a common QID. Therefore, the common parameter setting unit 140 initiates cooperation with the information processing apparatus 30 to unify the common generalization policy (the generalization policy for QID1).
When a common generalization policy is received from the information processing apparatus 30, the common parameter setting unit 140 determines the common generalization policy to be used for anonymization on the basis of its own common generalization policy and the received common generalization policy.
When a common generalization policy cannot be received from the information processing apparatus 30, the common parameter setting unit 140 abandons the cooperation. In this case, the information processing apparatus 10 anonymizes the data in the same way as with the individual generalization policy described below.
Next, the case where QID2 is used will be described.
The common parameter setting unit 140 determines whether QID2 is a common QID on the basis of the information stored in the anonymity parameter storage unit 130. In this case, QID2 is not a common QID. Therefore, the common parameter setting unit 140 does not cooperate with the information processing apparatus 30. In this case, the information processing apparatus 10 anonymizes the data on the basis of the individual generalization policy (the generalization policy for QID2).
Next, the case where the information processing apparatus 10 receives a request for cooperation, that is, the case where the information processing apparatus 30 initiates the cooperation, will be described.
First, when a cooperation notification is received from the information processing apparatus 30, the common parameter setting unit 140 determines whether to share the policy on the basis of the information stored in the anonymity parameter storage unit 130.
When the cooperation received from the information processing apparatus 30 concerns a generalization policy that can be shared (a common generalization policy, for example the generalization policy for QID1), the common parameter setting unit 140 transmits its own common generalization policy to the information processing apparatus 30. The information processing apparatus 10 then determines the common generalization policy to be used for anonymization on the basis of the received common generalization policy and its own common generalization policy.
On the other hand, when the cooperation notification received from the information processing apparatus 30 concerns a generalization policy that cannot be shared (an individual generalization policy, for example the generalization policy for QID2), the common parameter setting unit 140 does not respond to the information processing apparatus 30. However, the information processing apparatus 10 may notify the information processing apparatus 30 that it will not cooperate.
The common parameter setting unit 140 may also decide whether to cooperate on the basis of the content of the received generalization policy.
The communication unit 150 mediates the communication between the common parameter setting unit 140 and the information processing apparatus 30. To do so, the communication unit 150 controls communication with the communication unit 150 of the information processing apparatus 30.
Next, the anonymization operation of the information processing apparatus 10 based on the common generalization policy will be described with reference to the drawings.
FIG. 6 is a flowchart illustrating an example of the anonymization operation of the information processing apparatus 10 according to the first embodiment.
In the description of FIG. 6, the generalization policy is described, as an example, as a division point (boundary) of a QID. That is, the information processing apparatus 10 shares the division points of the QID.
It is also assumed that the anonymity to be secured by the information processing apparatus 10 is determined in advance, and that the QID to be shared (the common QID) is already stored in the anonymity parameter storage unit 130.
It is further assumed that the information processing apparatus 10 knows the information processing apparatuses 30 with which it cooperates (for example, the number of cooperating apparatuses and their addresses).
First, the anonymization unit 110 of the information processing apparatus 10 determines the QID to be divided based on the data stored in the pre-anonymization data storage unit 160 (step S210). For example, the anonymization unit 110 may select the QID with the widest range of values, or it may select QIDs in turn in a round-robin manner.
Next, the anonymization unit 110 sends the generalization policy for the determined QID to the common parameter setting unit 140. For example, the anonymization unit 110 determines the division point (boundary) of the QID and sends the QID and the boundary to the common parameter setting unit 140 as the generalization policy.
The common parameter setting unit 140 determines, based on the information stored in the anonymity parameter storage unit 130, whether the received QID is a common QID (step S220).
If it is a common QID ("YES" in step S220), the common parameter setting unit 140 shares the generalization policy (for example, the division point (boundary) of the common QID) with the information processing apparatus 30 via the communication unit 150 (step S230).
For example, the common parameter setting unit 140 operates as follows.
The common parameter setting unit 140 notifies the information processing apparatus 30 of the sharing for the QID determined in step S210 (for example, that the QID is to be divided). That is, the common parameter setting unit 140 notifies it of cooperation on sharing that QID. The common parameter setting unit 140 then waits for a response regarding the cooperation from the information processing apparatus 30.
When it receives responses indicating cooperation from all information processing apparatuses 30, the common parameter setting unit 140 notifies the information processing apparatuses 30 of its common generalization policy (for example, the division boundary of the common QID). It then waits for notification of their common generalization policies from the information processing apparatuses 30. When the common generalization policies have been received from all information processing apparatuses 30, the common parameter setting unit 140 proceeds to step S240.
When it receives responses indicating cooperation from some information processing apparatuses 30 and responses declining cooperation from the others, the information processing apparatus 10 may share the common generalization policy with the information processing apparatuses 30 that responded that they cooperate, in the same way as above. However, when only some of the information processing apparatuses 30 cooperate, the information processing apparatus 10 may instead abandon the cooperation. In that case, the information processing apparatus 10 may operate in the same way as when responses declining cooperation are received from all information processing apparatuses 30, described next.
When it receives responses declining cooperation from all information processing apparatuses 30, the common parameter setting unit 140 may operate in the same way as in the case of an individual generalization policy, described later. For example, the common parameter setting unit 140 returns the generalization policy received from the anonymization unit 110 back to the anonymization unit 110.
Note that, when cooperating on sharing a common generalization policy, the common parameter setting unit 140 need not start the communication by sending a notification of cooperation. For example, rather than deciding the generalization policy to be shared in advance, the common parameter setting unit 140 may negotiate with the information processing apparatus 30 and decide the common generalization policy to be shared in cooperation. Alternatively, the common parameter setting unit 140 may send the common generalization policy together with the notification of cooperation, rather than sending the notification of cooperation on sharing the QID separately from the common generalization policy. Alternatively, the information processing apparatus 10 may establish in advance that transmission of the common generalization policy also serves as the notification of cooperation.
After receiving all the common generalization policies, the common parameter setting unit 140 determines the generalization policy to be used for anonymizing the data based on the received common generalization policies (step S240). For example, when the common generalization policy is a QID boundary, the information processing apparatus 10 may use the average of the received QID boundaries as the generalization policy.
The information processing apparatus 30 likewise determines its generalization policy based on the received common generalization policies. Therefore, the information processing apparatus 10 and the information processing apparatus 30 calculate the same generalization policy (for example, the same QID boundary) as the generalization policy used for anonymization.
In this way, the information processing apparatus 10 and the information processing apparatus 30 determine the generalization policy for anonymization in cooperation.
After determining the generalization policy, the common parameter setting unit 140 returns the determined generalization policy to the anonymization unit 110.
Note that the common parameter setting unit 140 may be unable to receive the common generalization policy from the information processing apparatus 30, for example because of a network failure or a failure of the information processing apparatus 30.
Therefore, when no common generalization policy arrives from the information processing apparatus 30, the common parameter setting unit 140 may return the boundary received from the anonymization unit 110 to the anonymization unit 110 as the generalization policy. That is, when the generalization policy cannot be determined in cooperation, the information processing apparatus 10 may anonymize the data using the generalization policy determined by the anonymization unit 110.
Alternatively, the information processing apparatus 10 may notify the user apparatus 20 of the failure.
On the other hand, when the received QID is not a common QID ("NO" in step S220), the common parameter setting unit 140 returns the boundary received from the anonymization unit 110 to the anonymization unit 110 as the generalization policy.
The anonymization unit 110 divides the QID based on the generalization policy received from the common parameter setting unit 140 (step S250).
That is, for a common QID, the information processing apparatus 10 cooperates with the information processing apparatus 30 and anonymizes the data based on the common generalization policy. For a QID that is not a common QID, the information processing apparatus 10 does not cooperate with the information processing apparatus 30 and anonymizes the data based on the generalization policy it determined itself.
After the division, the anonymization unit 110 checks the anonymity of the data (step S260).
If the anonymity is satisfied ("YES" in step S260), the anonymization unit 110 proceeds to the division of the next QID (step S210). The information processing apparatus 10 repeats the division as long as the anonymity is satisfied.
If the anonymity is not satisfied ("NO" in step S260), the anonymization unit 110 cancels the immediately preceding division and ends the anonymization process (step S270).
If the previous division was for a common QID, the information processing apparatus 10 notifies the cooperating information processing apparatus 30 of the cancellation of the generalization.
However, if the previous division was for a common QID, the information processing apparatus 10 may instead change the division point in cooperation with the information processing apparatus 30.
The information processing apparatus 10 may also notify the information processing apparatus 30 of the end of the cooperation after the anonymization process is completed.
As described above, for a generalization policy to be shared, the information processing apparatus 10 determines the generalization policy in cooperation with the information processing apparatus 30 during anonymization.
FIG. 7 is a diagram showing data for explaining the operation by which the information processing apparatus 10 determines the generalization policy.
The upper part of FIG. 7 shows, for example, the data of the information processing apparatus 10 (apparatus A in FIG. 7). The lower part of FIG. 7 shows the data of another information processing apparatus 10 (that is, the information processing apparatus 30; apparatus B in FIG. 7).
In this description, it is assumed that the information processing apparatus 10 has already communicated the QID to be shared in advance. Specifically, QID1 shown in FIG. 7 is the common QID.
The anonymization unit 110 first anonymizes data 3000 and data 4000 into data 3001 and data 4001, the most anonymized state. That is, the anonymization unit 110 anonymizes each QID into a single group.
Data 3001 and data 4001, shown in the center of FIG. 7, are the initial anonymized states of QID1 and QID2.
Next, the anonymization unit 110 determines the division point (boundary) of QID1. For example, the anonymization unit 110 of apparatus A determines the average of QID1 in data 3001, "125", as the boundary. Similarly, the anonymization unit 110 of apparatus B determines the average of QID1 in data 4001, "124", as the boundary.
In this description, the information processing apparatus 10 calculated the average of QID1 as the boundary. However, there is no particular restriction on how the information processing apparatus 10 determines the boundary.
For example, the information processing apparatus 10 may use as the boundary the average of the largest group (the group with the most records) among the groups of QID1. In their initial state, data 3001 and data 4001 shown in FIG. 7 each have one group, and the size of that group is 5. That is, the group of apparatus A and the group of apparatus B shown in FIG. 7 are each the largest group. Apparatus A and apparatus B therefore calculated the average of the largest group and determined "125" and "124", respectively, as the boundaries.
The information processing apparatus 10 need not limit the boundary to the average of the largest group (the group with the most records). For example, the information processing apparatus 10 may use the median of the group as the boundary. Alternatively, the information processing apparatus 10 may select a different group, such as the group with the widest range.
Next, the anonymization unit 110 sends QID1 and the boundary to the common parameter setting unit 140.
The common parameter setting unit 140 determines whether QID1 is a common QID. Here, QID1 is a common QID.
Therefore, the common parameter setting unit 140 of apparatus A and the common parameter setting unit 140 of apparatus B exchange their QID1 boundaries, which are the common generalization policy, via the communication units 150. For example, apparatus A transmits its QID1 average "125" and receives the QID1 average "124" of apparatus B.
The common parameter setting unit 140 then determines the common generalization policy based on the common generalization policy of its own apparatus and all the received common generalization policies, that is, all the QID1 boundaries. For example, apparatus A and apparatus B use the average of their respective boundaries (124 = (124 + 125) / 2, rounded down to an integer) as the common generalization policy.
The common parameter setting unit 140 then returns the determined generalization policy (the common generalization policy) to the anonymization unit 110.
The anonymization unit 110 anonymizes the data based on the received generalization policy (here, the QID1 boundary "124").
Data 3002 and data 4002, shown on the right of FIG. 7, are the data anonymized based on the common generalization policy (the QID1 boundary "124").
FIG. 8 is a diagram showing data for explaining the anonymization operation of the information processing apparatus 10 according to the present embodiment. FIG. 8 displays data 3002 of apparatus A and data 4002 of apparatus B side by side so that the data can be compared easily.
As is clear from FIG. 8, the data boundaries of the anonymized data 3002 of apparatus A and the anonymized data 4002 of apparatus B coincide. Therefore, the user apparatus 20 can aggregate the data.
In this way, the information processing apparatus 10 according to the present embodiment anonymizes data.
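The cooperative boundary agreement and top-down division walked through above, as an added example that is not code from the patent: the `Device` class, the device names, the five-record sample data sets, the round-robin QID order and the "values below the boundary go low" convention are assumptions; only the FIG. 7 summary values (group size 5, QID1 means 125 and 124, common boundary 124) come from the page.

```python
"""Added example, not code from the patent: two data holders agree on a split
boundary for a shared QID by exchanging only that boundary, then partition
top-down while k-anonymity holds (the FIG. 6 loop with the FIG. 7 values).
The Device class, device names and sample records are constructed here."""
from dataclasses import dataclass, field

Record = tuple[int, ...]   # one value per QID: index 0 is QID1, index 1 is QID2


@dataclass
class Device:
    """One data holder. Only boundaries ever leave the device, never records."""
    name: str
    records: list[Record]
    k: int                               # k of the k-anonymity to secure
    common_qids: frozenset[int]          # QIDs agreed in advance to be shared
    classes: list[list[Record]] = field(default_factory=list)
    history: list[tuple[int, int, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Most anonymized state first: all records form a single group.
        self.classes = [list(self.records)]

    def propose_boundary(self, qid: int) -> int:
        # Mean of the largest group, rounded down (the choice shown in FIG. 7).
        largest = max(self.classes, key=len)
        return sum(r[qid] for r in largest) // len(largest)

    def split(self, qid: int, boundary: int) -> list[list[Record]]:
        """Split every group at boundary. Assumption: values below the boundary
        go to the low group, the rest to the high group; empty groups are dropped."""
        out: list[list[Record]] = []
        for grp in self.classes:
            low = [r for r in grp if r[qid] < boundary]
            high = [r for r in grp if r[qid] >= boundary]
            out.extend(part for part in (low, high) if part)
        return out

    def is_k_anonymous(self, classes: list[list[Record]]) -> bool:
        return all(len(grp) >= self.k for grp in classes)


def agree_boundary(proposals: list[int]) -> int:
    """Common policy from all proposals: floor of their mean, so every
    cooperating device derives the same value (FIG. 7: (125 + 124) // 2 == 124)."""
    return sum(proposals) // len(proposals)


def run_round(devices: list[Device], qid: int) -> list[Device]:
    """One pass of steps S210-S270 on every device; returns the devices whose
    split held. A device whose split is cancelled ends its anonymization."""
    # All proposals are collected before anyone splits, so they describe the same state.
    proposals = {d.name: d.propose_boundary(qid) for d in devices}
    survivors: list[Device] = []
    for d in devices:
        if qid in d.common_qids:      # S220 "YES": exchange boundaries, derive the shared one
            boundary, source = agree_boundary(list(proposals.values())), "common"
        else:                         # S220 "NO": individual policy, no cooperation
            boundary, source = proposals[d.name], "individual"
        candidate = d.split(qid, boundary)                    # S250
        if not d.is_k_anonymous(candidate):                   # S260 "NO": cancel (S270)
            continue
        d.classes = candidate
        d.history.append((qid, boundary, source))
        survivors.append(d)
    return survivors


def run_demo() -> dict:
    """Constructed data: five records per device with QID1 means 125 (A) and
    124 (B) as in FIG. 7; QID1 is the common QID, QID2 an individual one."""
    dev_a = Device("A", [(110, 30), (120, 45), (125, 50), (130, 62), (140, 70)],
                   k=2, common_qids=frozenset({0}))
    dev_b = Device("B", [(100, 20), (118, 40), (124, 55), (130, 58), (148, 75)],
                   k=2, common_qids=frozenset({0}))
    active, step = [dev_a, dev_b], 0
    while active:                     # round-robin QID choice, one option for S210
        active = run_round(active, step % 2)
        step += 1
    shared = {d.name: [h for h in d.history if h[2] == "common"] for d in (dev_a, dev_b)}
    return {
        "history": {d.name: d.history for d in (dev_a, dev_b)},
        "class_sizes": {d.name: sorted(len(g) for g in d.classes) for d in (dev_a, dev_b)},
        # Identical common boundaries on both sides are what lets the user
        # apparatus 20 aggregate the two anonymized outputs.
        "aligned": shared["A"] == shared["B"],
    }


if __name__ == "__main__":
    print(run_demo())
```

With k = 2 both devices accept the shared QID1 split at 124 and then cancel their individual QID2 split, which would leave a group of one record; the history shows each device only ever sent a boundary value.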
The effects of the information processing apparatus 10 according to the present embodiment will be described.
With the information processing apparatus 10, the user apparatus 20 can aggregate the anonymized data, and the data provider obtains the effect of providing its data appropriately anonymized.
The reason is as follows.
During anonymization, the generalization policy cooperation determination unit 120 of the information processing apparatus 10 determines the common generalization policy to be shared in cooperation with the information processing apparatus 30 (that is, another information processing apparatus 10). Furthermore, the generalization policy cooperation determination unit 120 communicates the generalization policy that the anonymization unit 110 has determined to be optimal at that point in time. Therefore, the generalization policy cooperation determination unit 120 can determine a more appropriate generalization policy than when the generalization policy is fixed in advance. The anonymization unit 110 of the information processing apparatus 10 can then anonymize the data based on the common generalization policy determined in cooperation. As a result, the user apparatus 20 can aggregate the anonymized data.
The information processing apparatus 10 can also anonymize data without transmitting the data to the information processing apparatus 30.
The reason is as follows.
The information processing apparatus 10 transmits its common generalization policy to the information processing apparatus 30 and can thereby determine the common generalization policy. The information processing apparatus 10 can then anonymize the data based on that common generalization policy. In this way, the information processing apparatus 10 can anonymize the data without transmitting the data itself to the information processing apparatus 30.
<Modification 1>
A modification of the operation of the information processing apparatus 10 that is not included in the above description will be described.
Because the user apparatus 20 aggregates the data, the information processing apparatus 10 needs to give the data values governed by the common generalization policy the same generalized values (global recoding).
On the other hand, the information processing apparatus 10 does not need to anonymize the data values governed by an individual generalization policy so as to satisfy global recoding. The information processing apparatus 10 may give such data values different generalized values (local recoding).
The information processing apparatus 10 may also anonymize data that can be categorized (such as names or preferences), in addition to numerical data, for which ranges are easy to set and magnitudes easy to compare.
When the data can be categorized, the information processing apparatus 10 may apply a concept-tree classification system (a taxonomy) to the data for anonymization.
Furthermore, the information processing apparatus 10 is not limited to a top-down anonymization method that repeats division as shown in FIG. 6; it may use a bottom-up anonymization method that repeats merging. Alternatively, the information processing apparatus 10 may combine top-down and bottom-up approaches.
<Modification 2>
Requests for cooperation from the information processing apparatus 10 and from the information processing apparatus 30 may overlap.
When the common QID of the information processing apparatus 10 and the common QID of the information processing apparatus 30 are the same, the information processing apparatus 10 may determine the common generalization policy in cooperation according to the operation already described.
However, when the common QID notified by the information processing apparatus 10 in its cooperation request differs from the common QID notified by the information processing apparatus 30, the information processing apparatus 10 and the information processing apparatus 30 need to select a common QID.
The information processing apparatus 10 and the information processing apparatus 30 may decide which common QID to use by arbitration. Alternatively, they may set in advance a priority order to apply when cooperation requests overlap.
When cooperation requests from three or more apparatuses overlap, the information processing apparatus 10 may likewise determine the common QID to be decided in cooperation by arbitration.
However, arbitration takes longer to reach a decision as the number of apparatuses grows. Therefore, the information processing apparatus 10 may determine a predetermined priority order of common QIDs in advance. For example, the information processing apparatus 10 may adopt the common QID with the largest number of cooperation requests as the QID to be shared.
After the common QID to be used for cooperation is determined, the information processing apparatus 10 and the information processing apparatus 30 transmit their common generalization policies for the determined common QID. The subsequent operation may be the same as already described.
<Modification 3>
The configuration of the information processing apparatus 10 is not limited to the above description. The information processing apparatus 10 may divide each component into a plurality of components.
Furthermore, the information processing apparatus 10 need not consist of a single device. For example, the information processing apparatus 10 may be composed of a device including the anonymization unit 110 and a device including the generalization policy cooperation determination unit 120, connected via a network.
Alternatively, the information processing apparatus 10 may implement either or both of the pre-anonymization data storage unit 160 and the anonymized data storage unit 170 as external storage devices.
The information processing apparatus 10 may also implement a plurality of components in a single device.
For example, the information processing apparatus 10 may be realized as a computer device including a CPU (Central Processing Unit), a ROM (Read Only Memory), and a RAM (Random Access Memory). The information processing apparatus 10 may further be realized as a computer device that also includes an input/output connection circuit (IOC: Input Output Circuit) and a network interface circuit (NIC: Network Interface Circuit).
FIG. 9 is a block diagram illustrating an example of the configuration of an information processing apparatus 60, which is a modification of the information processing apparatus 10 of the present embodiment.
The information processing apparatus 60 includes a CPU 610, a ROM 620, a RAM 630, an internal storage device 640, an IOC 650, and a NIC 680, and constitutes a computer.
The CPU 610 reads a program from the ROM 620. Based on the read program, the CPU 610 controls the RAM 630, the internal storage device 640, the IOC 650, and the NIC 680. By controlling these components, the CPU 610 realizes the functions of the anonymization unit 110 and the generalization policy cooperation determination unit 120 shown in FIG. 4. The CPU 610 may use the RAM 630 as temporary storage for the program when realizing each function.
The CPU 610 may also read a program contained in a storage medium 700 that stores the program in a computer-readable form, using a storage medium reading device (not shown). Alternatively, the CPU 610 may receive a program from an external device (not shown) via the NIC 680.
The ROM 620 stores the programs executed by the CPU 610 and fixed data. The ROM 620 is, for example, a P-ROM (Programmable ROM) or a flash ROM.
The RAM 630 temporarily stores the programs executed by the CPU 610 and their data. The RAM 630 is, for example, a D-RAM (Dynamic RAM).
The internal storage device 640 stores data and programs that the information processing apparatus 60 retains for the long term. The internal storage device 640 may also operate as temporary storage for the CPU 610. The internal storage device 640 is, for example, a hard disk device, a magneto-optical disk device, an SSD (Solid State Drive), or a disk array device.
The IOC 650 mediates data between the CPU 610 and the input device 660 and display device 670. The IOC 650 is, for example, an IO interface card.
The input device 660 is a device that receives input instructions from the operator of the information processing apparatus 60. The input device 660 is, for example, a keyboard, a mouse, or a touch panel.
The display device 670 is a device that displays information to the operator of the information processing apparatus 60. The display device 670 is, for example, a liquid crystal display.
The NIC 680 relays data exchange with external devices via a network. The NIC 680 is, for example, a LAN (Local Area Network) card.
The information processing apparatus 60 configured in this way can obtain the same effects as the information processing apparatus 10.
The reason is as follows.
The CPU 610 of the information processing apparatus 60 can realize the same functions as the information processing apparatus 10 based on the program.
 (Second Embodiment)
 The information processing apparatus 10 anonymizes data on the basis of a generalization policy shared with the information processing apparatus 30.
 However, the shared generalization policy may differ from the policy that would be optimal for the information processing apparatus 10 on its own.
 In addition, the degree of difficulty (difficulty level) of anonymizing data differs for each information processing apparatus 10 according to, for example, the amount of data it handles (data size) or the anonymity it must ensure.
 In other words, the difficulty level is an index of how hard it is to ensure the anonymity of the data. For example, it may be an index whose value grows the harder anonymity is to ensure, or, alternatively, one whose value shrinks the harder anonymity is to ensure.
 For example, an information processing apparatus 10 handling a small data set has fewer candidate boundaries to choose from than one handling a large data set. In particular, when the amount of data an information processing apparatus 10 handles is only about twice the value "k" of "k-anonymity", the boundaries at which it can split the data are limited to those near the median.
 That is, when the information processing apparatuses 10 store data sets of different sizes, the one with the smaller data set has a higher difficulty level in ensuring anonymity than the one with the larger data set.
 Alternatively, when the information processing apparatuses 10 must ensure different levels of anonymity, their difficulty levels differ even if their data sizes are similar.
 Therefore, when the information processing apparatus 10 of this embodiment cooperates in deciding the common generalization policy, it exchanges with the information processing apparatus 30 the difficulty level of ensuring anonymity, or information related to that difficulty level.
 The factors that determine the difficulty level of ensuring anonymity are not particularly limited. The data size and anonymity mentioned above are examples of such factors.
 As the data size grows, ensuring anonymity becomes easier, so data size is one factor that determines the difficulty level. Data size is an example of an index whose value is smaller the harder the anonymity of the data is to ensure.
 With k-anonymity, the larger the value of "k", the harder anonymity is to ensure, so the value of "k" in k-anonymity is another factor that determines the difficulty level. The value of "k" is an example of an index whose value is larger the harder the anonymity of the data is to ensure.
 The generalization policy linkage determination unit 120 of the information processing apparatus 10 of this embodiment therefore decides the common generalization policy taking into account the difficulty level of anonymity, or information related to it.
 Since the configuration of the information processing apparatus 10 of this embodiment is the same as in the first embodiment, its description is omitted. Likewise, operations identical to those of the first embodiment are not described again; only operations specific to this embodiment are described.
 A concrete example of the operation is described below: the case where the common generalization policy is decided taking the number of records as the data size.
 Suppose, for example, that device A has a data size (record count) of "100" and device B a data size (record count) of "10", and that "5-anonymity" is to be ensured.
 Device B, if it splits optimally, can divide its data into two groups with a data size (record count) of "5" each. If the boundary is moved, however, so that the record counts of the groups after the split change, device B can no longer satisfy "5-anonymity" for the data in those groups.
 Therefore, the generalization policy linkage determination unit 120 of the information processing apparatus 10 of this embodiment (device A and device B above) does not adopt as the generalization policy a policy merged from both devices' generalization policies. Instead, it adopts as the common generalization policy the generalization policy of the information processing apparatus 10 with the smaller data size (record count), that is, device B.
 The generalization policy linkage determination unit 120 of the information processing apparatus 10 may also change the way it decides the generalization policy as the anonymization process progresses. That is, the information processing apparatus 10 is not limited to the size of the stored data set; it may use the data size after a split.
 For example, the generalization policy linkage determination unit 120 may decide the common generalization policy on the basis of the generalization policies of all information processing apparatuses 10 as long as, in every information processing apparatus 10, the data size (record count) after the split exceeds a predetermined multiple (for example, three times) of the anonymity to be ensured (for example, the "k" of "k-anonymity"). In the opposite case, that is, when the post-split data size (record count) of any information processing apparatus 10 has fallen below that predetermined multiple of the anonymity to be ensured, the generalization policy linkage determination unit 120 may give priority to the generalization policy of the information processing apparatus 10 whose data size (record count) has become small and adopt it as the common generalization policy.
 Alternatively, rather than treating the generalization policy of each information processing apparatus 10 equally, the generalization policy linkage determination unit 120 may weight them according to data size.
 For example, when deciding the shared generalization policy, the information processing apparatus 10 may assign each information processing apparatus 10 a weight based on its data size (for example, a weight inversely proportional to the data size).
 More concretely, the information processing apparatus 10 may multiply each boundary value by a weight inversely proportional to the data size, as in formula (1) below, to decide the boundary value (the split point) of the generalization policy.
 [Equation 1]
 Boundary value = {(1/size1) × edge1 + (1/size2) × edge2}
     / {(1/size1) + (1/size2)} ・・・ (1)
 Here, "size1" is the data size of one device A (for example, the information processing apparatus 10) and "size2" the data size of the other device B (for example, the information processing apparatus 30). "edge1" is the boundary value of device A and "edge2" the boundary value of device B. When there are more than two information processing apparatuses 10, the information processing apparatus 10 uses a formula in which the number of "size" and "edge" terms in formula (1) is increased accordingly.
 Suppose, for example, that the data size of device A (size1) is "100" and that of device B (size2) is "200"; that is, device A's data size is smaller than device B's. Suppose further that the boundary value of device A (edge1) is "120" and that of device B (edge2) is "126". The boundary value given by formula (1) is then:
 Boundary value = {(1/100) × 120 + (1/200) × 126}
     / {(1/100) + (1/200)}
    = 122
 The boundary value obtained with formula (1) lies close to that of device A, whose data size is smaller. That is, the boundary of device A, for which anonymity is harder to ensure, is given priority, and as a result more splits remain possible in device A, whose data size is small. In other words, the generalization policy of device A takes precedence.
 When the anonymity to be ensured is taken into account, the information processing apparatus 10 may operate, for example, as follows.
 For example, when ensuring "k-anonymity", the information processing apparatus 10 may give priority to the generalization policy of the information processing apparatus 10 with the larger value of "k".
 The information processing apparatus 10 may also cooperate using the difficulty level of anonymity directly. For example, when ensuring "k-anonymity", it may use the value of "k" as a weight.
 For example, the information processing apparatus 10 may use formula (2) below.
 [Equation 2]
 Boundary value = (k1 × edge1 + k2 × edge2) / (k1 + k2) ・・・ (2)
 Here, "k1" is the value "k" of the "k-anonymity" of one device A and "k2" the value "k" of the "k-anonymity" of the other device B. "edge1" and "edge2" are as in formula (1). When there are more than two information processing apparatuses 10, the information processing apparatus 10 uses a formula in which the number of "edge" and "k" terms in formula (2) is increased accordingly.
 Suppose, for example, that "k1" of device A is "10" and "k2" of device B is "2"; that is, device A requires higher anonymity than device B. The boundary values are as above. The boundary value given by formula (2) is then:
 Boundary value = (10 × 120 + 2 × 126) / (10 + 2) = 121
 The boundary value obtained with formula (2) lies close to that of device A, which has the higher anonymity requirement (the larger "k"). That is, the boundary of device A, for which anonymity is harder to ensure, is given priority, and as a result more splits remain possible in device A, which is harder to anonymize.
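The following is an added worked example, not code from the patent or from NEC: it implements formula (1) (weights of 1/size), formula (2) (weights of k) and the difficulty-aware switch described above, generalized to any number of devices, and checks whether a split boundary leaves at least k records on each side. The names (Device, agree_boundary, the 3× margin) and the record values are assumptions constructed for the example.

```python
"""Worked example of the weighted-boundary rules of the second embodiment.

Added illustration; not the patent's own code. Names and sample values are
constructed assumptions, the figures in the demo are the ones in the text.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass
class Device:
    """One anonymizing party: its quasi-identifier values, the boundary
    (edge) it would pick on its own, and the k it must guarantee."""
    name: str
    values: List[int]   # constructed QID values held by this device
    edge: float         # boundary value this device prefers
    k: int              # k of the k-anonymity it must ensure

    @property
    def size(self) -> int:
        """Data size in the sense of the text: the number of records."""
        return len(self.values)


def boundary_inverse_size(sizes: Sequence[int], edges: Sequence[float]) -> float:
    """Formula (1): each edge weighted by 1/size, so the smaller (harder to
    anonymize) data set pulls the common boundary towards its own edge.
    Works for any number of devices, as the text permits."""
    numerator = sum(e / s for s, e in zip(sizes, edges))
    denominator = sum(1 / s for s in sizes)
    return numerator / denominator


def boundary_k_weighted(ks: Sequence[int], edges: Sequence[float]) -> float:
    """Formula (2): each edge weighted by its k, so the device that must
    guarantee the stronger anonymity pulls the boundary towards its edge."""
    return sum(k * e for k, e in zip(ks, edges)) / sum(ks)


def split_sizes(values: Sequence[int], boundary: float) -> Tuple[int, int]:
    """Record counts of the two groups produced by splitting at boundary
    (values below the boundary vs. values at or above it)."""
    low = sum(1 for v in values if v < boundary)
    return low, len(values) - low


def split_keeps_k(values: Sequence[int], boundary: float, k: int) -> bool:
    """True when both groups after the split still hold at least k records,
    i.e. the split does not break k-anonymity for this device."""
    return all(n >= k for n in split_sizes(values, boundary))


def agree_boundary(devices: Sequence[Device], margin: int = 3) -> float:
    """Difficulty-aware agreement as described in the text: while every
    device still holds more than margin*k records, combine all policies
    with formula (1); once any device is within margin*k of its k, adopt
    the edge of the device with the fewest records outright."""
    tight = [d for d in devices if d.size <= margin * d.k]
    if tight:
        return min(tight, key=lambda d: d.size).edge
    return boundary_inverse_size([d.size for d in devices],
                                 [d.edge for d in devices])


if __name__ == "__main__":
    # Figures from the text: sizes 100/200, edges 120/126 -> 122
    print(boundary_inverse_size([100, 200], [120, 126]))
    # k values 10/2 with the same edges -> 121
    print(boundary_k_weighted([10, 2], [120, 126]))
    # Device B of the text: 10 records, 5-anonymity (constructed values)
    b_values = list(range(100, 110))
    print(split_keeps_k(b_values, 105, 5))   # median split: 5 + 5, True
    print(split_keeps_k(b_values, 103, 5))   # moved boundary: 3 + 7, False
    # B is within 3*k of k, so its own edge wins over A's
    a = Device("A", list(range(100)), 120, 5)
    b = Device("B", b_values, 105, 5)
    print(agree_boundary([a, b]))            # 105
```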
 The information processing apparatus 10 may also combine the methods above.
 Further, the information processing apparatus 10 may use the difficulty level of ensuring anonymity also when selecting the common QID described in the modification of the first embodiment.
 The effects of the information processing apparatus 10 of the second embodiment are described next.
 In addition to the effects of the first embodiment, the information processing apparatus 10 of this embodiment can set an appropriate generalization policy even when the difficulty level of ensuring anonymity differs between the information processing apparatuses 10.
 The reason is as follows.
 The information processing apparatus 10 changes the method of deciding which generalization policy to prioritize according to the difficulty level of ensuring anonymity.
 Specifically, for example, the information processing apparatus 10 decides the prioritized generalization policy on the basis of the data size of the data to be anonymized (the stored data size or the post-split data size) or of the anonymity to be ensured.
 In particular, the information processing apparatus 10 selects, or gives priority to, the generalization policy of the information processing apparatus 10 with the smaller data size or the higher anonymity requirement. As a result, the information processing apparatus 10 of this embodiment makes it easier for the information processing apparatus 10 that is hardest to anonymize to ensure its anonymization.
 Although the present invention has been described above with reference to embodiments, it is not limited to them. Various changes understandable to those skilled in the art may be made to its configuration and details within the scope of the present invention.
 This application claims priority based on Japanese Patent Application No. 2013-103192 filed on May 15, 2013, the entire disclosure of which is incorporated herein.
 Some or all of the above embodiments may also be described as in the following supplementary notes, but are not limited to them.
 (Supplementary note 1)
 An information processing apparatus comprising:
 generalization policy linkage determination means for deciding, in cooperation with another device, a common generalization policy, that is, a generalization policy for anonymizing data that is used in common with the other device; and
 anonymization means for anonymizing data on the basis of the common generalization policy.
 (Supplementary note 2)
 The information processing apparatus according to supplementary note 1, wherein the generalization policy linkage determination means decides, as the common generalization policy, the generalization policy of at least some of the attributes of the data to be anonymized.
 (Supplementary note 3)
 The information processing apparatus according to supplementary note 2, wherein the anonymization means anonymizes data on the basis of, in addition to the common generalization policy, at least part of the generalization policy of those attributes that are not included in the common generalization policy.
 (Supplementary note 4)
 The information processing apparatus according to supplementary note 2 or 3, wherein the generalization policy linkage determination means decides, together with the other device, the attributes used for the common generalization policy.
 (Supplementary note 5)
 The information processing apparatus according to any one of supplementary notes 1 to 4, wherein the common generalization policy is a generalization policy for quasi-identifiers and includes the generalization width and/or boundaries of the quasi-identifiers.
 (Supplementary note 6)
 The information processing apparatus according to any one of supplementary notes 1 to 5, wherein the generalization policy linkage determination means decides the common generalization policy on the basis of a difficulty level, that is, an index of how difficult it is to ensure the anonymization of the data in the apparatus itself and in the other device when anonymizing data.
 (Supplementary note 7)
 The information processing apparatus according to supplementary note 6, wherein the difficulty level is calculated on the basis of the data size of the data to be anonymized or the anonymity to be ensured.
 (Supplementary note 8)
 The information processing apparatus according to any one of supplementary notes 1 to 7, wherein the generalization policy linkage determination means comprises:
 anonymity parameter storage means for holding anonymity parameters, that is, information for judging whether the generalization policy used by the anonymization means is the common generalization policy;
 common parameter setting means for deciding the common generalization policy in cooperation with the other device; and
 communication means for mediating communication between the common parameter setting means and the other device.
 (Supplementary note 9)
 The information processing apparatus according to any one of supplementary notes 1 to 8, comprising:
 pre-anonymization data storage means for storing the pre-anonymization data that the anonymization means anonymizes;
 anonymized data storage means for storing the anonymized data produced by the anonymization means; and
 transmission means for transmitting the anonymized data to a user device.
 (Supplementary note 10)
 The information processing apparatus according to any one of supplementary notes 1 to 9, wherein the generalization policy linkage determination means determines in advance which device, or which attributes of which generalization policy, take priority when a plurality of devices cooperate in deciding the common generalization policy.
 (Supplementary note 11)
 An information anonymization method comprising:
 deciding, in cooperation with another device, a common generalization policy, that is, a generalization policy for anonymizing data that is used in common with the other device; and
 anonymizing data on the basis of the common generalization policy.
 (Supplementary note 12)
 A computer-readable recording medium storing a program that causes a computer device to execute:
 a process of deciding, in cooperation with another device, a common generalization policy, that is, a generalization policy for anonymizing data that is used in common with the other device; and
 a process of anonymizing data on the basis of the common generalization policy.
DESCRIPTION OF SYMBOLS
 10 Information processing apparatus
 20 User device
 30 Information processing apparatus
 40 Information processing system
 60 Information processing apparatus
 110 Anonymization unit
 120 Generalization policy linkage determination unit
 130 Anonymity parameter storage unit
 140 Common parameter setting unit
 150 Communication unit
 160 Pre-anonymization data storage unit
 170 Anonymized data storage unit
 180 Transmission unit
 610 CPU
 620 ROM
 630 RAM
 640 Internal storage device
 650 IOC
 660 Input device
 670 Display device
 680 NIC
 700 Storage medium

Claims (12)

  1.  An information processing apparatus comprising:
     generalization policy linkage determination means for deciding, in cooperation with another device, a common generalization policy, that is, a generalization policy for anonymizing data that is used in common with the other device; and
     anonymization means for anonymizing data on the basis of the common generalization policy.
  2.  The information processing apparatus according to claim 1, wherein the generalization policy linkage determination means decides, as the common generalization policy, the generalization policy of at least some of the attributes of the data to be anonymized.
  3.  The information processing apparatus according to claim 2, wherein the anonymization means anonymizes data on the basis of, in addition to the common generalization policy, at least part of the generalization policy of those attributes that are not included in the common generalization policy.
  4.  The information processing apparatus according to claim 2 or claim 3, wherein the generalization policy linkage determination means decides, together with the other device, the attributes used for the common generalization policy.
  5.  The information processing apparatus according to any one of claims 1 to 4, wherein the common generalization policy is a generalization policy for quasi-identifiers and includes the generalization width and/or boundaries of the quasi-identifiers.
  6.  The information processing apparatus according to any one of claims 1 to 5, wherein the generalization policy linkage determination means decides the common generalization policy on the basis of a difficulty level, that is, an index of how difficult it is to ensure the anonymization of the data in the apparatus itself and in the other device when anonymizing data.
  7.  The information processing apparatus according to claim 6, wherein the difficulty level is calculated on the basis of the data size of the data to be anonymized or the anonymity to be ensured.
  8.  The information processing apparatus according to any one of claims 1 to 7, wherein the generalization policy linkage determination means comprises:
     anonymity parameter storage means for holding anonymity parameters, that is, information for judging whether the generalization policy used by the anonymization means is the common generalization policy;
     common parameter setting means for deciding the common generalization policy in cooperation with the other device; and
     communication means for mediating communication between the common parameter setting means and the other device.
  9.  The information processing apparatus according to any one of claims 1 to 8, comprising:
     pre-anonymization data storage means for storing the pre-anonymization data that the anonymization means anonymizes;
     anonymized data storage means for storing the anonymized data produced by the anonymization means; and
     transmission means for transmitting the anonymized data to a user device.
  10.  The information processing apparatus according to any one of claims 1 to 9, wherein the generalization policy linkage determination means determines in advance which device, or which attributes of which generalization policy, take priority when a plurality of devices cooperate in deciding the common generalization policy.
  11.  An information anonymization method comprising:
     deciding, in cooperation with another device, a common generalization policy, that is, a generalization policy for anonymizing data that is used in common with the other device; and
     anonymizing data on the basis of the common generalization policy.
  12.  A computer-readable recording medium storing a program that causes a computer device to execute:
     a process of deciding, in cooperation with another device, a common generalization policy, that is, a generalization policy for anonymizing data that is used in common with the other device; and
     a process of anonymizing data on the basis of the common generalization policy.
PCT/JP2014/002480 2013-05-15 2014-05-12 Information processing device, information anonymization method, and recording medium WO2014185043A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2015516909A JPWO2014185043A1 (en) 2013-05-15 2014-05-12 Information processing apparatus, information anonymization method, and program

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2013-103192 2013-05-15
JP2013103192 2013-05-15

Publications (1)

Publication Number Publication Date
WO2014185043A1 true WO2014185043A1 (en) 2014-11-20

Lakhan et al. Hybrid workload enabled and secure healthcare monitoring sensing framework in distributed fog-cloud network
CN115422273A (en) Data lake metadata processing method and device, electronic equipment, medium and product
WO2014185043A1 (en) Information processing device, information anonymization method, and recording medium
Shekhar et al. MTLBP: a novel framework to assess multi-tenant load balance in cloud computing for cost-effective resource allocation
JP2017027137A (en) Information processing device, information processing method, and program
Colajanni et al. On the provision of services with UAVs in disaster scenarios: a two-stage stochastic approach
JPWO2014061275A1 (en) Information processing apparatus and information processing method
di Vimercati et al. Security-aware data allocation in multicloud scenarios
Cardinaels et al. Job assignment in large-scale service systems with affinity relations
US8898192B2 (en) Managing database inquiries
US10102216B2 (en) System for associating related digital assets
Li et al. Extended efficiency and soft-fairness multiresource allocation in a cloud computing system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 14798433; Country of ref document: EP; Kind code of ref document: A1
ENP Entry into the national phase
    Ref document number: 2015516909; Country of ref document: JP; Kind code of ref document: A
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 14798433; Country of ref document: EP; Kind code of ref document: A1