WO2019098136A1 - System and method for evaluating anonymized data, and anonymity level determination server - Google Patents

System and method for evaluating anonymized data, and anonymity level determination server

Info

Publication number
WO2019098136A1
Authority
WO
WIPO (PCT)
Prior art keywords
anonymity
level
data
evaluation
identification
Prior art date
Application number
PCT/JP2018/041687
Other languages
English (en)
Japanese (ja)
Inventor
安細 康介
尚宜 佐藤
Original Assignee
株式会社日立製作所
Priority date
Filing date
Publication date
Application filed by 株式会社日立製作所
Publication of WO2019098136A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F40/00 Handling natural language data
    • G06F40/10 Text processing
    • G06F40/12 Use of codes for handling textual entities

Definitions

  • The present invention relates to an anonymized data evaluation system and method for evaluating the anonymity (anonymity level) of data obtained by anonymizing original data (personal information and the like), and to an anonymity level determination server.
  • Various service providers that offer effective services for each business sector and type of business are on the rise: for example, providers that supply product information such as popular menus to the food and beverage industry, wholesale and retail providers that supply food products to those service providers, and settlement companies for food products.
  • Such service providers use personal information and personal data (personal data here means data not covered by the conventional Personal Information Protection Act but still carrying a notion of privacy), for example information uniquely assigned to an individual, such as a name, user ID, membership number, license number, address, telephone number or e-mail address, or other information by which an individual can be uniquely identified.
  • Anonymizing personal information is one means of reducing the risk of using such information and enabling its safe secondary use.
  • With the enactment of the revised Personal Information Protection Act, it has become legally possible to provide to third parties and use "anonymously processed information", that is, personal information that has been processed by appropriate anonymization so that it no longer contains information identifying a specific individual and the individual cannot be re-identified. For example, by abstracting the values of quasi-identifiers, such as converting "age" to "age group" and "full address" to "region", the data is processed so that no combination of quasi-identifiers (such as age group and region) narrows down to fewer than k people, thereby achieving "k-anonymity".
  • Patent Document 1 (JP-A-2010-86179) is a conventional technique for determining whether anonymization is possible.
  • In that technique, anonymization categories are grouped for each item, the anonymization process is executed while calculating the minimum number of data records after grouping for each item, and the result of the anonymization process is checked for the existence of an item that falls below a predetermined threshold.
  • In view of this, the present invention aims to provide a technique capable of correctly evaluating and presenting the safety and usefulness of anonymized information (anonymized data) obtained by anonymizing personal information (original data).
  • To this end, the present invention provides an anonymized data evaluation system that evaluates anonymized data by combining an identification anonymity level, calculated by one or more identification anonymity evaluation servers from a comparison of the personal information (original data) with the anonymized information (anonymized data), with a non-identification anonymity level, calculated by one or more non-identification anonymity evaluation servers from the anonymized information (anonymized data) alone. This makes it possible to calculate the overall anonymity level of the anonymized data.
  • An anonymized data evaluation system for evaluating the anonymity of data in which personal information has been anonymized comprises:
  • an anonymized data user terminal for evaluating anonymity;
  • one or more identification anonymity evaluation servers for evaluating anonymity;
  • one or more non-identification anonymity evaluation servers for evaluating anonymity. The anonymized data user terminal has a communication device that transmits personal information and data obtained by anonymizing that personal information to the anonymity level determination server. The one or more identification anonymity evaluation servers have a communication device that receives the personal information and anonymized data transmitted from the anonymized data user terminal via the anonymity level determination server and transmits the identification anonymity level of the anonymized data to the anonymity level determination server, and an identification anonymity level individual determination unit that determines the identification anonymity level of the anonymized data from the personal information and the anonymized data. The one or more non-identification anonymity evaluation servers receive the anonymized data transmitted from the anonymized data user terminal via the anonymity level determination server
  • "Personal information" is information about a living individual that can identify a specific individual by the name, date of birth or other description it contains (this is the "original data"). It includes information that can easily be matched with other information and thereby identify a specific individual.
  • "Personal information (original data)" consists of identification information (identifiers), quasi-identifiers, and other information.
  • Identification information (an identifier) is information that can identify an individual by itself, for example a name or an ID.
  • A quasi-identifier is information that, excluding identification information, can identify an individual when several pieces are combined, for example a telephone number, an age or an address.
  • Other information is information that is unlikely to identify an individual and is basically not a target of anonymization processing.
  • Personal data is a general term for information that can be linked to an individual, regardless of whether it counts as personal information on its own.
  • Anonymized information is information in which identification of the individual has been made difficult by applying processing such as pseudonymization or deletion to the identification information (identifiers) of the personal information (original data), and processing such as deletion or fuzzification to the quasi-identifiers or other designated information.
  • Pseudonymization of personal information replaces the individual with a code, a number or the like so that the individual cannot be identified.
  • Deletion of personal information anonymizes by removing the information that identifies or specifies an individual.
  • Fuzzification of personal information reduces the amount of information or adds noise to the personal information (original data) so that the individual cannot be identified.
  • K-anonymization configures a plurality of record sets sharing a combination of attribute information so as to satisfy k-anonymity by generalizing or suppressing attribute information. That is, a state in which there are k or more persons with the same attribute combination is said to satisfy "k-anonymity", and processing data into such a state is called "k-anonymization".
  • K-anonymity (personal identification) is one of the representative anonymization indicators. It relates to the personal identification risk of each record and evaluates whether at least k records having the same combination of quasi-identifiers exist in the anonymized data.
  • L-diversity (attribute estimation) is an indicator of whether there are l or more distinct values of a given attribute, and the data is processed so that the attribute satisfies l-diversity.
  • "Hierarchical information" is a hierarchical definition of which value each value of the anonymized information (anonymized data) is replaced with when it is generalized; how many levels of generalization are possible depends on the number of layers.
  • The "anonymization index (anonymity index)" is an index for evaluating the safety and usefulness of anonymized information (anonymized data). There is, qualitatively, a trade-off between the evaluation index for safety and the one for usefulness: if safety is high, usefulness decreases, and if usefulness is maintained, risk remains and safety decreases.
  • "Information loss" is one of the anonymization indicators. It relates to the usefulness of the data as a whole (a usefulness indicator) and evaluates how much information the records after anonymization (anonymized data) have lost relative to the records before anonymization (original data).
  • Information loss can be obtained from the difference between the data before anonymization (original data) and after anonymization (anonymized data).
  • Identification anonymity and non-identification anonymity differ in whether the anonymized data can be identified.
  • If the anonymized data can be identified as the data from "Mr. A", it is identification anonymization; if it cannot be identified whose data it is, it is non-identification anonymization.
  • FIG. 1 is a diagram illustrating a configuration example of the anonymity evaluation system of the present invention.
  • The anonymity evaluation system includes one or more anonymized data user terminals 1 (1-A, 1-B) used by anonymized data users, one or more anonymity level determination servers 2 (2-A), one or more identification anonymity evaluation servers 3 (3-1, 3-2), and one or more non-identification anonymity evaluation servers 4 (4-A, 4-B).
  • In the figure, two anonymized data user terminals 1, two identification anonymity evaluation servers 3 and two non-identification anonymity evaluation servers 4 are shown as an example, together with one anonymity level determination server 2.
  • The anonymized data user terminal 1 and the anonymity level determination server 2 are connected via the network 51 so that they can mutually transmit and receive various information (data).
  • The anonymity level determination server 2, the one or more identification anonymity evaluation servers 3 and the one or more non-identification anonymity evaluation servers 4 are connected via the network 52 so that they can mutually transmit and receive various information (data).
  • A user of anonymized data who operates the anonymized data user terminal 1 is called an "anonymously processed information handling business operator".
  • The anonymized data user terminal 1 transmits to the anonymity level determination server 2 anonymized information (hereinafter referred to as anonymized data) that has been anonymized either by the anonymized data user terminal 1 itself or by another server.
  • To realize the above functions, the anonymized data user terminal 1 includes, for example, a computer 11, which includes an arithmetic device 111, a storage device 112, an input/output device 113, a communication device 114, a reading device 115 and the like.
  • The arithmetic device 111 includes an anonymization processing unit 1111 and a control unit 1112.
  • The anonymization processing unit 1111 anonymizes the personal information (original data) stored in the personal information storage unit 1121 of the storage device 112 according to a desired anonymization method. For example, it has the functions of general anonymization processing, such as generating anonymized data by anonymizing the identification information, quasi-identification information and the like with a predetermined k value (k-anonymization) and storing the anonymized data in the anonymized data storage unit 1122.
  • The control unit 1112 controls the overall processing of each device and unit of the anonymized data user terminal 1. For example, it reads personal information (original data) from the personal information storage unit 1121, inputs it to the anonymization processing unit 1111, has the anonymization processing unit 1111 perform the anonymization described above to create anonymized data, stores that data in the anonymized data storage unit 1122 of the storage device 112, and transmits the personal information (original data) and the generated anonymized data to the anonymity level determination server 2 through the communication device 114 via the network 51.
  • The communication device 114 has a communication unit that transmits and receives various information, for example personal information, anonymized data and anonymity levels, to and from the anonymity level determination server 2 via the network 51.
  • The input/output device 113 has an input/output unit that receives input from the user, for example an anonymity level determination application (anonymity level determination request), and displays information such as the determination result to the user.
  • The reading device 115 has a reader that reads information from a portable storage medium.
  • The storage device 112 includes a personal information storage unit 1121 and an anonymized data storage unit 1122.
  • The personal information storage unit 1121 stores personal information (original data including identifiers, quasi-identifiers and other information) as the original data of the anonymized data, and the anonymized data storage unit 1122 stores the anonymized data obtained by anonymizing that personal information (original data).
  • The anonymity level determination server 2 receives information such as personal information (original data) and anonymized data transmitted from the anonymized data user terminal 1 and stores it in its storage device.
  • It has a function of transmitting information including the personal information (original data) and the anonymized data to the identification anonymity evaluation server 3, and the anonymized
  • It has a function of comprehensively determining the anonymity level based on the results determined by the identification anonymity evaluation server 3 and the non-identification anonymity evaluation server 4 (the identification anonymity level result and the non-identification anonymity result) and outputting the anonymity level comprehensive determination result, and a function of transmitting the comprehensively determined anonymity level comprehensive determination result to the anonymized data
  • For an anonymity level determination application (anonymity level determination request), the anonymity level determination server 2 further has the following functions:
  • a function of determining to which of the identification anonymity evaluation servers 3 and the non-identification anonymity evaluation servers 4 information such as the personal information (original data) and the anonymized data is to be transmitted;
  • a function of distributing and transmitting information such as the personal information (original data) and the anonymized information (anonymized data) to the one or more identification anonymity evaluation servers 3 and one or more non-identification anonymity evaluation servers 4 determined as destinations; and a function of calculating the amount of information loss (information entropy value or the like), an index indicating usefulness, from the difference between the personal information (original data) received from the anonymized data user terminal 1 and the anonymized data, and determining the information value level.
  • The anonymity level determination server 2 includes, for example, a computer 21 that realizes the above functions, and the computer 21 includes an arithmetic device 211, a storage device 212 and a communication device 214.
  • The arithmetic device 211 includes an anonymity level comprehensive determination unit 2111, a control unit 2112, an information value level determination unit 2113 and a distribution processing unit 2114.
  • When an anonymity level determination application (anonymity evaluation application) including the anonymity level determination application information is received from the anonymized data user terminal 1, the distribution processing unit 2114 determines the distribution destinations based on the information included in that application.
  • The anonymity level comprehensive determination unit 2111 receives the identification anonymity evaluation result and the non-identification anonymity evaluation result produced by the identification anonymity evaluation server 3 and the non-identification anonymity evaluation server 4, and has functions related to anonymity level determination processing in general, such as comprehensively determining the anonymity level of the anonymized data according to these individual determination results and generating the determination result.
  • For this, the anonymity level determination index stored in advance in the anonymity level determination index storage unit 2123 of the storage device 212 is referred to.
  • The information value level determination unit 2113 calculates the amount of information loss (information entropy value or the like), an index indicating usefulness, from the difference between the personal information (original data) received from the anonymized data user terminal 1 and the anonymized data, and determines the information value level.
  • The control unit 2112 controls the overall processing of each unit of the anonymity level determination server 2. For example, it reads personal information (original data) from the personal information storage unit 2121 of the storage device 212 and anonymized data from the anonymized data storage unit 2122, transmits each via the network 52 to the one or more identification anonymity evaluation servers 3 and one or more non-identification anonymity evaluation servers 4 that the distribution processing unit 2114 has determined as destinations for anonymity level individual determination, and issues an identification anonymity evaluation request and a non-identification anonymity evaluation request, that is, requests individual anonymity level determination for the anonymized data.
  • The communication device 214 has a communication unit that transmits and receives various information, such as personal information, anonymized data and anonymity levels, with the anonymized data user terminal 1 via the network 51 and with the identification anonymity evaluation server 3 and the non-identification anonymity evaluation server 4 via the network 52.
  • The personal information storage unit 2121 of the storage device 212 stores the personal information (original data) received from the anonymized data user terminal 1, and the anonymized data storage unit 2122 stores the anonymized data received from the anonymized data user terminal 1.
  • The anonymity level determination index storage unit 2123 stores the anonymity level determination index used for the calculation, that is, information on the anonymization index. For example, it holds the following anonymity level determination indexes.
  • The identification anonymity evaluation server 3 has a function of calculating an anonymity evaluation index (an anonymity level determination index indicating the safety of the anonymized data) that serves as a criterion for the safety of the anonymized data: for example, a function of calculating, from the personal information (original data) and the anonymized data received from the anonymity level determination server 2, an identification anonymity level individual determination result, which is an evaluation index indicating the safety of the anonymized data; and a function of calculating the amount of information loss (information entropy value or the like) indicating usefulness from the difference between the personal information (original data) and the anonymized data received from the anonymity level determination server 2, and determining the information value level.
  • The identification anonymity evaluation server 3 includes, for example, a computer 31 that realizes the above functions, and the computer 31 includes an arithmetic device 311, a storage device 312 and a communication device 314.
  • The arithmetic device 311 includes an identification anonymity level individual determination unit 3111, a control unit 3112 and an information value level determination unit 3113.
  • The identification anonymity level individual determination unit 3111 has functions related to anonymity level determination processing in general, such as calculating an identification anonymity level individual determination result from the personal information (original data) and the anonymized data received from the anonymity level determination server 2.
  • For this, the anonymity level determination index stored in advance in the anonymity level determination index storage unit 3123 of the storage device 312 is referred to.
  • The communication device 314 handles the transmission and reception of various information (personal information, anonymized data, anonymity levels and the like) to and from the anonymity level determination server 2 via the network 52.
  • The control unit 3112 controls the overall processing of each device and unit of the identification anonymity evaluation server 3. For example, it reads personal information (original data) from the personal information storage unit 3121 and anonymized data from the anonymized data storage unit 3122, and generates the identification anonymity level determination result based on the anonymity level determination index (anonymization index) for calculating the individual determination result, read from the anonymity level determination index storage unit 3123.
  • The personal information storage unit 3121 of the storage device 312 stores the personal information (original data) received from the anonymity level determination server 2, and the anonymized data storage unit 3122 stores the anonymized data received from the anonymity level determination server 2.
  • The anonymity level determination index storage unit 3123 stores information on the anonymity level determination index (anonymization index) for calculating the anonymity level individual determination result from the personal information and the anonymized data received from the anonymity level determination server 2.
  • The non-identification anonymity evaluation server 4 has a function of calculating an anonymity evaluation index (an anonymity level determination index indicating the safety of the anonymized data) that serves as a criterion for the safety of the anonymized data: for example, a function of calculating, from the anonymized data alone received from the anonymity level determination server 2, a non-identification anonymity level individual determination result, which is an evaluation index indicating the safety of the anonymized data.
  • The non-identification anonymity evaluation server 4 includes, for example, a computer 41 that realizes the above functions, and the computer 41 includes an arithmetic device 411, a storage device 412 and a communication device 414.
  • The arithmetic device 411 includes a non-identification anonymity level individual determination unit 4111 and a control unit 4112.
  • The non-identification anonymity level individual determination unit 4111 has functions related to anonymity level determination processing in general, such as calculating a non-identification anonymity level individual determination result from the anonymized data received from the anonymity level determination server 2.
  • For this, the anonymity level determination index stored in advance in the anonymity level determination index storage unit 4123 of the storage device 412 is referred to.
  • The control unit 4112 controls the overall processing of each device and unit of the non-identification anonymity evaluation server 4. For example, it reads anonymized data from the anonymized data storage unit 4122 and generates the non-identification anonymity level determination result based on the anonymity level determination index for calculating the individual determination result, read from the anonymity level determination index storage unit 4123.
  • The communication device 414 handles the transmission and reception of information such as anonymized data and anonymity levels to and from the anonymity level determination server 2 via the network 52.
  • The anonymized data received from the anonymity level determination server 2 is stored in the anonymized data storage unit 4122 of the storage device 412.
  • The anonymity level determination index storage unit 4123 stores information on the anonymity level determination index (anonymization index) for calculating a non-identification anonymity level individual determination result from the anonymized data received from the anonymity level determination server 2.
  • The anonymized data user terminal 1, the anonymity level determination server 2, the identification anonymity evaluation server 3 and the non-identification anonymity evaluation server 4 each comprise a CPU, a memory, an external storage device such as a hard disk, a communication device for communicating with other devices via a network, an input device such as a keyboard or mouse, an output device such as a display device or printer, a reading device for reading information from a portable storage medium, and the like.
  • The processing of the above terminal and servers is realized by the CPU reading and executing stored programs. Each function may also be realized not by a CPU but as a module, that is, as individual hardware.
  • FIG. 2 is a sequence diagram explaining the transmission and reception of each piece of information (data) between the anonymity level determination server 2 and the anonymized data user terminal 1, and the anonymity level determination application, in the anonymity evaluation system of the present invention.
  • Step S11: First, the anonymized data user terminal 1 generates anonymized data in the anonymization processing unit 1111 based on the personal information (original data) stored in the personal information storage unit 1121, and stores the anonymized data in the anonymized data storage unit 1122.
  • The anonymized data may also be generated by entrusting the task to another server instead of the anonymized data user terminal 1 generating it itself.
  • Step S12: The anonymized data user terminal 1 transmits, by the communication device 114, the personal information (original data) stored in the personal information storage unit 1121 together with the anonymized data stored in the anonymized data storage unit 1122.
  • At the same time, an anonymity level determination application specifying the application field, the purpose of use and the like is sent to the anonymity level determination server 2.
  • In the personal information (original data) to be transmitted, the information that can identify an individual may be masked, within a range that does not affect the evaluation of anonymity, or randomly encoded (tokenized).
  • Step S21: Next, the anonymity level determination server 2 determines, in the distribution processing unit 2114, the distribution destinations of the anonymity level individual determination request.
  • The distribution destinations are determined based on the application field, purpose of use and the like of the anonymized data included in the anonymity level determination application received from the anonymized data user terminal 1, and on the organizational reliability of each of the one or more identification anonymity evaluation servers 3 and one or more non-identification anonymity evaluation servers 4, which is stored in the anonymity level determination index storage unit 2123.
  • Step S22: Subsequently, according to the distribution destinations determined in step S21, the anonymity level determination server 2 requests anonymity level individual determination from the one or more identification anonymity evaluation servers 3 and the one or more non-identification anonymity evaluation servers 4 that are the destinations. It then receives the anonymity level individual determination results transmitted from each identification anonymity evaluation server 3 and non-identification anonymity evaluation server 4 in response to the request.
  • Step S23: The anonymity level determination server 2 has the anonymity level comprehensive determination unit 2111 take the anonymity level individual determination results received from each identification anonymity evaluation server 3 and non-identification anonymity evaluation server 4 and output the comprehensive determination result of the anonymity level, based on the anonymity level determination index stored in the anonymity level determination index storage unit 2123.
  • Step S24: The anonymity level determination server 2 transmits the comprehensive determination result of the anonymity level to the anonymized data user terminal 1 by the communication device 214.
  • Each industry has set a predetermined anonymization level. Therefore, at this point it is also preferable to evaluate whether the personal information has been anonymized according to that index and to transmit that result to the anonymized data user terminal 1 as well.
  • Step S13: Finally, the anonymized data user terminal 1 receives the comprehensive determination result of the anonymity level. The transmission and reception of information between the anonymized data user terminal 1 and the anonymity level determination server 2 then ends.
  • FIG. 3 is a sequence diagram explaining the process by which the anonymity level determination server 2, in cooperation with the identification anonymity evaluation server 3 and the non-identification anonymity evaluation server 4, determines the comprehensive anonymity level in the anonymity evaluation system of the present invention.
  • Step S25: First, in accordance with the distribution destination determined in step S21 described above, the anonymity level determination server 2 transmits the personal information (original data) stored in the personal information storage unit 2121 of the storage device 212 and the anonymized data stored in the anonymized data storage unit 2122 to the one or more identification anonymity evaluation servers 3 selected as distribution destinations, together with an identification anonymity evaluation request.
  • Step S26: Next, in accordance with the distribution destination determined in step S21, the anonymity level determination server 2 transmits the anonymized data stored in the anonymized data storage unit 2122 of the storage device 212 to the one or more non-identification anonymity evaluation servers 4 selected as distribution destinations, together with a non-identification anonymity evaluation request.
  • Step S31: The identification anonymity evaluation server 3 receives the personal information (original data) and the anonymized data transmitted from the anonymity level determination server 2 and, on the basis of both, calculates an evaluation value such as the distance between quantitative attributes in order to determine the identification anonymity level. This distance is obtained from the absolute value of the difference between the attribute values. Likewise, on the basis of the personal information (original data) and the anonymized data received from the anonymity level determination server 2, an evaluation value such as the distance between qualitative attributes is calculated to determine the identification anonymity level.
  • Step S32: Next, the identification anonymity evaluation server 3 transmits the determined identification anonymity level (the identification anonymity determination result) to the anonymity level determination server 2.
  • The information value level determination unit 3113 of the identification anonymity evaluation server 3 may also calculate, as an index of usefulness, the amount of information loss (such as an information entropy value) from the difference between the received personal information (original data) and the anonymized data, and determine the information value level from it. The information value level result may be transmitted together with the identification anonymity level result. In that case the information value level determination unit 2113 of the anonymity level determination server 2 performs a comprehensive information value determination and outputs its result, and in step S24 the comprehensive information value determination result may be transmitted to the anonymous data user terminal 1 together with the comprehensive anonymity level determination result.
  • Step S41: Further, the non-identification anonymity evaluation server 4 receives the anonymized data transmitted from the anonymity level determination server 2 and, on the basis of the anonymized data alone, calculates an evaluation value such as k-anonymity or l-diversity, that is, an evaluation index (anonymity level determination index) indicating the safety of the anonymized data, and determines the non-identification anonymity level from that index.
  • Step S42: The non-identification anonymity evaluation server 4 transmits the determined non-identification anonymity level to the anonymity level determination server 2.
  • In this way, the safety and usefulness of anonymized data that has undergone anonymization processing can be evaluated, and the value of the index displayed as the evaluation result can be confirmed.
  • An anonymized data evaluation system that evaluates anonymized data by combining the calculated non-identification anonymity levels can thus calculate a comprehensive anonymity level for the anonymized data.
  • The present invention is not limited to the embodiments described above and includes various modifications.
  • The embodiments described above are described in detail in order to explain the present invention in an easy-to-understand manner, and the invention is not necessarily limited to those having all the configurations described.
  • Part of the configuration of one embodiment can be replaced with the configuration of another embodiment, and the configuration of another embodiment can be added to the configuration of one embodiment.
  • Each configuration, function, and the like described above may be realized in software by a processor interpreting and executing a program that realizes each function.
  • Information such as a program, a table, and a file for realizing each function can be placed in a memory, a hard disk, a recording device such as an SSD (Solid State Drive), or a recording medium such as an IC card, an SD card, or a DVD.
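As an added example (not the patent's own implementation), the following shows how the two kinds of evaluation described in steps S31 and S41 and in the information value determination could be computed over a constructed table: k-anonymity and l-diversity from the anonymized data alone (non-identification evaluation), and an absolute-difference attribute distance plus an entropy-based information loss from the original and anonymized records side by side (identification evaluation). The attribute names, sample rows and generalization rule are all constructed for illustration.

```python
from collections import Counter, defaultdict
from math import log2

# Constructed sample table (not data from the patent): each original record and
# its anonymized counterpart, aligned by position. Quasi-identifiers are age and
# zip; the sensitive attribute is diagnosis. Ages were replaced by a class value
# and zip codes truncated, as a toy generalization.
ORIGINAL = [
    {"age": 34, "zip": "10115", "diagnosis": "flu"},
    {"age": 36, "zip": "10117", "diagnosis": "asthma"},
    {"age": 52, "zip": "20095", "diagnosis": "flu"},
    {"age": 58, "zip": "20097", "diagnosis": "flu"},
]
ANONYMIZED = [
    {"age": 35, "zip": "101**", "diagnosis": "flu"},
    {"age": 35, "zip": "101**", "diagnosis": "asthma"},
    {"age": 55, "zip": "200**", "diagnosis": "flu"},
    {"age": 55, "zip": "200**", "diagnosis": "flu"},
]
QUASI_IDENTIFIERS = ("age", "zip")
SENSITIVE = "diagnosis"

def equivalence_classes(rows):
    """Group records that share the same quasi-identifier values."""
    groups = defaultdict(list)
    for r in rows:
        groups[tuple(r[a] for a in QUASI_IDENTIFIERS)].append(r)
    return groups

def k_anonymity(rows):
    """k = size of the smallest equivalence class (non-identification evaluation, S41)."""
    return min(len(g) for g in equivalence_classes(rows).values())

def l_diversity(rows):
    """l = fewest distinct sensitive values within any equivalence class (S41)."""
    return min(len({r[SENSITIVE] for r in g}) for g in equivalence_classes(rows).values())

def attribute_distance(original, anonymized, attr):
    """Mean absolute difference of a quantitative attribute, original vs anonymized (S31)."""
    return sum(abs(o[attr] - a[attr]) for o, a in zip(original, anonymized)) / len(original)

def entropy(values):
    """Shannon entropy in bits of the value distribution of one attribute."""
    n = len(values)
    return -sum(c / n * log2(c / n) for c in Counter(values).values())

def information_loss(original, anonymized, attr):
    """Entropy lost by generalizing an attribute; a usefulness index like unit 3113's."""
    return entropy([r[attr] for r in original]) - entropy([r[attr] for r in anonymized])
```

On the sample table the anonymized data is 2-anonymous but only 1-diverse (the second class holds a single diagnosis), which is exactly the kind of weakness a non-identification server would flag even though the identification-side distance is small.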

Abstract

In order to provide a technique for correctly evaluating and presenting the safety and usefulness of anonymized information (anonymized data) obtained by anonymization processing of personal information (original data), an anonymized data evaluation system evaluates anonymized data by jointly computing an identification anonymity level, calculated by one or more identification anonymity evaluation servers through comparison of the personal information (the original data) and the anonymized information (the anonymized data), and a non-identification anonymity level, calculated by one or more non-identification anonymity evaluation servers from the anonymized information (the anonymized data) alone; a comprehensive anonymity level of the anonymized data is calculated by means of said anonymized data evaluation system.
PCT/JP2018/041687 2017-11-20 2018-11-09 Anonymized data evaluation system and method, and anonymity level determination server WO2019098136A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2017222539A JP6715816B2 (ja) 2017-11-20 2017-11-20 Anonymized data evaluation system and method, and anonymity level determination server
JP2017-222539 2017-11-20

Publications (1)

Publication Number Publication Date
WO2019098136A1 true WO2019098136A1 (fr) 2019-05-23

Family

ID=66539089

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2018/041687 WO2019098136A1 (fr) 2017-11-20 2018-11-09 Anonymized data evaluation system and method, and anonymity level determination server

Country Status (2)

Country Link
JP (1) JP6715816B2 (fr)
WO (1) WO2019098136A1 (fr)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114205108A (zh) * 2020-09-02 2022-03-18 大众汽车股份公司 Providing data of a motor vehicle
CN114930331A (zh) * 2020-01-14 2022-08-19 三菱電機株式会社 Anonymization processing evaluation system, anonymization processing evaluation method, and anonymization processing evaluation program
US12038833B2 (en) 2021-11-23 2024-07-16 The Toronto-Dominion Bank Test and validation of privacy protection quality of anonymization solutions

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021065004A1 (fr) * 2019-10-04 2021-04-08 日本電信電話株式会社 Identification estimation risk evaluation device, identification estimation risk evaluation method, and program

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013121738A1 (fr) * 2012-02-17 2013-08-22 日本電気株式会社 Distributed anonymization device and distributed anonymization method
JP2015153106A (ja) * 2014-02-13 2015-08-24 株式会社東芝 Anonymization index calculation system
JP2016184213A (ja) * 2015-03-25 2016-10-20 株式会社日立ソリューションズ Method for anonymizing numerical data and numerical data anonymization server

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
OGURI HIDENOBU: "Report on the data anonymization and re-identification competition PWSCUP 2016 - Evaluation of safety and usefulness", Preprints USB of the 2017 Symposium on Cryptography and Information Security (SCIS 2017), 27 January 2017 (2017-01-27), pages 1-8 *

Also Published As

Publication number Publication date
JP2019095885A (ja) 2019-06-20
JP6715816B2 (ja) 2020-07-01

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 18879035; Country of ref document: EP; Kind code of ref document: A1
122 Ep: pct application non-entry in european phase
Ref document number: 18879035; Country of ref document: EP; Kind code of ref document: A1