JP2017174403A - Information processing device, information processing method and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To achieve both privacy protection and timing gap elimination.SOLUTION: An information processing device includes estimation means for estimating service availability in each user, classification means for classifying a plurality of users to groups on the basis of the availability and the similarity of context information of the plurality of users, corresponding to the service, and generation means for generating disclosure information to be disclosed to a providing source of the service in each group on the basis of text information of a user included in the group.SELECTED DRAWING: Figure 5

Description

  The present invention relates to an information processing apparatus, an information processing method, and a program.

Conventionally, information and services suitable for a situation are recommended by estimating a user's context. These systems and technologies are variously called Personal Assistant, Context Aware Computing, etc., but here they are called Personal Context Assistant (hereinafter, PCA).
For example, as PCA, news related to hot topics or prefectures is provided based on commuting time or current location. It is also considered to recommend that taxi be dispatched when arrival at the airport is detected based on the location information.
However, even if a service is recommended and a user uses the service, a waiting time may be required depending on the service. For example, in the case of taxi dispatch, if a request for dispatch is made after seeing the notification, it is necessary to wait until the taxi arrives at the airport.
As described above, since there is a gap between the timing when the user needs the service and the timing when the service provider can provide the service, a waiting time occurs.
Therefore, in order to eliminate this timing gap, it is considered that the system will prepare and execute services ahead of time in the future. For example, Patent Document 1 proposes to shorten the time from ordering to delivery by shipping products close to each other before placing an order.
In order for the system to proactively prepare the service, the service provider needs to be able to prepare. As a platform for that, we expect to have a mechanism for sharing contexts with service providers.
At this time, if the context is unconditionally shared, it is conceivable that the service provider having the intention to use the context other than the legitimate purpose accumulates the context. At this time, the user's behavior history remains on the service provider side. Therefore, privacy is not protected. However, if the context is not shared until just before the possibility of using the service increases, the timing gap becomes large.

  Conventionally, there has been an anonymization technique for protecting privacy (for example, Patent Document 2). Patent Document 2 proposes an anonymization method that prevents a decrease in information value while satisfying the required level of all data when each data has a required level of k anonymization. More specifically, in the technique of Patent Document 2, in order to prevent a decrease in information value, similar data is divided into groups, and the group is repeated when the required level is satisfied. In the technique of Patent Document 2, anonymization processing is performed in the minimum group unit that satisfies the required level. In this way, anonymization is performed to prevent a decline in information value while satisfying the required level required by individual data.

Special table 2008-524714 gazette International Publication No. 13/031997

If the user context is provided with higher accuracy, the timing gap can be made smaller. Therefore, when the probability of using the service is high, the user context should be provided with higher accuracy.
Therefore, in order to leave the context of a user with a high use probability with higher accuracy, it is conceivable to use the use probability for the service as the request level for anonymization in Patent Document 2. In other words, it can be considered that the request level of anonymization is lowered as the service use probability is higher.
However, in patent document 2, it anonymizes a user with a low request level of anonymization, and a high user. Therefore, in some cases, a user who desires a low request level for anonymization may cause the request level to be adjusted by a user who has a high request level for anonymization. At this time, there is a problem that the purpose of the user who desires to lower the request level of anonymization and to advance the preparation of the service is not achieved.
An object of the present invention is to achieve both privacy protection and timing gap resolution.

  The present invention provides an estimation means for estimating service availability for each user, and the plurality of users based on the availability and the similarity of context information of the plurality of users corresponding to the service. And a generating unit that generates disclosure information to be disclosed to the service provider for each group based on context information of users included in the group.

  According to the present invention, both privacy protection and timing gap elimination can be achieved.

It is a figure which shows an example of the system configuration | structure of an information processing system. It is a figure which shows an example of the hardware constitutions of a computer. It is a figure which shows an example of a function structure of a PCA server. It is a figure which shows an example of a parameter etc. It is a flowchart which shows an example of a disclosed information generation process. It is a flowchart which shows an example of an anonymization group creation process. It is a flowchart which shows an example of a marginal error group disassembly process. It is a figure for demonstrating the process of FIG. It is a figure which shows an example of context information (the 1). It is a figure (example 2) which shows an example of context information. FIG. 10 is a diagram (part 3) illustrating an example of context information; It is a figure which shows an example of a parameter etc. It is FIG. (4) which shows an example of context information. It is FIG. (5) which shows an example of context information.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

<Embodiment 1>
The system configuration of the information processing system of this embodiment will be described with reference to FIG.
The PCA client 101 is a client, acquires context information, and transmits it to the PCA server 102. The PCA client 101 is, for example, a mobile device such as a smartphone owned by the user. Examples of the context information include position information such as latitude and longitude obtained by GPS (Global Positioning System), angular velocity obtained by a gyro sensor, azimuth obtained by a magnetic sensor, acceleration obtained by an acceleration sensor, and the like. In addition, as context information, for example, vitality such as a user's heartbeat or information such as concentration estimated from shaking, information such as device usage status, nearby devices and objects acquired by proximity communication, etc. It is information about etc.
The PCA server 102 anonymizes the context information obtained from the plurality of PCA clients 101 and provides the context information to the plurality of services 103. The PCA server 102 is, for example, a server device. Alternatively, the PCA server 102 may be, for example, a virtual server constructed in a cloud environment.
The PCA server 102 may process the context information obtained from the PCA client 101 to generate higher order context information. Then, the PCA server 102 may anonymize the higher order context information and provide it to the service 103.
High-order context information generation processing will be described in the description of the context processing unit 302 in FIG.
The service 103 prepares a service according to the user based on the anonymized context information. For example, if there is a taxi service or the like, the user's location information and the like can be obtained by anonymizing, so the taxi route is changed based on the information.

A configuration of a computer constituting the server device and the client device according to the present embodiment will be described with reference to FIG. Each of the server device and the client device may be realized by a single computer, or may be realized by distributing functions to a plurality of computers as necessary. When configured by a plurality of computers, they are connected by a local area network (LAN) or the like so that they can communicate with each other.
The CPU 201 is a central processing unit (CPU) that controls the entire computer 200. The ROM 202 is a Read Only Memory (ROM) that stores programs and parameters that do not need to be changed. The RAM 203 is a Random Access Memory (RAM) that temporarily stores programs and data supplied from an external device or the like. The external storage device 204 is a hard disk or memory card that is fixedly installed in the computer 200. Alternatively, the external storage device 204 may include an optical disk such as a flexible disk (FD) and a Compact Disk (CD) that can be detached from the computer 200, a magnetic or optical card, an IC card, a memory card, and the like. Good. An input device interface 205 is an interface with an input device 209 such as a pointing device or a keyboard that receives data from a user and inputs data. The output device interface 206 is an interface with the monitor 210 for displaying data held by the computer 200 and supplied data. The communication interface 207 is a network interface for connecting to a network line 211 such as the Internet. A system bus 208 is a system bus that connects the units 201 to 207 so that they can communicate with each other.
The PCA client 101 which is a client device of this embodiment includes a sensor and the like. For example, the sensor is a GPS sensor, a gyro sensor, a magnetic sensor, an acceleration sensor, or the like. In addition, the vital sensor for acquiring a heartbeat or the like may take the form of another device, and the PCA client 101 may be configured to acquire data from a communication interface or the like. Further, if the PCA client 101 is in the form of a smartphone or the like, it includes a telephone call unit and an imaging unit.
When the CPU 201 of the server apparatus executes processing based on a program stored in the ROM 202 or the external storage device 204 of the server apparatus, the functions of the server apparatus shown in FIG. 3 described later and the processes of the flowcharts of FIGS. .

In this embodiment, the PCA server 102 anonymizes the context information collected from the PCA client 101 and discloses the information to the service 103. Hereinafter, the functional configuration of a system for generating information to be disclosed in the present embodiment will be described with reference to FIG. In this embodiment, it is assumed that the functions shown in FIG. 3 are implemented in the PCA server 102. However, a part of the functions may be distributed to the PCA client 101 or the like.
The context receiving unit 301 receives context information from the PCA client 101. More specifically, the context receiving unit 301 receives context information such as position information via the communication interface 207.
The context processing unit 302 processes the context information to generate higher-order context information.
For example, when the latitude / longitude is obtained from the PCA client 101, the context processing unit 302 may convert the latitude / longitude into information such as an address.
Further, the context processing unit 302 may generate information related to the relationship with surrounding objects and people. For example, the context processing unit 302 estimates the users who draw the same trajectory together from the trajectories of position information obtained from a plurality of users, and generates companion information. Etc. may be performed. Alternatively, the context processing unit 302 may specify a thing obtained by proximity communication and specify that the thing is carried. For example, the context processing unit 302 may specify a mobile phone such as a smart watch.
Or the context process part 302 may produce | generate the information regarding a physical condition. For example, the context processing unit 302 may estimate a movement state such as whether the user is walking or riding a car from position information, an acceleration sensor, and the like, and may generate information related to the body state. Or the context process part 302 may estimate a fatigue degree etc. from the continuation time etc. of a walk state, and may produce | generate the information regarding a physical state.
Or the context process part 302 may produce | generate the information regarding a psychological state. For example, the context processing unit 302 may generate information related to the psychological state by estimating that the user is in an environment where the user should concentrate, such as the workplace, but the concentration is low, and wants to concentrate. Or preference etc. may be sufficient as a psychological state. For example, the context processing unit 302 generates product information desired by the user from past purchase history and the like. Or the context process part 302 may produce | generate the goods etc. which a user desires based on the "wish list" etc. which were input previously.
In this embodiment, as context information, in addition to information indicating the situation such as when, where, what, and who, information indicating the relationship between the user and the person / thing, the state of mind and body of the user, and the like To do.
The functions of the context processing unit 302 may be realized by being distributed between the PCA client 101 and the PCA server 102.
The user management unit 303 manages user information and user context information. More specifically, the user management unit 303 stores and manages the context information acquired by the context reception unit 301 and the context processing unit 302 in the external storage device 204.
The service management unit 304 manages a service that discloses user information. More specifically, the service management unit 304 stores and manages a list relating to service information in the external storage device 204.

The disclosure information generation unit 305 generates context information disclosed to the service provider. A more specific processing method is as follows. First, the disclosure information generation unit 305 estimates the use probability of the user's service, and divides the user into layers for each use probability. Usage probability is an example of availability. Next, the disclosure information generation unit 305 divides users into groups with information to be anonymized for each layer. The disclosure information generation unit 305 generates context information to be disclosed by performing anonymization processing for each group. Detailed processing contents will be described later with reference to the flowchart of FIG.
The disclosure information generation unit 305 includes a context acquisition unit 306, a usage probability calculation unit 307, a usage probability classification unit 308, an anonymization classification unit 309, and an anonymization information generation unit 310.
The context acquisition unit 306 acquires user context information before anonymization. More specifically, the context acquisition unit 306 searches and acquires user context information from the user management unit 303.
The usage probability calculation unit 307 calculates the usage probability of the service for each user. More specifically, the use probability calculation unit 307 estimates the service use probability for each service managed by the service management unit 304. For example, the use probability calculation unit 307 estimates the probability of requesting a taxi dispatch for a taxi service or the like. More specifically, the use probability calculation unit 307 learns the situation of getting on a taxi from a normal action, and calculates the probability of reaching the situation from the current situation. For example, suppose that a taxi is often called when it is raining outside after shopping in a shopping mall. For example, the use probability calculating unit 307 can specify that there is a user in a shopping mall by using location information and the like, and can calculate the probability of calling a taxi from the precipitation probability of external weather. However, the usage probability calculation method is not limited to these.
The usage probability classification unit 308 divides the usage probability of the user obtained by the usage probability calculation unit 307 for each user having the same level. In this embodiment, this classification is called a layer. For example, the use probability classifying unit 308 uses a section in which use probabilities having the same degree are set in advance for each service. The usage probability classifying unit 308 may use the usage probability section acquired from the service 103.

The anonymization classification unit 309 classifies users into groups based on the similarity of context information to be anonymized for each layer obtained by the use probability classification unit 308. At this time, the anonymization classification unit 309 uses a predetermined value for each layer as the size of the group. Or the anonymization classification | category part 309 determines the size of a group based on a use probability. A detailed group size determination method will be described after the flowcharts 5 to 7 are described.
As the similarity of the context information, if the context information is a numerical value such as “age”, the reciprocal of the difference between the numerical values can be made similar. If the context information is a vector such as “position information”, the reciprocal of the distance between the vectors can be regarded as similarity. Or you may take cosine similarity. Further, when the context information is categorical data such as “sex”, the similarity can be defined based on whether or not they match.
Moreover, it may be categorical data having a hierarchy. At this time, the number of matching hierarchies may be used as the similarity by using how many hierarchies match. Alternatively, the degree of similarity may be defined by the reciprocal of the distance, etc., with the number of movements required when moving from one data to the other data following the hierarchical tree.
In addition, when the context information is composed of a plurality of vectors, categorical data, etc., vector data is converted into categorical data, and the similarity of data is determined based on the number of times categorical data matches. May be. Alternatively, the similarity may be obtained for each data constituting the context information, and the weighted sum of the similarities may be taken. The definition of the similarity of context information in the present embodiment is not limited to these.
As a user classification method based on context information, classification may be performed based on the similarity of context information by a clustering technique such as k-means or spectral clustering. Alternatively, a method using a generalized hierarchical tree often used in the k anonymization method may be used. The user classification method in the present embodiment is not limited to these.
The anonymization information generation unit 310 generates context information to be disclosed for each group obtained by the anonymization classification unit 309. For example, if the context information to be disclosed is position information, the anonymized information generation unit 310 obtains the center of gravity of the position information of users constituting the group. In addition, the anonymized information generation unit 310 may obtain and disclose the maximum distance from the center of gravity to the users constituting the group as a radius or the like. Further, the anonymization information generation unit 310 performs generalization such as omitting the address if the disclosed context information is an attribute value such as an address. However, the anonymization information generation process is not limited to these.

The context disclosure unit 311 discloses the context information generated by the anonymized information generation unit 310 to the service. For example, in the case where the location information is anonymized and disclosed, the context disclosure unit 311 obtains the center of gravity and the radius by the anonymization information generation unit 310, and thus discloses the information in association with the user ID. Alternatively, the context disclosure unit 311 may disclose information in units of groups, assigning an ID to the group generated by the anonymization classification unit 309, and linking the center of gravity, the radius, and the user ID list to the group ID. You may make it disclose. However, the disclosure method of the context information is not limited to these.
The associated user ID is preferably closed to the service, and it is preferable not to use the user ID in the PCA server. This is because, in the present embodiment, context information is generated so that the disclosed context information cannot be narrowed down to a certain number of people or less. However, if an ID that can uniquely identify a user in the entire PCA is used, specificity is born. On the other hand, if the ID is closed to the service, the user ID of the service cannot be used for association with the context information that is not disclosed in the service. Therefore, the data is combined by matching the context information. However, since the context information is anonymized, it cannot be narrowed down beyond a certain number. Therefore, information is not disclosed to the service more than the user assumes.
However, a user ID in the PCA server may be used. At this time, even context information that is not disclosed in the service can be easily combined by using the user ID. However, since the accuracy of the disclosed context information is reduced in the process of anonymization, a certain degree of privacy can be protected.
It is not necessary to include the user ID in the disclosed information, and only the context information may be disclosed. However, the configuration of information to be disclosed is not limited to these.

Next, the disclosure information generation processing in this embodiment will be described with reference to the flowchart of FIG. This process is executed by the disclosure information generation unit 305 to generate context information to be disclosed to the service. For this reason, in this process, the service is specified as a parameter and the process is executed. In addition, a parameter set for each service is also given and executed. The parameters will be described with reference to FIG. The first parameter is a usage probability interval used when dividing users into layers. In this example, sections to be divided into four layers are defined. The second parameter defines whether to disclose context information for each layer. “No” indicates that information is not disclosed. “Permitted (protected)” indicates that information is disclosed after anonymization. “Yes (elementary value)” indicates that information may be disclosed without anonymization. The third parameter is the anonymization group size, which specifies the size of the anonymization group generated in the layer. The limit error of the fourth parameter specifies an error that should be the limit of the anonymization information generated in the layer. Details will be described later with reference to the flowchart of FIG. The limit error is an example of a setting error. The symbol is a symbol used for explanation in the present embodiment, not a parameter.
In the following description, a case where position information is anonymized will be described as an example. Hereinafter, a description will be given according to the flowchart of FIG.
In S501, the use probability calculation unit 307 estimates the use probability of the service for each user. More specifically, the use probability calculation unit 307 uses the use probability calculation unit 307 to estimate the probability of using the service for each user.
In S502, the use probability classifying unit 308 divides users into layers based on use probabilities. More specifically, the use probability classifying unit 308 determines which use probability section the user corresponds to using the use probability section shown in FIG.
In S503, the use probability classifying unit 308 identifies the anonymization target layer. More specifically, the use probability classification unit 308 refers to the disclosure availability shown in FIG. 4A and identifies the layer that is “permitted (protected)”.
In S504, the anonymization classification unit 309 performs an anonymization group creation process for the layer specified in S503. Details will be described later with reference to the flowchart of FIG.
In S505, the anonymization information generation unit 310 generates disclosure information for each anonymization group. For example, if the context information to be disclosed is position information, the anonymized information generation unit 310 uses the center of gravity and the radius of the position information of the users constituting the group as disclosure information.
For the user information of the layer that has not been anonymized in S503, the anonymization information generation unit 310 determines a disclosure method based on a parameter indicating whether disclosure is possible. More specifically, the anonymized information generation unit 310 does not disclose information regarding the user of the “No” layer. On the other hand, the information is disclosed as it is for the user who is “possible (primary value)”.
That is, the anonymized information generation unit 310 changes the strength of anonymization of the disclosed information based on the use probability of the group described later. More specifically, the anonymization information generation unit 310 weakens the anonymization of the disclosure information as the use probability of the group is high (for example, the disclosure information is left as a raw value), and the use probability of the group is low. Increase the anonymization of disclosed information (for example, do not disclose disclosed information).

Next, the anonymization group creation process in this embodiment will be described with reference to the flowchart of FIG. In this process, an anonymization group is created by repeating the division of the user set for each layer that is to be anonymized. Hereinafter, each step will be described.
In S601, the anonymization classification unit 309 is a loop for sequentially processing the layers to be anonymized specified in S503 in FIG. 5, and the layers to be anonymized are assigned numbers in order from 1. And Since the anonymization classification unit 309 refers to the layer using the variable i, first, i is initialized to 1. Further, the anonymization classification unit 309 proceeds to S602 when i is equal to or smaller than the number of layers, and proceeds to S609 through a loop when i is not satisfied.
In S602, the anonymization classification unit 309 registers the user of layer i as one group in the division candidate group list.
In step S603, the anonymization classification unit 309 extracts a group from the division candidate group list and divides the group based on the similarity of the context information. The anonymization classification unit 309 deletes the extracted group from the division candidate group list. The anonymization classification unit 309 divides the group into two using a division clustering method such as k-means as a division method. Or the anonymization classification | category part 309 may divide | segment using methods, such as spectral clustering. The group dividing method is not limited to these.
In S604, the anonymization classification unit 309 evaluates the result divided in S603 and determines whether or not the division may be performed. More specifically, the anonymization classification unit 309 confirms that the size of the group after the division satisfies the condition of the anonymization group size given as a parameter. For example, in the example illustrated in FIG. 4A, it is set as a condition that the size of the anonymization group is “6 or more” when the use probability interval is 0.4 or more and less than 0.7. The anonymization classification unit 309 determines that the group can be divided (OK) when the size of the group after the division satisfies the condition in each group after division, and proceeds to S605. In other cases, the anonymization classification unit 309 proceeds to S606.
In S605, the anonymization classification unit 309 registers the divided group in the division candidate group list.
In S606, the anonymization classification unit 309 cancels the division in S603 and registers the group before the division in the completed group list.
In S607, the anonymization classification unit 309 determines whether there is a group in the division candidate group list. The anonymization classification unit 309 moves to S603 when there is a group, and moves to S608 otherwise.
S608 is the end of the loop of the layer, and the anonymization classification unit 309 adds 1 to i and returns to S601.
In S609, the anonymization classification unit 309 performs a marginal error group disassembly process. Details will be described with reference to the flowchart of FIG.

Next, the limit error group disassembly process in the present embodiment will be described with reference to the flowchart of FIG. At the start of this process, the anonymization group is registered in the completed group list immediately before S609 in the anonymization group creation process (FIG. 6). In this processing, the error of the group in this list is evaluated, and the group with a large error is disassembled and integrated with other groups to try to reduce the error. Parameter error is used for error evaluation. As shown in FIG. 4A, the limit error is a value set for each layer.
S701 is a loop for processing layers in order from the lower layer. Here, the layer has a smaller usage probability interval called a lower layer. For example, in FIG. 4 (a), the second row is positioned in the lower layer because the second row has a smaller use probability interval than the third row. Assume that layers are assigned numbers in order from 1 in order from the lower layer. Since the anonymization classification unit 309 refers to the layer using the variable i, first, i is initialized to 1. Further, the anonymization classification unit 309 proceeds to S702 when i is equal to or less than the number of layers, and when not satisfying this, exits the loop and ends the process.
In S702, the anonymization classification unit 309 specifies a group that exceeds the limit error in layer i as a dismantling group. In the example of FIG. 4A, for example, when the layer i is a layer having a usage probability interval of 0.4 or more and less than 0.7, the limit error is defined as 1000 m. Therefore, here, the anonymization classification unit 309 uses the radius of the group as an error, and uses a group with this radius exceeding 1000 m as a disassembly candidate.

S703 is a loop for sequentially processing the dismantling groups specified in S702. It is assumed that numbers are assigned to the dismantling groups in order from 1. Since the anonymization classification unit 309 refers to the dismantling group using the variable j, j is first initialized to 1. Further, when the dismantling group j is equal to or less than the number of groups, the process proceeds to S704.
In S704, the anonymization classification unit 309 obtains an error for each user when the user is excluded from the dismantling group. Then, the anonymization classification unit 309 sets the user m as the user with the smallest error. At this time, the anonymization classification unit 309 sets a flag that the user m has been processed. In addition, when selecting the user m, the anonymization classification unit 309 selects from unprocessed users.
In S705, the anonymization classification unit 309 determines whether or not the error of the dismantling group is reduced when the user m is excluded. In addition, the anonymization classification unit 309 determines that the condition of the anonymization group size is satisfied when the user m is excluded. The anonymization classification unit 309 proceeds to S706 when the error is reduced and the condition is satisfied (YES), and proceeds to S706 otherwise (NO).
In step S <b> 706, the anonymization classification unit 309 identifies “a group of layer i” and “a group of layers lower than layer i” that are less than the limit error as absorption destination groups. The reason why the upper layer of layer i is not included is that the anonymization group size required by the user of layer i is larger than the upper layer, and therefore, when integrated on the upper layer side, the condition of the user of layer i cannot be satisfied. is there. On the other hand, since it is certain that the lower layer is larger than the size of the anonymization group of the user of layer i, it can be integrated into the group on the lower layer side.

In S707, the anonymization classification unit 309 obtains an error when the user m is included in the absorption destination group specified in S706. And the anonymization classification | category part 309 makes it the absorption destination group n, when the smallest error is less than a limit error.
In S708, the anonymization classification unit 309 determines whether or not the absorption destination group n is found in S707. When the anonymization classification unit 309 is found (YES), the process proceeds to S709, and otherwise (NO), the process proceeds to S711.
In S709, the anonymization classification unit 309 includes the user m in the absorption destination group n.
In S710, the anonymization classification unit 309 determines whether or not the error when the user m is excluded from the dismantling group is less than the limit error. When the anonymization classification unit 309 is below the limit error (YES), the process proceeds to S712, and otherwise (NO), the process proceeds to S711.
In S711, the anonymization classification unit 309 determines whether or not an unprocessed user remains in the dismantling group j. The anonymization classification unit 309 uses the processed flag given in S704. The anonymization classification unit 309 proceeds to S704 when there is an unprocessed user (YES), and proceeds to S712 otherwise (NO).

In S712, the anonymization classification unit 309 cancels the dismantling so as to satisfy the anonymizing group size when all users of the dismantling group j cannot be processed. More specifically, the anonymization classification unit 309 moves the users of the dismantling group to another group that can satisfy the limit error by the processes of S704 to S711. However, the user may remain in the dismantling group. For example, when there is no other group that can satisfy the limit error, the user remains in the dismantling group. At this time, when the user remaining in the dismantling group does not satisfy the condition of the anonymizing group size, the dismantling of the dismantling group cannot be achieved. Therefore, in such a case, the anonymization classification unit 309 abandons reducing the marginal error of the dismantling group and returns the process to a state where the condition of the anonymization group size can be satisfied. More specifically, in S709, the anonymization classification unit 309 stores in the stack that the user m is included in the absorption destination group n. In S712, the anonymization classification unit 309 reads out to which group the user is included from the stack, and sequentially returns the user to the dismantling group. The anonymization classification unit 309 sequentially returns to the group until the dismantling group satisfies the condition of the anonymization group size. As a result, it becomes possible to satisfy the condition of the size of the anonymization group specified by the parameter, and the anonymity of the group can be preferentially protected.
S713 is the end of the dismantling destination group loop, and the anonymization classification unit 309 adds 1 to j and returns to S703.
S714 is a loop process from the lower layer, and the anonymization classification unit 309 adds 1 to i and returns to S701.

The process of the flowchart of FIG. 7 will be described more specifically with reference to FIG. 8 using an example of anonymizing and disclosing position information. FIG. 8A is a diagram showing a distribution of user position information. In the figure, .DELTA..DELTA.X represents the use probability of the user service. Correspondence with the use probability is as shown by reference numerals in FIG.
FIG. 8A is a diagram showing a distribution of user position information. In FIG. 8, ◯ Δ × represents the use probability of the user's service. Correspondence with the use probability is as shown by reference numerals in FIG. The state shown in FIG. 8A is a state in which the disclosure information generation process (S501) is completed.
FIG. 8B shows a state in which the process is further advanced to the point immediately before the limit error group disassembly process (S609) is performed. Each of the two types of broken lines indicates an anonymization group. The anonymization group of the fine broken line 1402b is an anonymization group of the layer whose utilization probability is represented by Δ, and the anonymization group of the rough broken line 1404b is an anonymization group of the layer whose utilization probability is represented by ○. Since the layer whose use probability is represented by x does not disclose information, it is deleted from FIG. Reference numeral 1401b denotes a limit error of each group used in later explanation.
Hereinafter, the processing of the flowchart of FIG. 7 will be described more specifically on the assumption that the information illustrated in FIG. 8B is input to the error limit group disassembly processing. First, in S701, the anonymization classification unit 309 selects a layer having a usage probability Δ. In step S702, the anonymization classification unit 309 identifies a group that exceeds the error limit. However, in this example, since all the groups of layers having the usage probability Δ are below the error limit, the anonymization classification unit 309 skips the processing from S703 to S713. In S <b> 714, the anonymization classification unit 309 sets the next layer of usage probability ○ as the processing target, and returns to S <b> 701.

There are four groups of groups 1404b to 1407b in the next layer of use probability ◯. In S702, the anonymization classification unit 309 selects only the group 1404b exceeding the error limit. In S703 to S713, the anonymization classification unit 309 reduces the error of the group 1404b by moving the user from this group to another group. In 1404b, there are five users 1408b to 1412b. In S704, the anonymization classification unit 309 selects a user who minimizes the error when excluded from the group. In this example, the anonymization classification unit 309 selects the user indicated by 1408b. In S705, the anonymization classification unit 309 determines that the error of the group 1404b is small when the user 1408b is excluded. In S706, the anonymization classification unit 309 specifies the groups 1402b to 1403b and 1405b to 1407b as candidates for the absorption destination group. In S707, the anonymization classification unit 309 selects a group having the smallest error and the error limit below when the user 1407b is included. In this example, the anonymization classification unit 309 determines that the user 1408b can be included in the group 1403b. Therefore, in S708, the anonymization classification unit 309 determines that the absorption destination group has been found, and proceeds to S709. In S709, the anonymization classification unit 309 moves the user 1408b from the group 1404b to the group 1403b, and corrects both errors. As a result, the state of the anonymization group as shown in FIG. It can be seen that the group 1404b has been corrected so that the error is small and the group 1403b is corrected so that the error is large.
Even if the user 1408b is moved, the error of the group 1404b exceeds the limit error of 500 m. Therefore, in S710, the anonymization classification unit 309 determines NO. Since there are four users who have not yet processed, the anonymization classification unit 309 determines YES in S711.

In S704 to S708, the anonymization classification unit 309 repeats the same process again. That is, the anonymization classification unit 309 specifies the user 1409b as a user whose error is reduced when excluded. And the anonymization classification | category part 309 specifies the group 1403b as a group by which an error does not exceed a limit error, even if it moves the user 1409b. In step S709, the anonymization classification unit 309 moves the user 1409b from the group 1404b to the group 1403b, and updates the error of both groups. As a result, the state of the anonymization group as shown in FIG. The group 1404b has a small error. On the other hand, since the group 1403b did not affect the error, the error has not changed.
In S710, since the error of the group 1404b is less than the limit error 500m, the anonymization classification unit 309 determines YES. In S712, the group 1404b cannot process all users, but the anonymization classification unit 309 does not cancel dismantling because the size of the anonymization group is satisfied.
Since there are no groups that are candidates for dismantling except for 1404b, the anonymization classification unit 309 exits S713. Further, since there is no higher layer than the use probability ◯, the anonymization classification unit 309 similarly skips S714 and ends the processing of the flowchart shown in FIG.
In the above processing, when the user of the dismantling group is moved to the absorption destination group of the lower layer, the error of the absorption destination group may satisfy the error limit of the upper layer. More specifically, in S707, the anonymization classification unit 309 obtains an error when the user m belonging to the disassembly group is included in the lower layer group, and the error is “error limit of upper layer”. The group that falls below is determined as the absorption group n. Thereby, it is possible to prevent a deterioration in information quality of the disclosure information of the user moved from the upper layer to the lower layer group.
As described above, in the process of the flowchart of FIG. 7, when there is a group exceeding the error limit, the user is moved to a group having a margin for error. This allows the group to be adjusted to meet the error limit.
The anonymized group size (FIG. 4 (a)), which is a parameter used in the above disclosed information generation process (FIG. 5), is determined in consideration of the use probability of the services of the users making up the group. Is desirable.

For example, the probability that any one of the users constituting the group will execute the service is defined as a “group use probability”. You may make it set so that the utilization probability of this group may become more than a predetermined | prescribed request | requirement probability. The probability that any one user in the group uses the service can be obtained by the equation shown in FIG. FIG. 4B shows information indicating how many users can achieve 95% or more if the user's service is used if the request probability is 95% if the user belongs to the anonymization group. It is. The anonymization classification unit 309 can determine the size of the anonymization group based on the information shown in FIG. 4B after determining the section of the layer use probability. For example, the anonymization classification unit 309 refers to the range of 0.4 or more and less than 0.7 in FIG. Use the size of the group. Since it is 6 in this example, the size of the anonymization group is set as 6 or more. By setting the anonymization classification unit 309 in this way, the probability that any one user of the anonymization group uses the service can be set to a request probability of 95% or more.
As a result, even if the service prepares for anonymized information, there is a possibility that at least one person will enjoy the service with the probability of request. Generate anonymization.
Or the anonymization classification | category part 309 may approximate the utilization probability of a group with the sum of the utilization probability of the user who comprises a group. As a result, the use probability of the group can be obtained by simple calculation.
The anonymization classification unit 309 may acquire the request probability from the service. In addition, the anonymization classification unit 309 may use the group use probability as a probability that at least N persons in the group will use instead of a probability that one person in the group will use.
In the present embodiment, the anonymization classification unit 309 performs processing after determining the size of the anonymization group as a parameter. However, the anonymization classification unit 309 may determine and process only the request probability without determining the size of the anonymization group. More specifically, the anonymization classifying unit 309 uses the constituent users of the group after the division at the time of determination in S604 of FIG. The probability of using the service (group usage probability) is calculated. The anonymization classification unit 309 determines that division is possible when the group use probability exceeds the required probability in each divided group. On the other hand, the anonymization classification | category part 309 judges that it cannot divide | segment, when it falls below a request | requirement probability.
Also in the marginal error group disassembly process (FIG. 7), in S712, the anonymization classification unit 309 cancels disassembly until the condition of the anonymization group size is satisfied, but cancels disassembly until the request probability is satisfied. To.
This makes it possible to determine whether or not the anonymization group satisfies the request probability with higher accuracy than when the size of the anonymization group is determined in advance. On the other hand, when the size of the anonymization group is determined in advance, since the process in S604 is simplified, an effect that the process can be performed at a higher speed is obtained.

Next, an example of disclosing location information for a taxi service will be described with reference to FIGS.
FIG. 9A is a diagram showing a distribution of user position information at a certain time T. FIG. ○ △ × in the figure represents the use probability of the user's taxi service. Correspondence with the use probability is as shown by reference numerals in FIG. The state shown in FIG. 9A is a state after S501 of the disclosure information generation process (FIG. 5).
FIG. 9B shows a state where S502 to S504 are further completed and an anonymization group is created. Each of the two types of broken lines indicates an anonymization group. The anonymization group of the fine broken line 801b is an anonymization group of the layer whose utilization probability is represented by Δ, and the anonymization group of the rough broken line 802b is an anonymization group of the layer whose utilization probability is represented by ○. Since the layer whose usage probability is expressed by “x” does not disclose information, it is deleted from the figure.
FIG. 9C shows a state where the anonymized information is generated after S505 is further completed, and shows an image of information provided to the taxi service. The center of gravity and the radius are calculated for each anonymization group, and are generated as disclosed context information. In the taxi service, for each anonymized group, the center of gravity, the radius, the probability of the group, the configured user ID, the service usage probability of the user, and the like are disclosed. The probability of the group is obtained by using the service usage probability of the constituent users to determine the probability that any one user will execute the service. The user ID is an ID closed to the taxi service. Therefore, it cannot be used in combination with data held by other than taxi service.
When such information is received by the taxi service, the patrol route can be determined so that the taxi patrols the area indicated by the broken line in FIG. In addition, by disclosing the user ID to the taxi service side, when the taxi service side has attribute information associated with the user ID, it is possible to prepare a taxi based on the attribute information. For example, when having a signage in a taxi, it is possible to pre-download and prepare advertisements tailored to the user.
However, the items and forms of information disclosed to the service are not limited to these.

FIG. 10A shows the distribution of the user's position information and the user's use probability at time T + 1, which is a time slightly advanced from FIG. 9A. The black symbols (● and ★) in FIG. 10 are portions where the use probability has changed from time T. In either case, the use probability is higher than at time T. In addition, at time T, since it has been decided to go around the area represented by the broken line, there are as many taxis as there are broken line areas.
FIG. 10B shows the state of the anonymization group in the state at time T + 1. Users 901b and 902b with increased use probabilities change the anonymization group as compared to time T. Therefore, the accuracy of information to be disclosed is increased. On the other hand, the user 903b has not changed the anonymization group. If an anonymization group is formed with a user in the same layer, the error becomes too large. For this reason, the process is performed so that the user is assigned to the anonymization group of the lower layer by the dismantling process of the marginal error group.
FIG. 10 (c) shows an image of information provided to the taxi service at time T + 1. From the taxi service, it becomes possible to know the position information of the user 901b who requested the vehicle dispatch, and the waiting time of the user can be reduced by the taxi 901c that has been prepared nearby picking up.

FIG. 11A shows the same information as in FIG. 10A with the time advanced to time T + 2. Since the taxi 901c and the user 901b headed for the user's destination, they disappear from FIG. In addition, the black symbols (★) are portions where the use probability has changed from time T + 1.
FIG.11 (b) has shown the state of the anonymization group, and the user 1001b comes to form an anonymization group by one person.
FIG. 11C is an image of information provided to the taxi service, and directs the taxi 1001c that has been dispatched nearby to the user 1001b. In addition, since there is no taxi supplementing the area 1002c, another taxi is directed to the area 1002c.
Thus, as the taxi utilization probability increases, the accuracy of information increases. More specifically, the accuracy of position information increases. As a result, in a state where the use probability is high, a more personalized preparation is made. More specifically, a taxi goes around the user. As a result, there is an effect that waiting time is reduced when taxi dispatch is requested.

Next, an example in which there is a plurality of context information and attribute information etc. will be described. In this example, an example of sharing shoe information desired by a visitor (PCA client user) who has the possibility of visiting the shoe shop service will be described with reference to FIGS.
A shoe shop is a store that sells shoes to customers. When customers visit the store, they want to see and try on their shoes. For this reason, when the desired shoe stock is not in the visited store, the store clerk goes to another store in the vicinity, so that he / she is kept waiting. In order to solve these problems, the shoe shop service prepares shoes according to the information of customers who visit the store. This prevents the customer from waiting because the desired shoe is not available when the customer visits the store.
The context information before anonymizing with the PCA server will be described with reference to FIG. This is mainly information about shoes that the user wants. Such information may be estimated from the user's usual behavior. For example, in online shopping or the like, a wish list is created. The context acquisition unit 306 may create context information from the wish list. Alternatively, the context acquisition unit 306 may acquire context information while the user goes around several shoe shops. However, the method for acquiring the context information is not limited to these.

Each item in the column in FIG. 13A will be described.
The user ID is information for uniquely identifying the user. When the service already has information on the user, the user ID is associated with the information and processed. For example, if the user is already a member of the shop, the shop stores information such as age, gender, and previously purchased items. it can. For example, it can be prepared not to be the same as a previously purchased product.
The use probability is a probability that the user visits the store, and is expressed by a code here. The correspondence between this code and the use probability is as shown in FIG.
A category and a subcategory are information regarding the type of shoe. The category is an upper classification, and the lower classification is a subcategory.
The color classification and the color are information on the color of the shoe. The color classification is an upper classification, and the lower classification is a color.
The size is information regarding the size of the shoe.
FIG. 13A shows context information at a certain time T. FIG. On the other hand, the disclosure information generation unit 305 anonymizes “category, subcategory, color classification, color, size” by performing the disclosure information generation process, and generates the information in FIG. At this time, the parameters shown in FIG. 12 are used in the disclosure information generation process. This parameter is almost the same as that shown in FIG. However, the marginal error is changed according to the context information to be anonymized. More specifically, here, the limit error is the number of items (columns) anonymized. That is, it is indicated that the number of items to be anonymized is desirably 4 or less for the data expressed by the use probability code Δ.

Hereinafter, the disclosure information generation process illustrated in FIG. 5 will be described step by step.
In S501, the use probability calculation unit 307 estimates the use probability. For example, the usage probability calculation unit 307 creates a correspondence between the distance between the user and the store and the usage probability in advance, assigns a small probability to a far distance, and assigns a large probability to a nearby distance. You may make it set. For example, the use probability calculation unit 307 can achieve this by setting a normal distribution centered on the store. Alternatively, the use probability calculation unit 307 may cause the PCA server to create a traveling model between points using the context information accumulated in the PCA server. For example, the use probability calculation unit 307 creates a movement probability between points as a traveling model based on position information collected from the user. Then, the use probability calculation unit 307 obtains the movement probability from the point where the user is currently located to the shoe shop based on the traveling model. However, the usage probability estimation method is not limited to these.
In S502, the use probability classification unit 308 divides users into layers for each use probability. In this example, there are two usage probabilities Δ and ○.
In S503, the use probability classifying unit 308 identifies the anonymization target layer. According to FIG. 12, since the layers represented by the signs Δ and ○ of the use probability are targets, all layers are anonymized in FIG.

In S504, the anonymization classification unit 309 performs an anonymization group creation process. First, the disclosure information generation unit 305 repeats dividing the user to the minimum size that satisfies the condition of the anonymization group size, paying attention only to the data of the usage probability code Δ. In this example, two groups of User01 to User08 and User012 to User18 are created. Next, the disclosure information generation unit 305 performs processing while paying attention to the data of the use probability code ◯. Then, two groups of User 09 to User 11 and User 19 to User 21 are created.
In S505, the anonymization information generation unit 310 generates disclosure information for each anonymization group. The anonymization information generation unit 310 processes each item for each of the four groups. More specifically, the anonymization information generation unit 310 leaves the value for “category, subcategory, color classification, color” when all the data in the group has the same value, and is different. Is replaced with “*”. As a result, anonymization is performed so that the original value is unknown. The anonymization information generation unit 310 converts the size into a data range in the group. As a result, the size of each data is not known.
Thus, the context information for disclosure shown in FIG. 13B is generated. This information is disclosed to the shoe shop service. As a result, the shoe shop service compares with the stock in the shop, and if the shoes on this list are not in stock, they are ordered from nearby stores.

FIG. 14A shows the context information for disclosure at time T + 1 when time has advanced from the state shown in FIG. At time T + 1, the usage probability of User 12 has increased, so the sign of the usage probability has changed from Δ to ◯. Here, the symbols are blacked out for easy understanding.
As a result of the increase in usage probability, the anonymization group created in S504 changes. More specifically, in the data of the usage probability code Δ, the anonymization group is changed to User01 to User08 and User013 to User18 due to the absence of User12. Furthermore, in the data of the use probability code ◯, the anonymization group is changed to User 09 to User 12 and User 19 to User 21 due to the increase of User 12.
Then, disclosure information is generated for each anonymization group. For example, in the group of User 09 to User 12 including User 12, the color is replaced with * and the size is replaced with the data section of the group.
As a result, the context information disclosed by the User 12 can be recognized at the time T, and the subcategory and the color classification that are not known.
FIG. 14B shows a state in which the time has further advanced to T + 2. At time T + 2, since the usage probability of User 12 has further increased, the sign of the usage probability has changed from ○ to ☆. Here, the symbols are blacked out for easy understanding.
As a result of the increase in usage probability, the anonymization group created in S504 changes. More specifically, the anonymization group of the data of the use probability code Δ does not change. However, in the data of the use probability code ◯, the anonymization group changes to User 09 to User 11 and User 19 to User 21 because User 12 has decreased. And since the data of the use probability ☆ is on condition that the size of the anonymization group is 1, an anonymization group of only User1 is formed.
Then, disclosure information is generated for each anonymization group. However, since the anonymization group including User 12 has data only for User 12, the value as it is is disclosed.
As a result, the context information disclosed by the User 12 can be known at the time T + 1, and the color and size that were not known after being processed.
Thus, as with User 12, as the use probability increases, the accuracy of the user's information increases. More specifically, the values of “category, subcategory, color classification, color” can be known. “Size” narrows the section. As a result, in a state where the use probability is high, a more personalized preparation is made. More specifically, shoes that match the information disclosed by the user are prepared in advance in the store. As a result, it is possible to avoid a situation where the desired shoes are not in stock when visiting the store, and to see or try on the product with less waiting time.

In the examples of taxi service and shoe shop service, the case where only the use probability changes without changing the context information has been described. However, context information also changes from moment to moment. That is, in the case of a taxi service, the location information changes as the user moves. Also, in the shoe shop service, the information on the shoes you want changes as you browse multiple shops.
In this example, an example in which the use probability increases is described, but the use probability may decrease. As the use probability decreases, the accuracy of information decreases. In the example of the taxi service, the center-of-gravity coordinates of the disclosure information may be different from the user position information. In the example of the shoe shop service, the value of “category, subcategory, color classification, color” is unknown, and “size” has a wide range. As a result, the information of the user whose use probability has decreased is anonymized.
Even if the information once disclosed is hidden by anonymization, the service side may store the information when disclosed. However, since the context information changes from moment to moment, it becomes impossible to follow changes after disclosure.
As described above, it is possible to achieve both anonymization and service preparation by changing the accuracy of information according to the probability that the user uses the service.
In particular, the disclosure information generation unit 305 forms an anonymization group and anonymizes the context information of the users of the same group. As a result, the users in the group cannot be distinguished from other users. As a result, privacy can be protected.

In the present embodiment, context information is disclosed to the service side including the user ID. However, this user ID is a user ID closed to the service. For this reason, in order to associate with data held by another service, it is necessary to match the data with the context information disclosed in common and combine the data. However, since the context information is anonymized, it cannot be narrowed down beyond a certain number.
Moreover, in this embodiment, anonymization is performed between users having the same usage probability by dividing the users into layers based on the usage probability. Thereby, it is possible to prevent a user with a high use probability from degrading the accuracy of information in accordance with the request level for anonymization of a user with a low use probability.
In addition, in this embodiment, the size of the anonymization group is determined based on the use probability of the group. Thereby, the information after anonymization can be useful for the service side. In addition, in this embodiment, the group use probability is a probability that at least one of the users configuring the group will use the service. At this time, since the preparation for the provided information is used for one of the users with a request probability, the possibility of being wasted can be controlled stochastically.
In addition, in this embodiment, a limit error is defined for each layer of use probability, a group exceeding the limit error is disassembled, and a user is assigned to another group. Thereby, it is possible to suppress the error from becoming larger than the limit error for each use probability. In particular, in the present embodiment, the assignment to a group in a lower layer than the layer to which the user belongs is included in the assignment to another group. This can further suppress the error from becoming larger than the limit error.

In the present embodiment, the disclosure information is generated based on the use probability. However, it is not limited to the use probability, and may be a user service request level. More specifically, it is not a continuous value of 0 to 1 such as a probability but a continuous value of 0 to 1 or a categorical value such as “high”, “medium”, and “low”. May be. The required degree in this embodiment is not limited to these.
Further, in the present embodiment, it is obtained by estimation by the system, but what is input by the user may be used. More specifically, the PCA server 102 may display a UI for inputting the degree of request on the monitor or the like of the PCA client 101 and receive a user input. For example, the PCA server 102 may use a request degree that is presented to the monitor of the PCA client 101 in five stages or the like and is input by the user through a UI such as a slider. The PCA server 102 may generate the stages so as to match the number of layers by using the parameters when generating the disclosure information illustrated in FIG. Alternatively, the PCA server 102 may display the request level with a color or the like and input the request level through buttons for increasing or decreasing the request level. Alternatively, for example, the PCA server 102 may accept the use probability via the monitor of the PCA client 101 or the like, or may accept a continuous value or a categorical value expressing the request level. Since the estimation may be erroneous, when the user strongly desires the service, the PCA server 102 inputs a high degree of request based on a user operation via the monitor of the PCA client 101 or the like. Alternatively, when the user does not want to disclose his own information, the PCA server 102 actively inputs a low request level based on a user operation via the monitor of the PCA client 101 or the like. Thereby, information disclosure reflecting the user's intention can be performed.

<Embodiment 2>
In the first embodiment, when the use probability is high, information is disclosed to the service. However, even a user whose usage probability is highly estimated may not want to disclose more than a certain amount of information. Therefore, the disclosure information is generated so as to satisfy the disclosure condition specified by the user. In the present embodiment, a method for generating disclosure information so as to satisfy an “anonymization request” which is one of disclosure conditions input by a user is shown. Therefore, in the present embodiment, a method for generating the disclosure information so as to satisfy the anonymization request input by the user is shown.

A functional configuration of a system for generating information to be disclosed in the present embodiment will be described.
In the present embodiment, in addition to the configuration of the first embodiment, there is an anonymization request input unit. In addition, the anonymization classification unit 309 and the anonymization information generation unit 310 are different. Hereinafter, description will be made in order.
The anonymization request input unit of the present embodiment inputs anonymization conditions that should be satisfied when disclosing user information. For example, the anonymization request input unit inputs a condition that three or more anonymization group sizes are required when disclosing user information. Alternatively, the anonymization request input unit may be a condition that anonymization group size is required for three or more people in a certain region or time zone. This makes it possible to increase the anonymization group so as not to reveal the location of the house when at home. For example, the anonymization request input unit may receive an anonymization request condition input via a monitor, an input device, or the like of the PCA server 102. Further, the anonymization request input unit may receive an anonymization request condition input via a monitor, an input device, or the like of the PCA client 101 via a network.
Alternatively, the anonymization request input unit may input the ambiguity condition of the disclosure information. That is, when disclosing center coordinates and a radius as disclosure information based on position information, the anonymization request input unit may input a condition for the minimum value of the radius size. Alternatively, when disclosing attribute information, the anonymization request input unit may input the minimum value of the number of anonymized items as a condition. Alternatively, the anonymization request input unit may input items that should be anonymized without fail. Further, the anonymization request input unit may input the ambiguity condition of the disclosure information including the conditions such as the region and the time zone. For example, when anonymization request input unit discloses position information in a certain area, the minimum radius size is set to 100 m or more. Alternatively, the anonymization request input unit may not disclose position information in a certain area.
The anonymization request is not limited to these.

The anonymization classification unit 309 of the present exemplary embodiment classifies users into groups based on the similarity of context information to be anonymized for each layer obtained by the usage probability classification unit 308 so as to satisfy the anonymization request. When the condition regarding the anonymization group size is designated, the anonymization classification unit 309 creates an anonymization group so as to satisfy the condition. More specifically, between S501 and S502 in FIG. 5 of the first embodiment, the anonymization classification unit 309 corrects the use probability so as to satisfy the anonymization request. For example, when the anonymization request is a condition that “anonymization group size is 3 or more” and there is a user estimated to have a usage probability of 1 in S501, the anonymization classification unit 309 corrects as follows. . That is, the anonymization classification unit 309 corrects the use probability to 0.8 or less as a value of 0.7 or more and 1 based on the parameters of FIG. Further, if the anonymization request has a region, a time zone, or the like, the anonymization classification unit 309 corrects the use probability only when these conditions are satisfied.
The anonymization information generation unit 310 of this embodiment generates context information to be disclosed so as to satisfy the anonymization request for each group obtained by the anonymization classification unit 309. When the condition of the ambiguity of the disclosure information is designated, the anonymized information generation unit 310 processes the disclosure information so as to satisfy the condition. More specifically, immediately after S505 in FIG. 5 of the first embodiment, when the disclosed information does not satisfy the user's anonymization request, the anonymization information generation unit 310 performs further ambiguity. For example, if the anonymization request is a condition that “the radius of the position information is 500 m or more”, the anonymization information generation unit 310 has a condition when the radius of the disclosure information obtained for each user in S505 is 100 m. The radius of the user's disclosure information is corrected to 500 m or the like to make the disclosure information.
As described above, since an anonymization request can be designated for each user, information disclosure beyond a certain level can be prevented.

<Embodiment 3>
In the first embodiment, parameters (disclosure parameters) as shown in FIG. 4A are stored in advance, and the disclosure information generation unit 305 generates disclosure information according to the parameters. Therefore, disclosure information is generated uniformly for the user based on the usage probability estimated by the system. However, some users may wish to actively disclose information and benefit from services. It can be said that such a user has a high request for preparation on the service side (preparation request). The service side also has information quality necessary to meet the preparation request. The stage of preparation on the service side may vary depending on the service. Therefore, in the present embodiment, a method for generating disclosure information so as to satisfy “preparation request” which is one of the disclosure conditions will be described. In particular, a description will be given of a method for generating disclosure information by using both a preparation request required by the service side and a preparation request required by the user side.

A functional configuration of a system for generating information to be disclosed in the present embodiment will be described. In the present embodiment, in addition to the configuration of the first embodiment, a user preparation request input unit, a service preparation request input unit, and a disclosure setting generation unit exist. In addition, the anonymization classification unit 309 is different. Hereinafter, description will be made in order.
The service preparation request input unit inputs an anonymization level and information quality. More specifically, the anonymization level is a combination of disclosure permission and anonymization group size. For example, the service preparation request input unit inputs a combination of availability of disclosure and anonymized group size as shown in FIG. In this example, four levels are input. In this description, the information shown in FIG. 4A is input, but the anonymization level may be increased. Furthermore, the service preparation request input unit may input information quality in association with the anonymization level. For example, information quality is a marginal error. Alternatively, a group use probability or the like may be used as information quality. For example, the service preparation request input unit may receive information quality input via a monitor, input device, or the like of the PCA server 102. Further, the service preparation request input unit may receive the information quality input via the monitor, input device, etc. of the PCA client 101 via the network. The same applies to the following service preparation request input unit.
In addition, the service preparation request input unit may input a section of a usage probability that is an initial value in association with an anonymization level. Further, the service preparation request input unit may write the contents of preparation on the service side as a comment for each anonymization level. More specifically, the service preparation request input unit describes information regarding preparation that a taxi is to be dispatched within a radius of 1000 m of the user if the service is a taxi service or the like. This information is used in a user preparation request input unit described later.

The user preparation request input unit inputs a request regarding how much information is desired to be disclosed. More specifically, the user preparation request input unit inputs the anonymized number of people corresponding to the use probability. For example, the user preparation request input unit states that “if the usage probability is 0.7 or more and less than 0.8, the anonymization group size is 3 or more” “if the usage probability is 0.8 or more and 1 or less, the anonymization group size is 1 Enter a request that says "I want to be a person". Alternatively, the user preparation request input unit inputs an error limit for the use probability. For example, if the disclosure information is position information, the user preparation request input unit inputs a request such as “If the use probability is 0.7 or more and less than 0.8, the error limit is 200 m”.
The system side may present the anonymization level and input the information corresponding to it. More specifically, the user sets a use probability interval or sets an error limit for each. At this time, there may be an anonymization level that does not associate intervals of use probabilities. For example, if the user is tolerant of information disclosure, the usage probability interval may not be associated with a level at which anonymization is felt to be too strong.
Further, when the anonymization level is presented from the system side, the comment on the service-side preparation content input by the service preparation request input unit may be displayed together. Thus, the user can associate the usage probability intervals while considering both privacy protection and service enjoyment.

The disclosure parameter generation unit generates a disclosure parameter for generating disclosure information as illustrated in FIG. 4A based on information input by the service preparation request input unit and the user preparation request input unit. In the first and second embodiments, the disclosure parameter is the same regardless of the user, but in the present embodiment, the disclosure parameter is generated for each user. More specifically, the disclosure parameter generation unit associates the use probability section obtained by the user preparation request input unit with the anonymization level input by the service preparation request input unit. In addition, the disclosure parameter generation unit overwrites the limit error input by the service preparation request input unit with the limit error input by the user preparation request input unit.
Moreover, when the anonymization level is too fine, there are many users who do not associate usage probabilities, and anonymization processing at each anonymization level may be difficult. Therefore, the disclosure parameter generation unit may propose to output to the service providing side based on the number of responding persons and the like to round the correspondence of the anonymization level and recreate it.
The anonymization classification unit 309 of the present embodiment creates an anonymization group according to the disclosure parameters for each user. More specifically, in S502, the anonymization classification unit 309 divides the users into layers according to the use probability interval of the disclosure parameter for each user. Since the users with the same layer have the same anonymization group size, the subsequent processing is the same up to the marginal error group disassembly processing (S609 and flowchart 7). In the limit error group dismantling process, the process differs slightly because the limit error differs for each user. More specifically, in S704, the anonymization classification unit 309 preferentially selects a user having a large difference between the current error and the limit error. And in S707 and S710, the anonymization classification | category part 309 performs a process on condition that all the user's limit errors are satisfy | filled.
As described above, the disclosure information is generated based on the service and the preparation request requested by the user. In particular, by setting a service preparation request, it is possible to generate a disclosure parameter that reflects different service preparation stages and necessary information quality for each service. In addition, by setting a user preparation request, it is possible to generate a disclosure parameter that reflects the permissibility of disclosure for each user and the aggressiveness of service reception.
In the present embodiment, the disclosed parameter is fixed to the user regardless of the situation. However, you may comprise so that a disclosed parameter may be changed according to a condition. More specifically, the service preparation request input unit and the user preparation request input unit may input conditions such as a place and a time zone together. And in the anonymization classification | category part 309, a disclosure parameter is switched and used according to conditions.
That is, in the service preparation request input unit, a plurality of disclosure levels and information qualities are set according to the situation such as location and time zone. For example, in a taxi service or the like, even if the anonymization level is set finely in an area with few taxis, it cannot be handled, so the anonymization level is changed according to the area.
In addition, the user preparation request input unit designates a preparation request on condition of conditions such as a time zone and a place. For example, the information is set to be disclosed more on the basis of a condition such as “on holidays”. As a result, information is disclosed so that the service can be positively received only on holidays. On the other hand, for business-related services, if “weekdays from 8:00 to 17:00” or the like is a condition, information is disclosed so that the service can be actively received during business.

  In the present embodiment, the method of generating the disclosure information that satisfies the anonymization request shown in the second embodiment is not included, but it may be configured to include it. More specifically, the disclosure parameter generation unit may generate the disclosure parameter using the anonymization group size condition of the anonymization request input unit. Or although the anonymization group size is input from the anonymization request input part, you may input from a user preparation request input part. In addition, the anonymization request input unit inputs the ambiguity condition of the disclosure information. Then, as shown in the second embodiment, the anonymized information generation unit 310 may generate information that satisfies a condition.

<Other embodiments>
The present invention supplies a program that realizes one or more functions of the above-described embodiments to a system or apparatus via a network or a storage medium. It can also be realized by a process in which one or more processors in the computer of the system or apparatus read and execute the program. It can also be realized by a circuit (for example, ASIC) that realizes one or more functions.

  As mentioned above, although preferable embodiment of this invention was explained in full detail, this invention is not limited to the specific embodiment which concerns.

  As mentioned above, according to the process of each embodiment mentioned above, privacy protection and timing gap elimination can be made compatible. That is, when the probability that the user uses the service is low, the accuracy of information is low, and privacy is protected. On the other hand, since the accuracy of information increases as the probability that the user uses the service increases, the timing gap can be gradually reduced. Therefore, it is possible to create a state in which the timing gap is eliminated immediately before using the service.

102 PCA server 201 CPU
204 External storage device 210 Monitor

Claims (13)

An estimation means for estimating service availability for each user;
Classification means for classifying the plurality of users into groups based on the availability and the context information of the plurality of users and the similarity of the context information according to the service;
Generating means for generating disclosure information disclosed to the service provider for each group based on user context information included in the group;
An information processing apparatus. It further has an acquisition means for acquiring user context information,
The information processing apparatus according to claim 1, wherein the estimation unit estimates service availability for each user based on the context information.   The classification unit divides a plurality of users into layers based on the similarity of the availability, and for each of the divided layers, the context information of the plurality of users belonging to the layer and the similarity of the context information according to the service The information processing apparatus according to claim 1, wherein the plurality of users are classified into groups based on characteristics.   The information processing apparatus according to claim 3, wherein the classifying unit classifies the plurality of users into groups such that when the plurality of users are classified into groups, the group availability is equal to or higher than a set request probability.   The classification means sets the availability of the group as a probability that at least one user among the users included in the group uses the service, and the availability of the group is equal to or higher than a set request probability. The information processing apparatus according to claim 4, wherein the plurality of users are classified into groups.   The classification means approximates the availability of the group by the sum of the availability of services of a plurality of users included in the group, so that the availability of the group is equal to or higher than a set request probability. The information processing apparatus according to claim 4, wherein the plurality of users are classified into groups.   The information processing apparatus according to claim 3, wherein the classifying unit classifies the plurality of users into groups based on the similarity according to a group size set for each layer.   The classification means determines a group size based on the availability of the group, and classifies the plurality of users into groups based on the similarity according to the determined group size. The information processing apparatus according to claim 1.   The classification means is configured to classify the plurality of users into groups, and when the group error is larger than the setting error of the layer to which the group belongs among the setting errors set for each layer, the users included in the group The information processing apparatus according to claim 3, wherein the information processing apparatus is moved to another group.   10. The information processing according to claim 9, wherein when the group error is larger than the layer setting error, the classification unit moves a user included in the group to a group of layers having a lower availability section than the layer. apparatus.   The said production | generation means produces | generates the said disclosure information which weakened anonymization so that there was the availability of the said group for every said group based on the user's context information contained in the said group. Information processing device. An information processing method executed by an information processing apparatus,
An estimation step for estimating service availability for each user;
A classification step of classifying the plurality of users into groups based on the availability and the context information of the plurality of users and the similarity of the context information according to the service;
Generating a disclosure information to be disclosed to the service provider for each group based on user context information included in the group;
An information processing method including:   The program for functioning a computer as each means of the information processing apparatus in any one of Claims 1 thru | or 11.

Images