Control of data linkability

US 20050283621A1
Filed: 03/16/2005
Published: 12/22/2005
Est. Priority Date: 03/19/2004
Status: Active Grant

First Claim

Patent Images

1. A method of controlling data linkability in a system in which a client apparatus is connected to a personal data management server that has a database for storing individual data, the personal data being electronic data that can identify a specific individual and electronic data that can be collated with the personal data to identify a specific individual, the client apparatus starting processing for connecting with the personal data management server, the method for controlling data linkability comprising:

executing processing for referring to a personal ID for identifying a specific individual stored in a storage area in the client apparatus;

executing processing for creating one or more anonymous IDs according to a hash function with the personal ID as a key;

executing processing for sending anonymous data for management, which includes the anonymous IDs and one or more conditions for permitting personal data usage, to the personal data management server;

executing processing for receiving a result of registration of the anonymous data for management from the personal data management server;

when the registration fails, executing the anonymous ID creation processing and the anonymous data for management sending processing again; and

when the registration is successful, executing processing for storing the anonymous data for management in the storage area in the client apparatus.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In the conventional technique for mainly performing access control, an entity (an individual) which provides information cannot grasp a state of use of personal information. In the conventional technique for encrypting stored data, a decryption key is always required when personal data is used and the personal data is not protected once decrypted. The invention constitute a system such that a purchase history is collected according to an anonymous ID and a response from a member card or an agent server is required for operation for associating the anonymous ID with a personal ID. Personal data itself is not encrypted but stored in a plain text with the personal ID and the anonymous ID as keys such that the anonymous ID is regenerated every time the anonymous ID is associated with the personal ID on a server side. At this point, the anonymous ID serving as a collection key for the purchase history, which is accumulated concurrently, is also regenerated.

61 Citations

View as Search Results

22 Claims

1. A method of controlling data linkability in a system in which a client apparatus is connected to a personal data management server that has a database for storing individual data, the personal data being electronic data that can identify a specific individual and electronic data that can be collated with the personal data to identify a specific individual, the client apparatus starting processing for connecting with the personal data management server, the method for controlling data linkability comprising:
- executing processing for referring to a personal ID for identifying a specific individual stored in a storage area in the client apparatus;
  
  executing processing for creating one or more anonymous IDs according to a hash function with the personal ID as a key;
  
  executing processing for sending anonymous data for management, which includes the anonymous IDs and one or more conditions for permitting personal data usage, to the personal data management server;
  
  executing processing for receiving a result of registration of the anonymous data for management from the personal data management server;
  
  when the registration fails, executing the anonymous ID creation processing and the anonymous data for management sending processing again; and
  
  when the registration is successful, executing processing for storing the anonymous data for management in the storage area in the client apparatus.
- View Dependent Claims (2, 3, 4, 10)
- - 2. A method of controlling data linkability according to claim 1, wherein the conditions for permitting personal data usage are the conditions for, when the client apparatus having sent an anonymous ID to send a personal ID receives a personal ID acquisition request from the personal data management server, controlling whether the personal ID stored in the storage area is given to the personal data management server.
  - 3. A method of controlling data linkability according to claim 2, further comprising;
    - before the client apparatus sends a personal ID to the personal data management server, executing processing for creating a new anonymous ID according to the anonymous ID creation processing;
      
      executing processing for sending the new anonymous ID to the personal data management server; and
      
      executing processing for confirming a result of registration of the new anonymous ID by the personal data management server.
  - 4. A method of controlling data linkability according to claim 1, wherein, in response to a client identification request received from the personal data management server, the client apparatus sends the anonymous ID stored in the storage area.
  - 10. A method of controlling data linkability according to claim 1 or 5, wherein the conditions for permitting personal data usage include terms of validity of the created anonymous IDs.

5. A method of controlling data linkability in a system using a personal data management server that has a database for storing individual data, the personal data including electronic data that can identify a specific individual and electronic data that can be collated with the personal data to identify a specific individual, the method for controlling data linkability comprising:
- executing processing for receiving anonymous IDs created according to a hash function with a personal ID for identifying a specific individual as a key and one or more anonymous data for management including one or more conditions for permitting personal data usage from a client apparatus;
  
  executing processing for deciding whether the received anonymous IDs conflict with an anonymous ID stored in the server and sending a result of the decision to the client apparatus;
  
  when there is no conflict, executing processing for storing the anonymous data for management in the database; and
  
  executing processing for replacing anonymous IDs in the database created from personal IDs, which are the same as the received anonymous IDs, with the received anonymous IDs.
- View Dependent Claims (6, 7, 8, 9)
- - 6. A method of controlling data linkability according to claim 5, wherein the conditions for permitting personal data usage are the conditions that can control, when the personal data management server requests the client apparatus having sent the stored anonymous IDs to acquire a personal ID, whether the stored personal IDs can be received.
  - 7. A method of controlling data linkability according to claim 5, wherein the processing for storing the anonymous data for management in the database is executed after two or more anonymous data for management are received.
  - 8. A method of controlling data linkability according to any one of claims 5 to 7, wherein an anonymous ID is received from the client apparatus and, next, electronic data, which can be collated with personal data to identify a specific individual, is accumulated with the anonymous ID as a key.
  - 9. A method of controlling data linkability according to any one of claims 5 to 8, wherein each means for executing processing is stored in a tamper resistant device.

11. A client apparatus connected to a personal data management server that has a database for storing individual data, the personal data being electronic data that can identify a specific individual and electronic data that can be collated with the personal data to identify a specific individual, the client apparatus comprising:
- a storage unit that has a personal ID for identifying a specific individual; and
  
  an arithmetic processing unit that creates one or more anonymous IDs according to a hash function with the personal ID stored in the storage unit as an input value and stores the anonymous IDs in the storage unit, wherein the storage unit includes anonymous data for management having the anonymous IDs and at least one condition for permitting personal data usage concerning the personal data owned by the personal data management server, and the client apparatus has a function of, when the personal data management server requests the client apparatus to send the personal ID, before sending the personal ID to the personal data management server, creating a new anonymous ID using the arithmetic processing unit, sending the anonymous ID to the personal data management server, and storing the new anonymous ID in the storage unit.

12. A method of controlling data linkability in a system in which a client apparatus is connected to a personal data management server that has a database for storing personal data, the personal data being electronic data that can identify a specific individual and electronic data that can be collated with the personal data to identify a specific individual, the client apparatus starting processing for connecting with the personal data management server, the method for controlling data linkability comprising:
- executing processing for referring to a personal ID for identifying a specific individual stored in a storage area in the client apparatus and an anonymous ID;
  
  creating ID corresponding data representing a correspondence relation between the personal ID and the anonymous ID;
  
  executing processing for creating one or more new anonymous IDs according to a hash function with the personal ID as a key and sending the anonymous IDs to the personal data management server;
  
  executing processing for receiving a result of registration of the anonymous IDs from the personal data management server;
  
  when the registration fails, executing the anonymous ID creation processing and the anonymous data for management sending processing again; and
  
  when the registration is successful, executing processing for storing the anonymous IDs in the storage area in the client apparatus and sending the ID corresponding data to the personal data management server.

13. A method of controlling data linkability in a system in which a client apparatus is connected to a personal data management server that has a database for storing personal data, the personal data being electronic data that can identify a specific individual and electronic data that can be collated with the personal data to identify a specific individual, the client apparatus starting processing for connecting with the personal data management server, the method for controlling data linkability comprising:
- executing processing for receiving one or more new anonymous IDs created according to a hash function with a personal ID for identifying a specific individual, which is present in the client apparatus, as a key from the client apparatus;
  
  executing processing for deciding whether the received new anonymous IDs conflict with an anonymous ID stored in the server and sending a result of the decision to the client apparatus;
  
  when there is no conflict, executing processing for storing the new anonymous IDs in a database that stores anonymous ID regeneration history data; and
  
  receiving ID corresponding data of the personal ID and the anonymous ID before regeneration from the client apparatus.
- View Dependent Claims (15, 17)
- - 15. A method of controlling data linkability according to claim 13 or 14, wherein data stored in the database that stores anonymous ID regeneration history data has record data including a set of an old anonymous ID before regeneration and a new anonymous ID after regeneration.
  - 17. A method of controlling data linkability in a personal data management server which has a database for storing personal data, the personal data having first electronic data that can identify a specific individual and second electronic data that can be collated with the personal data to identify a specific individual, when the personal data management server starts processing for linking the first electronic data and the second electronic data, the method comprising:
    - acquiring ID corresponding data according to the processing according to claim 13;
      
      and linking data of the second electronic data corresponding to the first electronic data using the ID corresponding data.

14. A method of controlling data linkability in a system in which a client apparatus is connected to a personal data management server that has a database for storing personal data, the personal data being electronic data that can identify a specific individual and electronic data that can be collated with the personal data to identify a specific individual, the client apparatus starting processing for connecting with the personal data management server, the method for controlling data linkability comprising:
- executing processing for receiving one or more new anonymous IDs created according to a hash function with a personal ID for identifying a specific individual, which is present in the client apparatus, as a key from the client apparatus;
  
  executing processing for deciding whether the received new anonymous IDs conflict with anonymous IDs stored in the server and sending a result of the decision to the client apparatus;
  
  when there is no conflict, executing processing for storing the new anonymous IDs in a database that stores anonymous ID regeneration history data;
  
  receiving ID corresponding data of personal IDs and anonymous IDs before regeneration from the client apparatus; and
  
  executing processing for replacing anonymous IDs before regeneration present in the database for storing the personal data with the new anonymous IDs.
- View Dependent Claims (18, 19)
- - 18. A method of controlling data linkability in a personal data management server which has a database for storing personal data, the personal data having first electronic data that can identify a specific individual and second electronic data that can be collated with the personal data to identify a specific individual, when the personal management server starts processing for linking the first electronic data and the second electronic data, the method comprising:
    - acquiring ID corresponding data according to the processing according to claim 14;
      
      and linking data of the second electronic data corresponding to the first electronic data using the ID corresponding data.
  - 19. A method of controlling data linkability, wherein, in the processing for regenerating the anonymous ID in the database according to claim 14, data is locked such that the data cannot be referred to during the regeneration and two or more anonymous IDs are replaced while the data is locked.

16. A method of controlling data linkability in a system in which a client apparatus is connected to a personal data management server that has a database for storing personal data, the personal data being electronic data that can identify a specific individual, electronic data that can be collated with the personal data to identify a specific individual, and a database that stores anonymous ID regeneration history data, the client apparatus starting processing for connecting with the personal data management server, the method for controlling data linkability comprising:
- receiving an anonymous ID from the client apparatus;
  
  referring to a regeneration sequence of the received anonymous ID stored in the database that stores anonymous ID regeneration history data and extracting a latest anonymous ID;
  
  when the received anonymous ID is older than the latest anonymous ID, sending an anonymous ID to the client apparatus; and
  
  deleting history data related to an anonymous ID, which is older than the latest anonymous ID and is not present in the database for storing the personal data, from the regeneration sequence stored in the database that stores anonymous ID regeneration history data.

20. A method of controlling data linkability in a personal data management server which has a database for storing personal data in an encrypted form, the personal data being electronic data that can identify a specific individual, electronic data that can be collated with the personal data to identify a specific individual, and corresponding data of these electronic data, when the personal data management server starts processing for connection with a client apparatus, the method comprising:
- receiving an encryption key provided in the client apparatus; and
  
  decrypting ID corresponding data of a personal ID stored in the server and anonymous ID before regeneration using the received encryption key.

21. A data management system comprising:
- a terminal apparatus that acquires linked data;
  
  a first apparatus that stores a combination of a real name ID and a real name;
  
  a second apparatus that stores data related to the real name and an anonymous ID corresponding to the data;
  
  a third apparatus that stores a correspondence table of the real name ID and the anonymous ID; and
  
  a control apparatus that stores anonymous ID regeneration history data of corresponding to the real name ID and is connected to the terminal apparatus, the first apparatus, the second apparatus, and the third apparatus via a network, wherein when the control apparatus accesses the second apparatus to regenerate the anonymous ID, the control apparatus accesses the third apparatus to regenerate a value of the correspondence table corresponding to the regenerated anonymous ID, and stores information on the regeneration history in a storage unit of the control apparatus.
- View Dependent Claims (22)
- - 22. A data management system according to claim 21, wherein, when an IC card storing a first anonymous ID accesses the data management system, the control apparatus refers to the regeneration history data and judges whether the first anonymous ID is regenerated and, when the first anonymous ID is regenerated to the second anonymous ID, the control apparatus regenerates the first anonymous ID stored on the IC card to the second anonymous ID and deletes the regeneration history information corresponding thereto.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hitachi, Ltd.
Original Assignee
Hitachi, Ltd.
Inventors
Sato, Yoshinori, Fukumoto, Takashi, Morita, Toyohisa, Maki, Hideyuki

Granted Patent

US 7,814,119 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/189
CPC Class Codes

G06F 21/6254   by anonymising data, e.g. d...

H04L 2209/42   Anonymization, e.g. involvi...

H04L 2209/56   Financial cryptography, e.g...

H04L 9/3273   for mutual authentication n...

Control of data linkability

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

61 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Control of data linkability

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

61 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links