Control of data linkability
1 Assignment
0 Petitions
Abstract
In conventional techniques that mainly perform access control, the entity (an individual) that provides information cannot see how its personal information is being used. In conventional techniques that encrypt stored data, a decryption key is required every time the personal data is used, and the data is no longer protected once decrypted. The invention constitutes a system in which a purchase history is collected under an anonymous ID, and associating the anonymous ID with a personal ID requires a response from a member card or an agent server. The personal data itself is not encrypted; it is stored in plain text keyed by the personal ID and by the anonymous ID, and the anonymous ID is regenerated every time it is associated with the personal ID on the server side. At that point the anonymous ID serving as the collection key for the concurrently accumulated purchase history is also regenerated.
21 Citations
7 Claims
1. A method of controlling linkability of a personal database and an anonymity database in a personal data management server, the personal database for storing individual data of a user in accordance with a personal ID as a key, and the anonymity database for storing data of the same user in accordance with an anonymous ID as a key,

the personal data management server responding to a request to retrieve data from the personal database by the personal ID as a key; and

the personal data management server responding to a request to retrieve data from the anonymity database by the anonymous ID as a key and maintaining the anonymous ID, the method comprising:

the personal data management server, in response to a request for retrieving data of the user from the personal database and the anonymity database by a present said anonymous ID, taken as a present anonymous ID serving as a key, inquiring of a client apparatus about a personal ID corresponding to the present anonymous ID of the user;

the personal data management server receiving from the client apparatus the personal ID corresponding to the present anonymous ID and another anonymous ID for replacing the present anonymous ID;

the personal data management server retrieving data from the personal database according to the received personal ID and data from the anonymity database according to the present anonymous ID, to respond to the retrieving request by the present anonymous ID as a key; and

the personal data management server replacing the present anonymous ID with the another anonymous ID after the responding, so as to keep the correspondence between the personal ID and the anonymous ID secret;

wherein the personal data management server includes an anonymous ID management server, and wherein the method comprises:

the client apparatus generating and sending the another anonymous ID for the replacing operation;

the personal data management server registering the received anonymous ID in the anonymity database if the anonymous ID does not overlap an existing anonymous ID, or not registering the received anonymous ID in the anonymity database if the anonymous ID overlaps an existing anonymous ID;

the personal data management server sending a result indication of one of success and failure of the registration;

if receiving the indication of success, the client apparatus sending the personal ID to the personal data management server, and if receiving the indication of failure, the client apparatus repeating the generation and sending of one more another anonymous ID for the replacing operation and the receipt of the result;

the client apparatus generating the anonymous ID by using a hash function that accepts the personal ID and a random number as input data; and

the client apparatus generating, if receiving the indication of failure, another random number and the one more another anonymous ID for the replacing operation.

Dependent claims 2, 3, 4, 5 and 6 are not reproduced on this page.
7. A method of controlling data linkability in a personal data management server that includes a personal database for storing individual data in accordance with a personal ID as a key, an anonymity database for storing data in accordance with an anonymous ID as a key, a personal ID database, an anonymous ID database, a data response means and an anonymous ID regeneration history database,

wherein the method for controlling data linkability comprises:

the personal data management server, in response to a link request to link data having an anonymous ID as a key and individual data having the personal ID as a key, both of the data relating to a user, for obtaining a personal ID of the user, inquiring about the personal ID of the user using a present said anonymous ID as a present anonymous ID;

the personal data management server retrieving data from the personal database according to the personal ID and data from the anonymity database according to the present anonymous ID, for responding to the link request;

the personal data management server replacing the present anonymous ID with another anonymous ID after the response;

the personal data management server storing the present anonymous ID and the another anonymous ID, as a pair of anonymous IDs, into the anonymous ID regeneration history database; and

the personal data management server searching the anonymous ID regeneration history database for the pair of anonymous IDs according to an anonymous ID of a client apparatus of the user coupling to the personal data management server, sending the retrieved anonymous ID to the client apparatus, and the client apparatus replacing the stored anonymous ID with the received anonymous ID for replacement;

wherein the personal data management server includes an anonymous ID management server, and wherein the method comprises:

the client apparatus generating and sending the another anonymous ID for the replacing operation;

the personal data management server registering the received anonymous ID in the anonymity database if the anonymous ID does not overlap an existing anonymous ID, or not registering the received anonymous ID in the anonymity database if the anonymous ID overlaps an existing anonymous ID;

the personal data management server sending a result indication of one of success and failure of the registration;

if receiving the indication of success, the client apparatus sending the personal ID to the personal data management server, and if receiving the indication of failure, the client apparatus repeating the generation and sending of one more another anonymous ID for the replacing operation and the receipt of the result;

the client apparatus generating the anonymous ID by using a hash function that accepts the personal ID and a random number as input data; and

the client apparatus generating, if receiving the indication of failure, another random number and the one more another anonymous ID for the replacing operation.
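The exchange described in claims 1 and 7 (a client-generated anonymous ID computed as a hash of the personal ID and a random number, a server-side overlap check answered with a success or failure indication, rotation of the anonymous ID after each linking, and a regeneration history used to bring a client that still holds an old ID up to date), simulated in Python as an added example. This is not code from the patent or from its assignee; the class names PersonalDataServer and MemberCard, the choice of SHA-256 with a 16-byte random number, and the in-memory dictionaries standing in for the personal, anonymity and regeneration history databases are assumptions made for the example.

```python
import hashlib
import secrets
from typing import Callable, Dict, List, Tuple

NonceSource = Callable[[int], bytes]


def make_anonymous_id(personal_id: str, nonce: bytes) -> str:
    """Anonymous ID = hash(personal ID, random number), as the claims require.
    SHA-256 is an assumption of this example; the claims only say 'a hash function'."""
    return hashlib.sha256(personal_id.encode("utf-8") + nonce).hexdigest()


class MemberCard:
    """Hypothetical client apparatus (member card or agent server) holding the
    personal ID and the anonymous ID currently in use."""

    def __init__(self, personal_id: str, anon_id: str,
                 nonce_source: NonceSource = secrets.token_bytes) -> None:
        self.personal_id = personal_id
        self.anon_id = anon_id
        self.nonce_source = nonce_source  # injectable so a collision can be forced in a test
        self.attempts = 0                 # registration attempts during the last rotation

    def propose_new_anonymous_id(self, server: "PersonalDataServer",
                                 max_attempts: int = 8) -> str:
        """Send hash(personal ID, random number); on a failure indication draw a new
        random number and send another candidate (claim 1)."""
        self.attempts = 0
        while self.attempts < max_attempts:
            self.attempts += 1
            candidate = make_anonymous_id(self.personal_id, self.nonce_source(16))
            if server.register_anonymous_id(candidate):
                self.anon_id = candidate
                return candidate
        raise RuntimeError("could not register a non-overlapping anonymous ID")

    def reveal_personal_id(self) -> str:
        """Sent only after the server has indicated successful registration."""
        return self.personal_id


class PersonalDataServer:
    """Hypothetical personal data management server; dicts stand in for the databases."""

    def __init__(self) -> None:
        self.personal_db: Dict[str, dict] = {}        # personal ID -> individual data
        self.anonymity_db: Dict[str, List[str]] = {}  # anonymous ID -> purchase history
        self.history_db: List[Tuple[str, str]] = []   # (present ID, replacement ID) pairs

    def enroll(self, personal_id: str, data: dict,
               nonce_source: NonceSource = secrets.token_bytes) -> MemberCard:
        """Store the individual data and issue a card with its first anonymous ID."""
        self.personal_db[personal_id] = dict(data)
        card = MemberCard(personal_id, "", nonce_source)
        card.propose_new_anonymous_id(self)
        return card

    def register_anonymous_id(self, anon_id: str) -> bool:
        """Register the proposed ID only if it does not overlap an existing one; the
        boolean is the success/failure indication sent back to the client."""
        if anon_id in self.anonymity_db:
            return False
        self.anonymity_db[anon_id] = []
        return True

    def record_purchase(self, anon_id: str, item: str) -> None:
        """History is collected under the anonymous ID alone (abstract)."""
        self.anonymity_db[anon_id].append(item)

    def link_request(self, present_anon_id: str, client: MemberCard) -> dict:
        """Answer a request needing both databases for one user, then rotate the ID."""
        if present_anon_id not in self.anonymity_db:
            raise KeyError("unknown anonymous ID")
        # Inquire of the client: it proposes the replacement ID first and reveals the
        # personal ID only after registration succeeded.
        new_anon_id = client.propose_new_anonymous_id(self)
        personal_id = client.reveal_personal_id()
        response = {"personal": dict(self.personal_db[personal_id]),
                    "history": list(self.anonymity_db[present_anon_id])}
        # After responding: move the history under the new key, drop the old key and
        # store the pair in the regeneration history database (claim 7).
        self.anonymity_db[new_anon_id] = self.anonymity_db.pop(present_anon_id)
        self.history_db.append((present_anon_id, new_anon_id))
        return response

    def resync(self, client: MemberCard) -> str:
        """A client coupling with an outdated ID (e.g. an agent server did the linking)
        is sent the current replacement, following the chain of stored pairs."""
        replacements = dict(self.history_db)
        current, seen = client.anon_id, set()
        while current in replacements and current not in seen:
            seen.add(current)
            current = replacements[current]
        client.anon_id = current  # client replaces its stored ID with the received one
        return current
```

Two points the claims leave open matter in practice. The random number must come from a cryptographic source and be long enough that a party holding only the anonymity database cannot brute-force candidate personal IDs against the stored hashes. And because the regeneration history database pairs every retired anonymous ID with its replacement, it links the whole chain of a user's past IDs to the current one; it therefore needs the same protection as the personal database, since reading it undoes the unlinkability the rotation provides.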
Specification