Control of data linkability

US 7,814,119 B2
Filed: 03/16/2005
Issued: 10/12/2010
Est. Priority Date: 03/19/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A method of controlling linkability of a personal database and an anonymity database in a personal data management server, the personal database for storing individual data of a user in accordance with a personal ID as a key, and the anonymity database for storing data of the same user in accordance with an anonymous ID as a key,the personal data management server responding to a request to retrieve data from the personal database by the personal ID as a key;

andthe personal data management server responding to a request to retrieve data from the anonymity database by the anonymous ID as a key and maintaining the anonymous ID, the method comprising;

the personal data management server, in response to a request for retrieving data of the user from the personal database and the anonymity database by a present said anonymous ID taken as a present anonymous ID serving as a key, inquiring of a client apparatus about a personal ID corresponding to the present anonymous ID of the user,the personal data management server receiving the personal ID corresponding to the present anonymous ID and another anonymous ID for replacing the present anonymous ID from the client apparatus,the personal data management server retrieving data from the personal database according to the receiving personal ID and data from the anonymity database according to the present anonymous ID to respond to the retrieving request by the present anonymous ID as a key, andthe personal data management server replacing the present anonymous ID with the another anonymous ID after the responding, so as to keep correspondence between the personal ID and the anonymous ID secret; and

wherein the personal data management server includes an anonymous ID management server,wherein the method comprising;

the client apparatus generating and sending the another anonymous ID for the replacing operation,the personal data management server registering the received anonymous ID in the anonymity database if the anonymous ID does not overlap an existing anonymous ID, or not registering the received anonymous ID in the anonymity database if the anonymous ID overlaps an existing anonymous ID,the personal data management server sending a result indication of one of success and failure of the registration,if receiving the indication of success, the client apparatus sending the personal ID to the personal data management server, andif receiving the indication of failure, the client apparatus repeating the generation and sending one more another anonymous ID for the replacing operation and a receipt of the result,the client apparatus generating the anonymous ID by using a hash function that accepts the personal ID and a random number as input data, andthe client apparatus generating, if receiving the indication of failure, another random number and the one more another anonymous ID for the replacing operation.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In the conventional technique for mainly performing access control, an entity (an individual) which provides information cannot grasp a state of use of personal information. In the conventional technique for encrypting stored data, a decryption key is always required when personal data is used and the personal data is not protected once decrypted. The invention constitute a system such that a purchase history is collected according to an anonymous ID and a response from a member card or an agent server is required for operation for associating the anonymous ID with a personal ID. Personal data itself is not encrypted but stored in a plain text with the personal ID and the anonymous ID as keys such that the anonymous ID is regenerated every time the anonymous ID is associated with the personal ID on a server side. At this point, the anonymous ID serving as a collection key for the purchase history, which is accumulated concurrently, is also regenerated.

21 Citations

View as Search Results

7 Claims

1. A method of controlling linkability of a personal database and an anonymity database in a personal data management server, the personal database for storing individual data of a user in accordance with a personal ID as a key, and the anonymity database for storing data of the same user in accordance with an anonymous ID as a key,the personal data management server responding to a request to retrieve data from the personal database by the personal ID as a key;
- andthe personal data management server responding to a request to retrieve data from the anonymity database by the anonymous ID as a key and maintaining the anonymous ID, the method comprising;
  
  the personal data management server, in response to a request for retrieving data of the user from the personal database and the anonymity database by a present said anonymous ID taken as a present anonymous ID serving as a key, inquiring of a client apparatus about a personal ID corresponding to the present anonymous ID of the user,the personal data management server receiving the personal ID corresponding to the present anonymous ID and another anonymous ID for replacing the present anonymous ID from the client apparatus,the personal data management server retrieving data from the personal database according to the receiving personal ID and data from the anonymity database according to the present anonymous ID to respond to the retrieving request by the present anonymous ID as a key, andthe personal data management server replacing the present anonymous ID with the another anonymous ID after the responding, so as to keep correspondence between the personal ID and the anonymous ID secret; and
  
  wherein the personal data management server includes an anonymous ID management server,wherein the method comprising;
  
  the client apparatus generating and sending the another anonymous ID for the replacing operation,the personal data management server registering the received anonymous ID in the anonymity database if the anonymous ID does not overlap an existing anonymous ID, or not registering the received anonymous ID in the anonymity database if the anonymous ID overlaps an existing anonymous ID,the personal data management server sending a result indication of one of success and failure of the registration,if receiving the indication of success, the client apparatus sending the personal ID to the personal data management server, andif receiving the indication of failure, the client apparatus repeating the generation and sending one more another anonymous ID for the replacing operation and a receipt of the result,the client apparatus generating the anonymous ID by using a hash function that accepts the personal ID and a random number as input data, andthe client apparatus generating, if receiving the indication of failure, another random number and the one more another anonymous ID for the replacing operation.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. A method of controlling data linkability according to claim 1,wherein data in the anonymity database including at least one set condition for permitting data usage for each anonymous ID, the data relating to an anonymous ID in the anonymity database being specified as a condition for the data usage,wherein the method comprising:
    - the personal data management server receiving a stated purpose of usage with a link request, andthe personal data management server inquiring of the client apparatus for the personal ID and the another anonymous ID, if the stated purpose satisfies the condition relating to the present anonymous ID.
  - 3. A method of controlling data linkability according to claim 1,wherein the method comprising:
    - the personal data management server sending the stated purpose of usage to the client apparatus when inquiring about the personal ID of the user of the client apparatus to the client apparatus using the present anonymous ID,the client apparatus checking whether the stated purpose received is permitted or not for the client apparatus, andthe client apparatus responding to the inquiring if the purpose is permitted.
  - 4. A method of controlling data linkability according to claim 2,wherein the method comprising:
    - the personal data management server receiving the present anonymous ID when coupling to the client apparatus andthe personal data management server checking whether the stated purpose of usage is permitted or not.
  - 5. A method of controlling data linkability according to claim 1,wherein the personal data management server includes a plurality of anonymity databases,wherein the method comprising:
    - the personal data management server receiving, in response to a link request, the personal ID and a plurality of present anonymous IDs and a plurality of anonymous IDs for replacing,the personal data management server responding to the link request based on the personal ID and the plurality of present anonymous IDs, andthe personal data management server replacing, after responding, the plurality of present anonymous IDs with the received plurality of anonymous IDs for replacing.
  - 6. A method of controlling data linkability according to claim 1,wherein the method comprising:
    - the personal data management server accumulating electronic data with the anonymous ID as a key, the electronic data being able to be collated with personal data to identify a specific individual.

7. A method of controlling data linkability in a personal data management server that includes a personal database for storing individual data in accordance with a personal ID as a key, an anonymity database for storing data in accordance with a anonymous ID as a key, a personal ID database, an anonymous ID database, a data response means and an anonymous ID regeneration history database,wherein the method for controlling data linkability comprises:
- the personal data management server, in response to a link request to link data having an anonymous ID as a key and individual data having the personal ID as a key, both of the data relating to a user for obtaining a personal ID of the user, inquiring about the personal ID of a user using a present said anonymous ID as a present anonymous ID,the personal data management server retrieving data from the personal database according to the personal ID and data from the anonymity database according to the present anonymous ID, for responding to the link request,the personal data management server replacing the present anonymous ID with another anonymous ID after the response,the personal data management server storing the present anonymous ID and the another anonymous ID as a pair of anonymous IDs, into the anonymous ID regeneration history database, andthe personal data management server searching the anonymous ID regeneration history database for retrieving the pair of the anonymous IDs according to an anonymous ID of a client apparatus of the user coupling to the personal data management server,sending the retrieving anonymous ID to the client apparatus, andthe client apparatus replacing the stored anonymous ID with received anonymous ID for replacement; and
  
  wherein the personal data management server includes an anonymous ID management server,wherein the method comprising;
  
  the client apparatus generating and sending the another anonymous ID for the replacing operation,the personal data management server registering the received anonymous ID in the anonymity database if the anonymous ID does not overlap an existing anonymous ID, or not registering the received anonymous ID in the anonymity database if the anonymous ID overlaps an existing anonymous ID,the personal data management server sending a result indication of one of success and failure of the registration,if receiving the indication of success, the client apparatus sending the personal ID to the personal data management server, andif receiving the indication of failure, the client apparatus repeating the generation and sending one more another anonymous ID for the replacing operation and a receipt of the result,the client apparatus generating the anonymous ID by using a hash function that accepts the personal ID and a random number as input data, andthe client apparatus generating, if receiving the indication of failure, another random number and the one more another anonymous ID for the replacing operation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hitachi, Ltd.
Original Assignee
Hitachi, Ltd.
Inventors
Sato, Yoshinori, Fukumoto, Takashi, Morita, Toyohisa, Maki, Hideyuki
Primary Examiner(s)
STACE, BRENT S

Application Number

US11/080,641
Publication Number

US 20050283621A1
Time in Patent Office

2,036 Days
Field of Search

707/1, 707/9, 707/781, 707/705, 726 2- 5, 709/203, 709/201
US Class Current

707/781
CPC Class Codes

G06F 21/6254   by anonymising data, e.g. d...

H04L 2209/42   Anonymization, e.g. involvi...

H04L 2209/56   Financial cryptography, e.g...

H04L 9/3273   for mutual authentication n...

Control of data linkability

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

21 Citations

7 Claims

Specification

Use Cases

Quick Links

Others

Control of data linkability

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

7 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others