1. Field of the Invention
The present invention relates to techniques for controlling disclosure of trace data related to a moving object. More particularly, the present invention relates to a technique enabling a server computer connected to data provider systems to control disclosure of trace data related to a moving object.
2. Description of Related Art
In vehicle-to-any (V2X) (including vehicle-to-vehicle (V2V), vehicle-to-roadside (V2R), and vehicle-to-infrastructure (V2I)) communication systems, a data aggregator system is responsible for aggregating data into records, where each data provider system collects such data from vehicles or people. The data aggregator system is also responsible for providing the aggregated data to service provider systems. Entities who own the rights to the collected data can be owners of the vehicles, drivers of the vehicles, or managers who are associated with the vehicles. The collected data and the aggregated records can be used for identifying individuals, behaviors of the individuals, or interests of the individuals. Accordingly, to protect personal information, the data aggregator system has to be controlled such that the collected data or the aggregated records are selectively disclosed to the service provider systems under appropriate management.
Xu, T. and Cai, Y., “Exploring Historical Location Data for Anonymity Preservation in Location-Based Services,” INFOCOM 2008, The 27th IEEE Conference on Computer Communications, pp. 547-555, 13-18 Apr. 2008, discloses location information that is depersonalized by ensuring that each location reported to a location-based service (LBS) is a cloaking area containing K different footprints (i.e., historical locations of different mobile nodes). Xu thus provides that the exact identity and location of a service requestor remain anonymous to the LBS service providers (Abstract).
Gruteser, et al. “Anonymous Usage of Location-Based Services Through Spatial and Temporal Cloaking,” In Proceedings of the 1st international conference on Mobile systems, applications and services (MobiSys '03). ACM, New York, N.Y., USA, 31-42 (2003) discloses a middleware architecture and algorithms that can be used by a centralized location broker service, and further discloses that the adaptive algorithms adjust the resolution of location information along spatial or temporal dimensions in order to meet anonymity constraints that are specified on the basis of the entities who can be using location services within a given area (Abstract).
Kashima, “Chapter 16: Private Data Analysis via Output Perturbation,” in Aggarwal & Yu (Eds.), Privacy-Preserving Data Mining, The University of Tokyo, Department of Mathematical Informatics, 2007, describes preservation of data privacy via output perturbation and introduces the concept of differential privacy.
Japanese Unexamined Patent Application Publication No. 2007-219636 describes a data disclosure method carried out by a data disclosure apparatus that manages data including privacy information. In the data disclosure method, the data disclosure apparatus holds one or more pieces of data, each of which is composed of one or more attributes, calculates the anonymity level that would be preserved if a specific attribute of the data were disclosed, changes the granularity of the data of the specific attribute if the calculated anonymity level does not reach a desired anonymity level, and discloses the data of the specific attribute so that an anonymity level higher than or equal to the desired threshold is maintained (Claim 1).
Japanese Unexamined Patent Application Publication No. 2007-219635 describes an information anonymizing method carried out by a personal-information operations management apparatus that manages information operations (Claim 1). The method includes the steps of: (1) storing each piece of information as one or more pairs of an attribute and an attribute value; (2) statistically calculating an anonymity level that indicates how easily the attribute value of an attribute to be kept anonymous can be identified if that attribute is disclosed; (3) selecting an attribute whose anonymity level is higher than a preset anonymity threshold; and (4) disclosing the selected attribute and the attribute value of the selected attribute (Claim 1).
Japanese Unexamined Patent Application Publication No. 2009-278632 describes a method of diluting precise location information of a target device. The method includes the steps of: converting a measured latitude arc value of the precise location into a linear distance; rounding the linear distance to a predetermined linear precision to obtain an adjusted linear distance value; converting the adjusted linear distance value into an adjusted latitude arc value; determining a measured longitude linear distance corresponding to the adjusted latitude arc value; rounding the measured longitude linear distance to a second predetermined linear precision to obtain an adjusted measured longitude linear distance; converting the adjusted measured longitude linear distance into an adjusted longitude arc value; and transmitting the adjusted latitude arc value and the adjusted longitude arc value to a requesting entity (Paragraph 0008).
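The dilution procedure summarised above, written out as an added example that is not code from the publication; it assumes a spherical Earth with a fixed mean radius (an approximation), the meridian and parallel arc-to-distance conversions that follow from it, and a constructed sample coordinate. Note that the longitude distance is measured along the parallel of the *adjusted* latitude, as the steps require, so both displacements stay within half of the respective precision.

```python
import math

EARTH_RADIUS_M = 6_371_000.0  # assumed mean Earth radius; a spherical model is an approximation


def lat_deg_to_linear_m(lat_deg: float) -> float:
    """Latitude arc value -> linear distance along the meridian (step 1)."""
    return math.radians(lat_deg) * EARTH_RADIUS_M


def linear_m_to_lat_deg(dist_m: float) -> float:
    """Linear meridian distance -> latitude arc value (step 3)."""
    return math.degrees(dist_m / EARTH_RADIUS_M)


def parallel_radius_m(lat_deg: float) -> float:
    """Radius of the parallel at a given latitude; shrinks towards the poles."""
    return EARTH_RADIUS_M * math.cos(math.radians(lat_deg))


def lon_deg_to_linear_m(lon_deg: float, at_lat_deg: float) -> float:
    """Longitude arc value -> linear distance along the parallel at at_lat_deg (step 4)."""
    return math.radians(lon_deg) * parallel_radius_m(at_lat_deg)


def round_to_precision(value_m: float, precision_m: float) -> float:
    """Snap a linear distance to the nearest multiple of the precision (steps 2 and 5)."""
    if precision_m <= 0:
        raise ValueError("linear precision must be positive")
    return round(value_m / precision_m) * precision_m


def dilute_location(lat_deg: float, lon_deg: float,
                    lat_precision_m: float, lon_precision_m: float) -> tuple[float, float]:
    """Return (adjusted latitude, adjusted longitude) in degrees, following the six steps."""
    lat_lin_adj = round_to_precision(lat_deg_to_linear_m(lat_deg), lat_precision_m)
    lat_adj = linear_m_to_lat_deg(lat_lin_adj)
    if abs(lat_adj) >= 90.0:
        # At the poles the parallel degenerates to a point; longitude is meaningless.
        raise ValueError("adjusted latitude reached a pole; longitude cannot be diluted")
    # The longitude distance is measured on the parallel of the *adjusted* latitude.
    lon_lin = lon_deg_to_linear_m(lon_deg, lat_adj)
    lon_lin_adj = round_to_precision(lon_lin, lon_precision_m)
    lon_adj = math.degrees(lon_lin_adj / parallel_radius_m(lat_adj))
    return lat_adj, lon_adj


if __name__ == "__main__":
    # Constructed sample coordinate (near Tokyo Station), diluted to a 1 km grid.
    print(dilute_location(35.681236, 139.767125, 1000.0, 1000.0))
```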
Japanese Unexamined Patent Application Publication No. 2005-99944 provides a privacy-information protection method for use when various services are provided to those who use privacy information. The method includes the steps of: (1) managing the privacy information and a privacy preference in an integrated fashion as a privacy capsule, where the privacy preference defines a condition for disclosing the privacy information to the outside; (2) comparing a privacy policy with the corresponding privacy preference, where the privacy preference defines a usage condition for a user of the privacy information; (3) permitting the use of the privacy information within the privacy capsule if the privacy policy satisfies the condition of the privacy preference; and (4) preventing leakage of the privacy information to the outside of the privacy capsule, whereby the privacy information is concealed from the outside of the privacy capsule (Claim 1).