To allow the police and/or the like to deal promptly with reports called in from mobile phones, legislation has been proposed that requires each mobile phone to include a function of identifying the current position of the mobile phone. Along with such a proposal, mobile phones with a built-in global positioning system (GPS) have become widespread. Meanwhile, the third-generation mobile communication network has made connection from a mobile phone to the Internet easier.
With this technical background, various services that use the Internet and acquire position information, on condition that the GPS function is always activated as a standby application, have been introduced in recent years. Examples of such services include what are called life stream services or life log services (hereinafter collectively referred to as “life stream services”), in which a series of information having position information is shared with other people as an activity history of the user.
In life stream services, the receiver of information needs to re-identify the provider of the information (i.e., sender). This is because the receiver needs to verify that a plurality of pieces of information provided by a certain user are all provided by the same user. Meanwhile, from a viewpoint of ensuring privacy, a sender of an individual piece of information to be shared must be anonymized.
Hence, in such services, identification information other than personal information, such as a handle name, is typically used to identify the sender of information. Anonymization refers to making information that can identify the sender (i.e., personal information) unknown to anyone. In addition, information whose sender is anonymous is referred to as “anonymized information.”
Meanwhile, applying life stream services to various services or systems used for health management or disease monitoring has been attracting attention. Some examples of such services and systems include a lifestyle improvement application service provider (ASP) service, a health management system for seniors, an active mass meter, and a sphygmomanometer with a communication function.
For example, medical information, i.e., the medical records of patients, is conventionally stored by each medical institution. In addition, there is a system in which electronic medical charts formed by computerizing the medical information indicating medical records of patients, such as electronic medical records (EMRs), are shared by a plurality of medical institutions on a network. Such a system, however, has not prevailed because of the necessity of significant investment.
In contrast, as an application to health enhancement, disease prevention, and medical treatment, introduction of a personal health record (PHR) is expected in which individuals collect, record, and use their physical information, activity information, medical treatment information, prescription information, and the like.
The application of the above-described life stream services to PHRs allows a medical institution to easily acquire physical information, activity information, and the like in addition to the medical information on users stored in each medical institution and thus to know the lifestyles of the users. Furthermore, applying the above-described life stream services to PHRs enables individuals to manage health management information while associating it with information indicating where they have run as training, and also to share part of the information with friends or make part of the information publicly available.
However, anyone who accesses the information can search for and access information about the vicinity of a position where he or she was present and find information of other persons about incidents that happened in that vicinity. Thus, depending on the situation, the anonymity of the sender of anonymized information may be lost through the position information and/or the like of the anonymized information.
For example, let us suppose that a certain user finds information posted in a life stream service by someone and indicating that he or she is at a certain bus stop at a specific time after the user and a resident in the neighborhood stayed together at the certain bus stop at the specific time. In this case, the user identifies the person who posted the information as the resident who stayed together with the user at the certain bus stop at the specific time.
Such a situation can be prevented if the sender of the anonymized information modifies or deletes anonymized information according to the situation. Thus, it is preferable that the sender of anonymized information can perform a process on its anonymized information even after the anonymized information has been shared, and can substantially put its anonymized information under the control of the sender.
In this respect, a technique that is disclosed in PTL 1 and that enables the sender of anonymized information to continuously manage the anonymized information may be applied to the life stream service.
FIG. 1 is a block diagram showing a configuration of an anonymized information sharing apparatus disclosed in PTL 1.
As shown in FIG. 1, anonymized information sharing apparatus 10 includes personal ID storage section 11 and anonymization number generating section 12. Personal ID storage section 11 acquires the personal ID number used for identifying the sender of anonymized information, and anonymization number generating section 12 applies a uni-directional function to the personal ID number to create an anonymization number.
Anonymized information sharing apparatus 10 manages a correspondence table in which pieces of anonymized information are associated with respective anonymization numbers. Anonymized information sharing apparatus 10 allows correspondence table discarding section 13 to discard the correspondence table when deemed necessary. Upon receiving a personal ID and a request for executing a predetermined process about anonymized information, anonymized information sharing apparatus 10 allows anonymization number generating section 12 to recreate the anonymization number from the received personal ID. Then, anonymized information sharing apparatus 10 performs the requested process on the anonymized information associated with the recreated anonymization number.
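The flow described above, as an added sketch that is not taken from PTL 1 or from this document: SHA-256 stands in for the uni-directional function as an assumption, and the class, method names, actions and sample IDs are hypothetical.

```python
import hashlib

def anonymization_number(personal_id: str) -> str:
    # Assumption: SHA-256 stands in for the "uni-directional function".
    return hashlib.sha256(personal_id.encode("utf-8")).hexdigest()

class AnonymizedStore:
    """Hypothetical model of the sharing apparatus; it never stores a personal ID."""

    def __init__(self):
        # Correspondence table: anonymization number -> pieces of anonymized information.
        self.table = {}

    def share(self, personal_id, info):
        number = anonymization_number(personal_id)
        self.table.setdefault(number, []).append(info)
        return number

    def request(self, personal_id, action, index=None, new_info=None):
        # Recreate the number from the presented personal ID, then act on its entries.
        number = anonymization_number(personal_id)
        entries = self.table.get(number)
        if entries is None:
            return False  # nothing was shared under this personal ID
        if action == "delete_all":
            del self.table[number]
            return True
        if action == "modify" and index is not None and 0 <= index < len(entries):
            entries[index] = new_info
            return True
        return False  # unknown action or bad index

def demo():
    store = AnonymizedStore()
    # Constructed sample data.
    store.share("ID-0001", {"pos": "bus stop A", "time": "08:15"})
    store.share("ID-0001", {"pos": "park B", "time": "18:40"})
    store.share("ID-0002", {"pos": "station C", "time": "09:00"})
    leaked = any("ID-" in key for key in store.table)  # personal IDs are not keys
    coarsened = store.request("ID-0001", "modify", 0,
                              {"pos": "district A", "time": "morning"})
    wrong_id = store.request("ID-9999", "delete_all")  # no matching number
    deleted = store.request("ID-0002", "delete_all")
    return leaked, coarsened, wrong_id, deleted, len(store.table)

if __name__ == "__main__":
    print(demo())
```

In this sketch the personal ID is the only thing that authorizes a request, and an unkeyed hash over a small or guessable ID space can be enumerated by whoever holds the table, so a real design would need high-entropy IDs or a keyed function.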
With this configuration, in the case where the anonymized information has been shared by other apparatuses, anonymized information sharing apparatus 10 can allow a sender of anonymized information to continuously manage the anonymized information while maintaining the anonymity of the anonymized information against apparatuses other than the sender and the recipient of the anonymized information.