In recent years, electronic value (hereinafter simply referred to as “value”), such as electronic money or electronic tickets, has come to be stored and used in mobile phones and various other terminal devices, and to be transferred or exchanged between terminal devices.
Methods of enabling this sort of transfer or exchange of the value between the terminal devices are classified into those that use a server or the like and those based on a direct process between the terminal devices. This specification explains the latter method, based on a direct process between the terminal devices.
A system that transfers the value directly between the terminal devices, without mediation by a server or the like, is composed of a recording medium which stores data (value) and a storage unit which temporarily stores data in the process of transfer, and operates as described below (see Patent Document 1, for example).
First, when communication starts between the terminal devices, each of a data source terminal device and a destination terminal device preliminarily makes a copy of the initial state of its own recording medium into a temporary storage unit, and discards the copy stored in the temporary storage unit if the transfer successfully completes. On the other hand, if communication failure occurs in the process of transfer, the copy stored in the temporary storage unit is written back to the recording medium, to thereby recover the state before the transfer.
In general, in data transfer or exchange between the terminal devices, it is important to avoid any unexpected state such as duplication or loss of data between both terminal devices, even if communication failures should occur. According to the technique described in Patent Document 1, data in the recording medium before being transferred is preliminarily stored in the temporary storage unit, and is written back to the recording medium if communication failure should occur, so as to avoid any unexpected duplication or loss of data.
The method described in Patent Document 1 is, however, not perfect in the following respect. Assume, for example, that a communication failure occurs immediately after an “addition completion notification” is issued. According to the method described in Patent Document 1, the device on the sending side, not having received the “addition completion notification” from the device on the receiving side, judges in “checking completion of addition over a predetermined duration of time” that some abnormality has occurred, and then executes recovery.
However, in the method described in Patent Document 1, the device on the receiving side has already received “an erasure completion notification” from the device on the sending side, before issuing the “addition completion notification”, and erroneously assumes that the transfer has successfully completed, in “checking completion of erasure over a predetermined duration of time”. As a consequence, the data is duplicated in both of the devices on the sending side and the receiving side.
In the method described in Patent Document 1, there may also be a case where the erasure completion notification and the addition completion notification are issued in reverse order, that is, a case where the erasure completion notification is issued after the addition completion notification has been issued. In this case, if a communication failure occurs, for example, immediately after the erasure completion notification is issued, the data is erased in the device on the server side on the assumption that the transfer completed normally, while recovery is executed in the device on the client side on the assumption that some abnormality has occurred. As a result, the data resides neither in the device on the server side nor in the device on the client side; that is, the data is lost.
To solve this problem, one possible method is, when an abnormality occurs in either the device on the server side or the device on the client side, to temporarily interrupt the process in the state in which the abnormality occurred and to restart the interrupted process after the devices are re-connected, rather than immediately recovering the state of the value (data) before the process as described above.
This method of recovery will be explained referring to FIG. 30. FIG. 30 illustrates a process in which value deletion and value addition are executed by the server side terminal and the client side terminal, respectively, and each terminal decides the value changes and completes the transfer after receiving a notification from the opposite party (details of value deletion and value addition are not illustrated) (steps S201, S202, S211, S212 in FIG. 30).
If a communication failure occurs at e1 or e2 and a terminal cannot receive the notification, both terminal devices are re-connected to recover the communication, and the succeeding process is executed (steps S203, S204, S213, S214 in FIG. 30). The value in the terminal device that failed to receive the notification is locked and remains unavailable until the communication is recovered and the process is completed.
The method of recovery described above cannot, however, be adopted successfully in an environment where the two terminal devices are not always guaranteed to re-connect after a communication failure. Assume, for example, that two distant users are transferring electronic money through a network using their respective terminal devices, and that a communication failure happens to occur at e1 in FIG. 30. The client side terminal may remain unaware of the communication failure because the electronic money has been received successfully, and may therefore not re-connect with the server side terminal. The electronic money in the server side terminal may therefore remain locked, to the disadvantage of the user of the server side terminal.
Moreover, in this case, even if an attempt is made to forcibly recover the locked value, typically by bringing the server side terminal to a service supplier, either by cancelling the value changes so as to restore the state before the transfer or by deciding the changes, such recovery is not possible, since it is unknown whether or not the changes have been committed by the client side terminal.
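The failure cases described above, for both the write-back scheme of Patent Document 1 and the lock-until-re-connection method of FIG. 30, can be enumerated with a small model. This is an added example, not code from the patent or from Patent Document 1; the function names, state labels and the single-value simplification are assumptions made for illustration.

```python
# Added illustration; not code from the patent or from Patent Document 1.
# Toy model with hypothetical names: one value, two notifications, and a
# link that fails after `delivered` notifications have arrived.
ORDERS = {
    "erasure-first": ("erasure", "addition"),   # order the text discusses first
    "addition-first": ("addition", "erasure"),  # the reversed order
}

def transfer(order, delivered, policy):
    """Return (sender_state, receiver_state): "has", "empty" or "locked".

    policy "write-back": a side that times out restores its temporary copy.
    policy "lock": a side that times out keeps the value locked until the
    terminals re-connect.
    """
    arrived = set(order[:delivered])
    on_timeout = {"write-back": ("has", "empty"), "lock": ("locked", "locked")}[policy]
    # The sender waits for "addition"; the receiver waits for "erasure".
    sender = "empty" if "addition" in arrived else on_timeout[0]
    receiver = "has" if "erasure" in arrived else on_timeout[1]
    return sender, receiver

def outcome(order, delivered):
    """Classify a write-back run by how many usable copies remain."""
    copies = transfer(order, delivered, "write-back").count("has")
    return ("lost", "consistent", "duplicated")[copies]

def peer_states_behind_lock(order):
    """Receiver states that can coexist with a locked sender."""
    runs = (transfer(order, n, "lock") for n in range(len(order) + 1))
    return {receiver for sender, receiver in runs if sender == "locked"}

if __name__ == "__main__":
    for name, order in ORDERS.items():
        for n in range(3):
            print(f"write-back {name:14} delivered={n}: {outcome(order, n)}")
    # A locked sender cannot tell whether the receiver already committed.
    print("lock: receiver may be", sorted(peer_states_behind_lock(ORDERS["erasure-first"])))
```

In the model, losing only the last notification is the one failure point that breaks consistency under write-back, and under locking the sending terminal's state is identical whether the receiving terminal has committed or is itself still locked.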
Another possible approach, from the viewpoint of security or the like, is to re-write the value recorded in the recording medium using a server, rather than using a terminal device alone as described above. An exemplary operation of a system that carries out value transfer or exchange between the terminal devices using a server in this way will be explained referring to FIG. 31. In this example, an electronic ticket stored in a terminal 210 is transferred to a terminal 220, and electronic money stored in the terminal 220 is moved to the terminal 210.
First, communication starts between the terminals 210, 220, data representing the contents of the exchange to be started (exchange of the electronic ticket in the terminal 210 and the electronic money in the terminal 220) is exchanged [(a) in FIG. 31], and the contents of recording media 211, 221 are locked so that they cannot be changed by anything other than a server 230.
Next, when the terminal 210 establishes connection through a public wireless network 200 to the server 230 and sends the data to the server 230, the server 230 performs authentication between itself and the recording medium 211, and moves the electronic ticket to the server 230 [(b) in FIG. 31]. The terminal 220 likewise moves the electronic money to the server 230 [(c) in FIG. 31], in the same manner as described above.
When both terminals 210, 220 have established connection to the server 230 and finished moving the data to be exchanged to the server 230, the server 230 sends a message, typically by E-mail, to the individual terminals 210, 220. Upon reception of the message, the terminal 210 establishes connection to the server 230 again, and the server 230 performs authentication between itself and the recording medium 211, moves the electronic money to the recording medium 211 [(d) in FIG. 31], and unlocks the recording medium 211. With respect to the terminal 220 as well, the server 230 moves the electronic ticket to the recording medium 221 in the same manner as described above [(e) in FIG. 31] and unlocks the recording medium 221. By the process described above, the electronic value exchange between the terminals 210, 220 completes.
In the procedure (b) or (c) in FIG. 31, if one of the terminals 210, 220 has established connection with the server 230 but the other terminal does not establish connection with the server 230 within a predetermined length of time thereafter, the server 230 assumes that the exchange was cancelled, returns the value to the terminal which established connection earlier, and unlocks the recording medium. The length of time before the cancellation is judged may be a predetermined value in one method, or may be decided by negotiation between the terminals when the first communication is established between them in another method.
In the methods described in the above, exchange of the value does not complete until each of both terminals 210, 220 respectively moves the value to the server 230. Therefore, the values may not become inconsistent with each other, even if communication failure should occur in the process of exchange.
The method described above, however, suffers from complexity of procedures, since the user who moved the value to the server has to wait until the process in the terminal of the opposite party completes.
Moreover, the above-described method cannot smoothly complete the exchange unless the users on both sides are cooperative. For example, in a case where one terminal 210 has established connection to the server 230 but the other terminal 220 does not immediately establish connection to the server 230, the recording medium 211 of the terminal 210 is locked, and the user therefore cannot use other services.
As another example, in a case where an electronic ticket with an expiration date is exchanged, the user may suffer a disadvantage if the terminal of the opposite party never establishes connection to the server and the exchange is cancelled after the expiration date has passed, or immediately before the expiration date.
[Patent Document 1] Japanese Laid-Open Patent Publication No. 2001-84177 (FIG. 3, FIG. 4)