JP7493087B1 - Information processing device and information processing method - Google Patents

Abstract

[Problem] To provide an information processing device and an information processing method that prevent user information that has not been anonymized during the process of collecting user information from leaking. [Solution] An information processing device (1) has a generating unit (132) that generates a first noise-adding query for adding noise to a first data group such that noise is added with a predetermined probability to a plurality of data included in an integrated data group when a first data group and a second data group are integrated to form an integrated data group, a second noise-adding query for adding noise to a second data group, a first irreversible conversion query that is a query for irreversibly converting a plurality of data identification information included in the first data group, and a second irreversible conversion query that is a query for irreversibly converting a plurality of data identification information included in the second data group, and a transmitting unit (133) that transmits the first noise-adding query and the first irreversible conversion query to a first device (2) and transmits the second noise-adding query and the second irreversible conversion query to a second device (3). [Selected Figure] FIG.

Description

The present invention relates to an information processing device and an information processing method.

Conventionally, user information, which is information about users, is collected from multiple businesses and data analysis is performed. In this case, in order to protect the privacy of users, at least a portion of the user information collected from the multiple businesses is anonymized. For example, Patent Literature 1 discloses a system that performs irreversible conversion or the like on data that serves as a combining key for combining multiple pieces of user information, combines personal information of users corresponding to each of the multiple businesses using the converted combining key, and performs additional anonymization processing on the combined data.

JP 2021-117679 A

Conventional technology involves collecting user information from multiple businesses before anonymizing it, so there is a risk that unanonymized user information may be leaked during the process of collecting the user information.

The present invention has been made in consideration of these points, and aims to prevent the leakage of user information that has not been anonymized during the process of collecting user information.

The information processing device according to the first aspect of the present invention includes a first generation unit that generates a first noise-adding query, which is a query for adding noise to each of the plurality of first data included in a first data group including a plurality of first records associating first data with data identification information for identifying data, and a second data group including a plurality of second records associating the data identification information with second data, in a case where the first data group and the second data group are integrated to form an integrated data group, a first irreversible conversion query, which is a query for irreversibly converting the plurality of data identification information included in the first data group by a predetermined method; a second generation unit that generates a second noise-adding query, which is a query for adding noise to each of the plurality of second data included in the second data group, in a case where the first data group and the second data group are integrated to form an integrated data group, a second irreversible conversion query, which is a query for irreversibly converting the plurality of data identification information included in the second data group by the predetermined method; The data acquisition unit includes a transmission unit that transmits the first noise-added query and the first irreversible conversion query to a first device corresponding to a provider of the first data group, and transmits the second noise-added query and the second irreversible conversion query generated by the second generation unit to a second device corresponding to a provider of the second data group; a converted first data group including a plurality of first records that associate the data identification information converted based on the first irreversible conversion query with a plurality of first data to which noise has been added based on the first noise-added query; and a converted second data group including a plurality of second records that associate the data identification information converted based on the second irreversible conversion query with a plurality of second data to which noise has been added based on the second noise-added query; and an integration unit that generates the integrated data group by integrating the converted first data group and the converted second data group based on the data identification information of each of the plurality of first records included in the converted first data group acquired by the data group acquisition unit and the data identification information of each of the plurality of second records included in the converted second data group acquired by the data group acquisition unit.

The first record may include a plurality of first data corresponding to each of n ₁ attributes, the second record may include a plurality of second data corresponding to each of n ₂ attributes, and the plurality of data included in the integrated data group may satisfy ε-local differential privacy where ε is a parameter indicating a strength of privacy, the first generation unit may generate the first noise-added query to add noise when noise is added to the first data of each of the n ₁ attributes, such that the first data of each of the n ₁ attributes to which noise has been added satisfies ε ₁ -local differential privacy (wherein the parameter ε ₁ indicating a strength of privacy is ε ₁ =ε/(n ₁ +n ₂ )), and the second generation unit may generate the second noise-added query to add noise when noise is added to the second data of each of the n ₂ attributes, such that the second data of each of the n ₂ attributes to which noise has been added satisfies ε ₂ -local differential privacy (wherein the parameter ε ₂ indicating a strength of privacy is ε ₂ =ε/(n ₁ +n ₂ )).

The data identification information may include k data groups (where k is an integer equal to or greater than 3) associated with the data identification information, and the kth generation unit may generate a kth noise-adding query, which is a query for adding noise to each of a plurality of kth data included in the kth data group such that noise is added to a plurality of data included in the integrated data group with a predetermined probability when the k data groups are integrated into the integrated data group, and a kth irreversible conversion query, which is a query for irreversibly converting the plurality of data identification information included in the kth data group by a predetermined method, wherein the kth record included in the kth data group includes a plurality of kth data corresponding to each of n _k attributes, and the _kth generation unit may generate the kth noise-adding query for adding noise such that, when noise is added to the kth data of each of the n _k attributes, the kth data of each of the n k attributes to which noise has been added satisfies ε _k -local differential privacy (wherein a parameter ε _k indicating the strength of privacy is ε _k = ε/(n ₁ + n ₂ + ... + n _k )).

The information processing device may include a determination unit that acquires first item information indicating items corresponding to each of a plurality of attributes constituting the first record from the first device, and acquires second item information indicating items corresponding to each of a plurality of attributes constituting the second record from the second device, identifies _n1 being the number of attributes corresponding to the first data based on the acquired first item information, identifies _n2 being the number of attributes corresponding to the second data based on the acquired second item information, and determines a first parameter _ε1 and a second parameter _ε2 indicating a strength of privacy in local differential privacy satisfied by the first data and the second data after noise has been added, based on the identified numbers of attributes _n1 and _n2 .

At least one of the first generation unit and the second generation unit may reduce the number of possible values of data corresponding to at least one attribute among a plurality of data corresponding to each of a plurality of attributes included in a data group, and after reducing the number of possible values of the data, generate the noise-added query that adds the noise to each of the plurality of data.

The first generation unit may generate a first update query, which is a query that updates the converted first data group by replacing the first data included in the first record included in the converted first data group with the first data included in another first record at a first ratio, and the second generation unit may generate a second update query, which is a query that updates the converted second data group by replacing the second data included in the second record included in the converted second data group with the second data included in another second record at a second ratio, and the transmission unit may transmit the first update query generated by the first generation unit to the first device and transmit the second update query generated by the second generation unit to the second device.

The information processing device may have an update unit that updates the integrated data set by replacing data included in records included in the integrated data set with data included in other records at a third ratio.

The first generation unit may generate the first irreversible conversion query by adding random data to each of the plurality of pieces of data identification information included in the first data group and then performing irreversible conversion using the predetermined method, and the second generation unit may generate the second irreversible conversion query by adding random data that is the same as the random data added to the data identification information included in the first data group and corresponds to the data identification information, to each of the plurality of pieces of data identification information included in the second data group and then performing irreversible conversion using the predetermined method.

The integration unit may further process the integrated data group to generate statistical data, and may correct the statistical data to remove the noise using the predetermined probability used to add the noise.

The first data group and the second data group may include identification data that can be used to identify a newly added record, and when regenerating the first irreversible conversion query, the first generation unit may generate the first noise-adding query that adds the noise to the newly added first record based on the identification data, and when regenerating the second irreversible conversion query, the second generation unit may generate the second noise-adding query that adds the noise to the newly added second record based on the identification data.

The integration unit may integrate the converted first data group and the converted second data group based on the data identification information of each of a plurality of first records included in the converted first data group and the data identification information of each of a plurality of second records included in the converted second data group, and may generate the integrated data group by excluding the data identification information.

An information processing method according to a second aspect of the present invention includes a step of generating, executed by an information processing device, a first noise-adding query, which is a query for adding noise to each of the plurality of first data included in a first data group including a plurality of first records associating data identification information for identifying data with first data, and a second data group including a plurality of second records associating the data identification information with second data, in a case where the first data group and the second data group are integrated to form an integrated data group, so that noise is added to the plurality of data included in the integrated data group with a predetermined probability, and a first irreversible conversion query, which is a query for irreversibly converting the plurality of data identification information included in the first data group by a predetermined method; a second noise-adding query, which is a query for adding noise to each of the plurality of second data included in the second data group such that noise is added to the plurality of data included in the integrated data group with the predetermined probability; and a second irreversible conversion query, which is a query for irreversibly converting the plurality of data identification information included in the second data group by the predetermined method. a step of generating a first noise-added query and a first irreversible conversion query; a step of transmitting the generated first noise-added query and the generated first irreversible conversion query to a first device corresponding to a provider of the first data group, and a step of transmitting the generated second noise-added query and the generated second irreversible conversion query to a second device corresponding to a provider of the second data group; a step of acquiring a converted first data group including a plurality of first records associating the data identification information converted based on the first irreversible conversion query with a plurality of first data to which noise has been added based on the first noise-added query, and a converted second data group including a plurality of second records associating the data identification information converted based on the second irreversible conversion query with a plurality of second data to which noise has been added based on the second noise-added query; and a step of generating the integrated data group by integrating the converted first data group and the converted second data group based on the data identification information of each of the plurality of first records included in the acquired converted first data group and the data identification information of each of the plurality of second records included in the acquired converted second data group.

The present invention has the effect of preventing the leakage of user information that has not been anonymized during the process of collecting user information.

FIG. 1 is a diagram illustrating an overview of an information processing system. FIG. 2 is a diagram illustrating a functional configuration of an information processing device. FIG. 4 is a diagram showing an example of a first data group and a second data group. 11A and 11B are diagrams illustrating an example of a first data group after conversion and a second data group after conversion. FIG. 13 is a diagram illustrating an example of an integrated data group. 11 is a sequence diagram showing a processing flow up to when the information processing device generates an integrated data group. FIG.

[Overview of Information Processing System S]
1 is a diagram illustrating an overview of an information processing system S. The information processing system S includes an information processing device 1, a first device 2 that manages a first data group, and a second device 3 that manages a second data group, and is a system that generates an integrated data group by integrating the first data group and the second data group after anonymizing user information included in the first data group and the second data group.

The information processing device 1 is operated by an aggregator that provides a service of aggregating data and providing the aggregated data, and is communicatively connected to external devices such as a first device 2 and a second device 3 via a communication network (not shown) such as the Internet or a mobile phone line.

The first device 2 is operated, for example, by a first business operator, and manages a first data group including a plurality of first records that associate the first data with a data ID as data identification information for identifying the data. The second device 3 is operated, for example, by a second business operator, and manages a second data group including a plurality of second records that associate the second data with a data ID common to the data IDs included in the first data group.

The information processing device 1 generates a first noise-adding query that adds noise to each of a plurality of first data included in the first data group, and a first irreversible conversion query that is a query that irreversibly converts a plurality of data IDs included in the first data group by a predetermined method. The first noise-adding query is, for example, a query that adds noise to each of a plurality of first data included in the first data group such that noise is added with a predetermined probability to a plurality of data included in an integrated data group when the first data group and the second data group are integrated into an integrated data group. The query is, for example, a Structured Query Language (SQL) statement that can be executed in a relational database management system.

The information processing device 1 generates a second noise-adding query that adds noise to each of the multiple second data included in the second data group, and a second irreversible conversion query that is a query that irreversibly converts multiple data IDs included in the second data group by a predetermined method. The second noise-adding query, like the first noise-adding query, is a query that adds noise to each of the multiple second data included in the second data group in such a way that when the first data group and the second data group are integrated into an integrated data group, noise is added with a predetermined probability to the multiple data included in the integrated data group.

The information processing device 1 transmits the generated first noise-added query and the first irreversible conversion query to the first device 2, and transmits the generated second noise-added query and the second irreversible conversion query to the second device 3.

The first device 2 executes the first noise-added query and the first irreversible conversion query received from the information processing device 1, and generates a converted first data group including a plurality of first records that associate a data ID converted based on the first irreversible conversion query with a plurality of first data to which noise has been added based on the first noise-added query. The first device 2 transmits the generated converted first data group to the information processing device 1.

The second device 3 executes the second noise-added query and the second irreversible conversion query received from the information processing device 1, and generates a converted second data group including a plurality of second records that associate a data ID converted based on the second irreversible conversion query with a plurality of second data to which noise has been added based on the second noise-added query. The second device 3 transmits the generated converted second data group to the information processing device 1.

In this way, the first device 2 and the second device 3 can each perform anonymization processing on the data group before transmitting the data group to the information processing device 1, so that user information that has not been anonymized can be prevented from leaking during the process of collecting user information.

The information processing device 1 generates an integrated data group by integrating the converted first data group and the converted second data group based on the data IDs of each of the multiple first records included in the converted first data group received from the first device 2 and the data IDs of each of the multiple second records included in the converted second data group received from the second device 3.

The multiple data included in the integrated data group integrated in this way will be given noise with a certain probability. In addition, since the data ID is converted by an irreversible conversion query, it becomes difficult to identify an individual based on the converted data ID. This allows the information processing device 1 to ensure the privacy of user information included in the integrated data.

[Functional configuration of information processing device 1]
Next, a description will be given of the functional configuration of the information processing device 1. FIG.

As shown in FIG. 2 , the information processing device 1 includes a communication unit 11 , a storage unit 12 , and a control unit 13 .
The communication unit 11 is a communication interface for transmitting and receiving data to and from the first device 2, the second device 3, and the like via a communication network.

The storage unit 12 is a storage medium that stores various types of data, and includes a ROM (Read Only Memory), a RAM (Random Access Memory), a hard disk, an SSD (Solid State Drive), and a flash memory. The storage unit 12 stores programs executed by the control unit 13. The storage unit 12 stores programs that cause the control unit 13 to function as a determination unit 131, a generation unit 132, a transmission unit 133, a data group acquisition unit 134, and an integration unit 135.

The control unit 13 is, for example, a CPU (Central Processing Unit). The control unit 13 executes the programs stored in the storage unit 12, thereby functioning as a determination unit 131, a generation unit 132, a transmission unit 133, a data group acquisition unit 134, and an integration unit 135.

Below, the first data group and the second data group will be described in order to explain the functions of the control unit 13. FIG. 3 is a diagram showing an example of the first data group and the second data group. In FIG. 3, (A) shows the first data group, and (B) shows the second data group.

The first data group is a data group managed by the first business operator, and is stored in a database provided in the first device 2 or a database provided in a server accessible to the first device 2. As shown in Fig. 3, the first data group includes a data ID as data identification information for identifying data, and a plurality of first records in which a plurality of first data corresponding to each of the _n1 attributes are associated with each other. The data ID is, for example, a common user ID given to a user by the first business operator and the second business operator.

In the example shown in FIG. 3, the first data group is a data group that associates sales at a store operated by a first business operator with the age of the user, and includes first data for the items "age," "product category groceries," "product category daily necessities," and "purchase ranking" that correspond to each of a plurality of attributes. The first data group represents one table or a table generated by concatenating a plurality of tables, but is not limited to this and may be a view that references one or more tables.

The second data group is a data group managed by the second business operator, and is stored in a database provided in the second device 3 or a database provided in a server accessible to the second device 3. As shown in FIG. 3, the second data group includes a plurality of second records in which a data ID as data identification information for identifying data is associated with a plurality of second data corresponding to each of n ₂ attributes. In the example shown in FIG. 3, the second data group is a data group in which the user's age is associated with a visit history to a facility, and includes second data of the items "gender", "visited location supermarket", and "visited location park" corresponding to each of the multiple attributes. The second data group indicates one table or a table generated by linking multiple tables, but is not limited to this, and may be a view that references one or more tables.

The first data group and the second data group contain information about the same user, and the data ID of the same user is common in the first data group and the second data group. This makes it possible to link a first record included in the first data group and a second record included in the second data group using the data ID as a key.

Next, the functions of the control unit 13 will be described.
The determination unit 131 determines the probability that noise will be added to the first data group and the probability that noise will be added to the second data group, so that noise is added with a predetermined probability to multiple data included in the integrated data group obtained by integrating the first data group and the second data group.

The determination unit 131 determines a first parameter ε ₁ and a second parameter ε ₂ that indicate the strength of privacy in local differential privacy satisfied by the first data and the second data after noise is added.

When the determination unit 131 determines the first parameter ε ₁ and the second parameter ε ₂ , local differential privacy will be described. First, an arbitrary data pair in a certain data group is assumed to be x1 and x2. Then, when a function that randomly adds noise to data x is assumed to be R(x) and its output is assumed to be y, when the following formula (1) is established, the function R is defined as satisfying local differential privacy.

Here, Pr[ ] is a random variable. Also, e is the natural logarithm, and ε is a parameter indicating the strength of privacy. Also, local differential privacy with privacy strength of ε is called ε-local differential privacy.

The following is an example of data processing that satisfies ε-local differential privacy. For example, if data x can take k values, data y is output for input of data x based on the following formula (2).

The determination unit 131 acquires from the first device 2 first item information indicating items corresponding to each of the multiple attributes constituting the first record, and acquires from the second device 3 second item information indicating items corresponding to each of the multiple attributes constituting the second record. The item information is information indicating items to be included in the integrated data from the multiple items included in the first record. In the example shown in FIG. 3, the determination unit 131 acquires first item information indicating four items, namely "age," "product category groceries," "product category daily necessities," and "purchase ranking." The determination unit 131 also acquires first item information indicating three items, namely "gender," "visited location supermarket," and "visited location park."

The determination unit 131 specifies n ₁ , which is the number of attributes corresponding to the first data, based on the acquired first item information, and specifies n ₂ , which is the number of attributes corresponding to the second data, based on the acquired second item information. The sum of n ₁ , which is the number of attributes corresponding to the first data, and n ₂ , which is the number of attributes corresponding to the second data, is the number of attributes included in the integrated data group. The determination unit 131 determines a first parameter ε ₁ and a second parameter ε ₂ indicating the strength of privacy in local differential privacy satisfied by the first data and the second data of each of the multiple attributes after noise is added, based on the identified numbers of attributes n 1 and n _2. For example, the determination unit 131 determines the first parameter ε ₁ and the second parameter ε ₂ so that (ε/n ₁ +n ₂ )-local differential privacy is applied to each data of the multiple attributes, as shown in the following formula ( ₃ ).

As a result, the integrated data set obtained by aggregating data of n ₁ +n ₂ attributes to which (ε/n ₁ +n ₂ )-local differential privacy has been applied satisfies ε-local differential privacy.

The generation unit 132 functions as a first generation unit and generates a first noise-added query. The first noise-added query is a query that adds noise to each of the multiple first data included in the first data group such that when the first data group and the second data group are integrated into an integrated data group, noise is added with a predetermined probability to the multiple data included in the integrated data group. The predetermined probability is the probability that ε-local differential privacy is satisfied, and is determined by a parameter ε indicating the strength of privacy. For example, the predetermined probability is calculated using formula (2). As shown in formula (2), the smaller ε is, the higher the probability that data x is converted to another value.

For example, when noise is added to the first data of each of the n ₁ attributes indicated by the first item information, the generating unit 132 generates a first noise-added query for adding noise to the first data of each of the n ₁ attributes to which noise is added such that the first data satisfies ε ₁ -local differential privacy, where ε ₁ is the first parameter determined by the determining unit 131.

The generating unit 132 also generates a first irreversible conversion query, which is a query that irreversibly converts data IDs, which are multiple pieces of data identification information included in the first data group, using a predetermined method. The predetermined method is, for example, a method of irreversibly converting the data IDs using a hash function, but is not limited to this, and any other method that allows irreversible conversion may be used.

Furthermore, the generating unit 132 functions as a second generating unit and generates a second noise-added query. The second noise-added query is a query that adds noise to each of the multiple second data included in the second data group such that noise is added to the multiple data included in the integrated data group with a predetermined probability. For example, when noise is added to the second data of each of the n ₂ attributes indicated by the second item information, the generating unit 132 generates a second noise-added query that adds noise to each of the n ₂ attributes to which noise is added such that the second data satisfies ε ₂ -local differential privacy. Here, ε ₂ is the second parameter determined by the determining unit 131.

The generation unit 132 also generates a second irreversible conversion query, which is a query that irreversibly converts multiple data IDs included in the second data group using a predetermined method, similar to the first irreversible conversion query.

The generation unit 132 may generate a noise-added query that adds noise to each of the multiple data items by reducing the number of possible values of data corresponding to at least one attribute among the multiple data items corresponding to each of the multiple attributes included in the first data group and the second data group, and adding noise to each of the multiple data items after reducing the number of possible values of the data. For example, when data items having an attribute of "age" indicate the actual ages of multiple users, the generation unit 132 generates a noise-added query that includes a process of reducing the possible values of the data items by changing the data items to data indicating an age group, such as "teens" or "twenties." In this way, the privacy of the user can be improved.

The generation unit 132 may also generate a first irreversible conversion query that adds random data to each of a plurality of data IDs included in the first data group and then performs irreversible conversion using a predetermined method, and generate a second irreversible conversion query that adds random data that is the same as the random data added to the data ID included in the first data group and that corresponds to the data ID, to each of a plurality of data IDs included in the second data group and then performs irreversible conversion using a predetermined method. In this way, the information processing device 1 can reduce the risk that the converted data ID will be decoded into the data ID before conversion.

The generating unit 132 may also generate a first update query, which is a query that updates the converted first data group by replacing the first data included in a first record included in the converted first data group with the first data included in another first record at a first ratio. The generating unit 132 may also generate a second update query, which is a query that updates the converted second data group by replacing the second data included in a second record included in the converted second data group with the second data included in another second record at a second ratio.

Here, the first rate and the second rate may be the same or different. Furthermore, the first rate and the second rate may be changed depending on the number of values that the data can take. For example, when the number of values that the data can take is large, the rate at which the data is replaced may be increased.

In addition, after the integrated data group is generated by the integration unit 135 described below, new records may be added to each of the first data group and the second data group, and generation of an integrated data group with the new records added may be requested. When noise is added multiple times to all of the first data groups and all of the second data groups, multiple variations of data groups corresponding to the same data group are generated. In this case, by analyzing the multiple variations of data groups, it becomes easier to guess the contents of the data group before anonymization, which causes a problem of increased privacy risks such as increased user identifiability. In response to this, the generation unit 132 may generate a noise-added query that adds noise only to the newly added records.

In this case, the first data group and the second data group contain identification data that can be used to identify the newly added record. The identification data is, for example, date data indicating a date, or a flag indicating whether the record is included in the integrated data. When regenerating the first irreversible conversion query, the generation unit 132 generates a first noise-adding query that adds noise to the newly added first record based on the identification data, and when regenerating the second irreversible conversion query, the generation unit 132 generates a second noise-adding query that adds noise to the newly added second record based on the identification data. In this way, the information processing device 1 can suppress an increase in privacy risk when providing an integrated data group.

The transmission unit 133 transmits the first noise-added query and the first irreversible conversion query generated by the generation unit 132 to the first device 2 corresponding to the provider of the first data group. The transmission unit 133 also transmits the second noise-added query and the second irreversible conversion query generated by the generation unit 132 to the second device 3 corresponding to the provider of the second data group. The transmission unit 133 transmits the first noise-added query and the first irreversible conversion query to the first device 2, for example, via an Internet VPN (Virtual Private Network) provided by a first cloud service that is provided between the information processing device 1 and the first device 2 in advance. Similarly, the transmission unit 133 transmits the second noise-added query and the second irreversible conversion query to the second device 3, for example, via a second VPN that is provided between the information processing device 1 and the second device 3 in advance.

In addition, when the generation unit 132 generates a first update query and a second update query, the transmission unit 133 transmits the first update query to the first device 2 and transmits the second update query to the second device 3.

The first device 2 executes the query received from the information processing device 1 to generate a converted first data group including a plurality of first records that associate a converted data ID as data identification information converted from a data ID based on the first irreversible conversion query with a plurality of first data to which noise has been added based on the first noise-adding query. For example, when the first device 2 receives a first update query from the information processing device 1, the first device 2 executes the first update query before adding noise to the plurality of first data based on the first noise-adding query. After that, the first device 2 transmits the converted first data group to the information processing device 1, for example, via the first VPN. Note that a device different from the first device 2 may transmit the converted first data group to the information processing device 1.

The second device 3 executes the second noise-adding query and the second irreversible conversion query received from the information processing device 1 to generate a converted second data group including a plurality of second records that associate a converted data ID as data identification information converted from a data ID based on the second irreversible conversion query with a plurality of second data to which noise has been added based on the second noise-adding query. For example, when the second device 3 receives a second update query from the information processing device 1, the second device 3 executes the second update query before adding noise to the plurality of second data based on the second noise-adding query. After that, the second device 3 transmits the converted second data group to the information processing device 1, for example, via the second VPN. Note that a device different from the second device 3 may transmit the converted second data group to the information processing device 1.

The data group acquisition unit 134 acquires the converted first data group and the converted second data group. For example, the data group acquisition unit 134 acquires the converted first data group and the converted second data group by receiving the converted first data group transmitted from the first device 2 and the converted second data group transmitted from the second device 3.

Figure 4 is a diagram showing an example of a first data group after conversion and a second data group after conversion. In Figure 4, (A) shows the first data group after conversion, and (B) shows the second data group after conversion. Also, in Figure 4, it can be seen that the same data ID contained in the first data group and the second data group has been converted into the same character string. Also, in Figure 4, it can be seen that the data surrounded by cells with a bold frame has been converted.

The integration unit 135 generates an integrated data group by integrating the converted first data group and the converted second data group based on the data IDs (converted data IDs) of the first records included in the converted first data group acquired by the data group acquisition unit 134 and the data IDs (converted data IDs) of the second records included in the converted second data group acquired by the data group acquisition unit 134. Specifically, the integration unit 135 generates an integrated data group by combining the first data group and the second data group using the converted data ID as a key. FIG. 5 is a diagram showing an example of an integrated data group. As shown in FIG. 5, it can be seen that the first data and the second data associated with the converted data IDs included in both the first data group and the second data group are associated.

The integrating unit 135 generated an integrated data group including the converted data ID, the converted first data group, and the converted second data group, but this is not limited to the above. The integrating unit 135 may integrate the converted first data group and the converted second data group based on the data IDs of each of the multiple first records included in the converted first data group and the data IDs of each of the multiple second records included in the converted second data group, and may generate an integrated data group by excluding the data IDs. In this way, the integrated data does not include the data IDs, and therefore it is possible to reduce the risk that the first record and the second record will be restored from the integrated data based on the data IDs.

The integration unit 135 may further process the generated integrated data group to generate statistical data. The integration unit 135 may then perform correction to remove noise from the generated statistical data using a predetermined probability used to add noise. For example, when calculating a statistical value using the integrated data, the integration unit 135 statistically corrects the statistical value using at least one of the values of privacy strength parameters ε, ε ₁ , and ε ₂ to remove the influence of the noise added to the first data group and the second data group.

For example, let P be the transition matrix when adding noise to data of a certain attribute contained in the integrated data, and let p _i,j be the elements contained in the transition matrix P. p _i,j indicates the probability that the value i of a certain attribute randomly transitions to the value j, and is determined, for example, using an equation in which x is replaced with i and y is replaced with j in the above-mentioned equation (2). The integration unit 135 corrects the distribution Q=(q ₁ , ..., q _d ) ^T of a certain attribute obtained by processing the integrated data to a distribution Q' using the transition matrix P and the following equation (4).

Here, when data of a certain attribute is included in the first data group, a first parameter ε ₁ is applied to ε included in formula (2), and when data of a certain attribute is included in the second data group, a second parameter ε ₂ is applied to ε included in formula (2) to configure the transition matrix P. Also, when only ε is known, the first parameter ε ₁ and the second parameter ε ₂ are derived using formula (3), and the transition matrix P is similarly configured. In this way, the information processing device 1 can generate statistical data that is highly likely to correspond to the first data group and the second data group before noise is added.

The integrated data group integrated by the integration unit 135 may be transmitted by the transmission unit 133 to the first device 2 and the second device 3. In this manner, the first business operator can perform data analysis based on the second data collected by the second business operator, and the second business operator can perform data analysis based on the first data collected by the first business operator.

[Operation sequence]
Next, a description will be given of the flow of processing related to the information processing device 1. Fig. 6 is a sequence diagram showing the flow of processing up to when the information processing device 1 generates an integrated data group.

First, the determination unit 131 acquires from the first device 2 first item information indicating items corresponding to each of the multiple attributes constituting the first record (S1), and acquires from the second device 3 second item information indicating items corresponding to each of the multiple attributes constituting the second record (S2).

Next, the determination unit 131 identifies the number of attributes corresponding to the data based on the acquired first item information and the acquired second item information (S3). Specifically, the determination unit 131 identifies the number _n1 of attributes corresponding to the first data and the number _n2 of attributes corresponding to the second data. Then, based on the identified numbers _n1 and _n2 of attributes, the determination unit 131 determines a first parameter _ε1 and a second parameter _ε2 indicating the strength of privacy in local differential privacy satisfied by the first data and the second data for each of the multiple attributes after noise is added (S4).

Next, the generating unit 132 generates a first noise-added query, a second noise-added query, a first irreversible conversion query, and a second irreversible conversion query (S5). The generating unit 132 generates the first noise-added query based on the acquired first item information and the first parameter ε ₁ determined by the determining unit 131, and generates the second noise-added query based on the acquired second item information and the second parameter ε ₂ determined by the determining unit 131. The generating unit 132 also generates a first irreversible conversion query that irreversibly converts a data ID included in the first data, and a second irreversible conversion query that irreversibly converts a data ID included in the second data.

Then, the transmission unit 133 transmits the first noise-added query and the first irreversible conversion query to the first device 2 (S6), and transmits the second noise-added query and the second irreversible conversion query to the second device 3 (S7).

The first device 2 generates a converted first data group by executing the query received from the information processing device 1 (S8). The second device 3 generates a converted second data group by executing the query received from the information processing device 1 (S9). The first device 2 transmits the converted first data group to the information processing device 1 (S10), and the second device 3 transmits the converted second data group to the information processing device 1 (S11). The data group acquisition unit 134 receives the converted first data group transmitted from the first device 2, and receives the converted second data group transmitted from the second device 3.

The integration unit 135 generates an integrated data group by integrating the converted first data group and the converted second data group based on the converted data IDs of each of the multiple first records included in the converted first data group received by the data group acquisition unit 134 and the converted data IDs of each of the multiple second records included in the converted second data group acquired by the data group acquisition unit 134 (S12).

[Modification 1]
In the above embodiment, the information processing device 1 generates two noise-added queries and two lossy conversion queries corresponding to the first data group and the second data group, but this is not limited to the above. The information processing device 1 may generate noise-added queries and lossy conversion queries corresponding to three or more data groups.

For example, there are k data groups (where k is an integer greater than or equal to 3) associated with a data ID as data identification information, and the kth record included in the kth data group includes multiple kth data corresponding to each of the n _k attributes.

In this case, the generating unit 132 functions as a kth generating unit, and generates a kth noise-added query, which is a query for adding noise to each of the kth data included in the kth data group, such that noise is added to the multiple data included in the integrated data group with a predetermined probability when the k data groups are integrated into an integrated data group, and a kth irreversible conversion query, which is a query for irreversibly converting the multiple data identification information included in the kth data group by a predetermined method.Then, the generating unit 132 generates a kth noise-added query for adding noise to each of the kth data of the n _k attributes to which noise is added, such that the kth data of each of the n _k attributes to which noise is added satisfies ε _k -local differential privacy when noise is added to the kth data of each of the n k attributes.Here, the parameter ε _k indicating the strength of privacy is ε _k = ε/(n ₁ + n ₂ + ... + n _k ).

The generating unit 132 also generates a k-th irreversible conversion query, which is a query for irreversibly converting multiple users included in the k-th data group using a predetermined method. The transmitting unit 133 transmits the generated k-th noise-added query and the k-th irreversible conversion query to the k-th device.

The data group acquisition unit 134 acquires the converted k-th data group from the k-th device, and the integration unit 135 generates an integrated data group by combining k data groups based on the data identification information of each of the multiple k-th records included in the converted k-th data group acquired by the data group acquisition unit 134. In this way, the information processing device 1 can generate integrated data that satisfies ε-local differential privacy even when there are three or more data groups.

[Modification 2]
In the above embodiment, the generation unit 132 generates a first update query for replacing the first data included in a first record included in the converted first data group with the first data included in another first record, and a second update query for replacing the second data included in a second record included in the converted second data group with the second data included in another second record, and the first device 2 executes the first update query and the second device 3 executes the second update query, but this is not limited to the above. The information processing device 1 may execute the data replacement.

In this case, the control unit 13 has an update unit that updates the integrated data group by replacing data included in records included in the integrated data group with data included in other records at a third ratio. For example, the update unit updates the integrated data group by replacing a portion of data corresponding to each of a plurality of items included in records included in the integrated data group with data of the same item as the portion of data included in other records at a third ratio.

The update unit may also update the converted first data group by replacing the first data included in the first record included in the converted first data group acquired by the data group acquisition unit 134 with the first data included in the other first records at a first ratio, and update the converted second data group by replacing the second data included in the second record included in the converted second data group acquired by the data group acquisition unit 134 with the second data included in the other second records at a second ratio. For example, the update unit updates the converted first data group and the converted second data group by executing the first update query and the second update query generated by the generation unit 132. Then, the integration unit 135 generates integrated data by integrating the updated first data group and the updated second data group. In this way, the information processing device 1 can reduce the load associated with the conversion of the data groups in the first device 2 and the second device 3.

[Effects of information processing device 1]
As described above, the information processing device 1 of this embodiment generates a first noise-adding query that adds noise to the first data group so that noise is added with a predetermined probability to multiple data included in the integrated data group when the first data group and the second data group are integrated to form an integrated data group, a second noise-adding query that adds noise to the second data group, a first irreversible conversion query that is a query that irreversibly converts multiple pieces of data identification information included in the first data group, and a second irreversible conversion query that is a query that irreversibly converts multiple pieces of data identification information included in the second data group, and transmits the first noise-adding query and the first irreversible conversion query to the first device 2, and transmits the second noise-adding query and the second irreversible conversion query to the second device 3. Then, the information processing device 1 acquires a converted first data group including a plurality of first records in which the data identification information converted based on the first irreversible conversion query is associated with a plurality of first data to which noise is added based on the first noise-adding query, and a converted second data group including a plurality of second records in which the data identification information converted based on the second irreversible conversion query is associated with a plurality of second data to which noise is added based on the second noise-adding query, and integrates these data groups based on the data identification information included in these data groups, and generates an integrated data group by excluding the data identification information. In this way, the information processing device 1 can prevent user information that has not been anonymized from leaking during the process of collecting user information.

Furthermore, this invention will make it possible to contribute to Goal 9 of the United Nations' Sustainable Development Goals (SDGs), which is "Build resilient infrastructure, promote inclusive and sustainable industrialization, and promote innovation and infrastructure."

Although the present invention has been described above using embodiments, the technical scope of the present invention is not limited to the scope described in the above embodiments, and various modifications and changes are possible within the scope of the gist of the invention. For example, all or part of the device can be configured by distributing or integrating functionally or physically in any unit. In addition, new embodiments resulting from any combination of multiple embodiments are also included in the embodiments of the present invention. The effect of the new embodiment resulting from the combination also has the effect of the original embodiment.

Reference Signs List 1 Information processing device 2 First device 3 Second device 11 Communication unit 12 Storage unit 13 Control unit 131 Determination unit 132 Generation unit 133 Transmission unit 134 Data group acquisition unit 135 Integration unit S Information processing system

Claims (12)

a first generating unit that generates a first noise-adding query for each of a plurality of first data included in a first data group including a plurality of first records associating first data with data identification information for identifying data and a second data group including a plurality of second records associating the data identification information with second data; the first noise-adding query is a query for adding noise to a plurality of data included in the integrated data group by integrating the first data group and the second data group into an integrated data group such that noise is added with a predetermined probability to the plurality of data included in the integrated data group; and a first irreversible conversion query is a query for irreversibly converting a plurality of the data identification information included in the first data group by a predetermined method;
a second generation unit that generates a second noise-adding query, which is a query for adding noise to each of the plurality of second data included in the second data group in such a manner that noise is added to the plurality of data included in the integrated data group with the predetermined probability, and a second irreversible conversion query, which is a query for irreversibly converting the plurality of data identification information included in the second data group by the predetermined method;
a transmission unit that transmits the first noise-added query and the first irreversible conversion query generated by the first generation unit to a first device corresponding to a provider of the first data group, and transmits the second noise-added query and the second irreversible conversion query generated by the second generation unit to a second device corresponding to a provider of the second data group;
a data group acquiring unit that acquires a converted first data group including a plurality of first records that associate the data identification information converted based on the first irreversible conversion query with a plurality of first data to which noise has been added based on the first noise-adding query, and a converted second data group including a plurality of second records that associate the data identification information converted based on the second irreversible conversion query with a plurality of second data to which noise has been added based on the second noise-adding query;
an integration unit that generates an integrated data group by integrating the converted first data group and the converted second data group based on the data identification information of each of a plurality of first records included in the converted first data group acquired by the data group acquisition unit and the data identification information of each of a plurality of second records included in the converted second data group acquired by the data group acquisition unit;
An information processing device having the above configuration. the first record includes a plurality of first data corresponding to each of the n1 attributes;
the second record includes a plurality of second data corresponding to each of the n2 attributes;
The plurality of data included in the integrated data group satisfies ε-local differential privacy, where ε is a parameter indicating the strength of privacy,
the first generation unit generates the first noise-added query for adding noise such that, when noise is added to the first data of each of the n1 attributes, the first data of each of the n1 attributes to which noise has been added satisfies ε1-local differential privacy (wherein a parameter ε1 indicating a strength of privacy is ε1=ε/(n1+n2));
the second generation unit generates the second noise-added query for adding noise such that, when noise is added to the second data of each of the n2 attributes, the second data of each of the n2 attributes to which noise has been added satisfies ε2-local differential privacy (wherein a parameter ε2 indicating a strength of privacy is ε2=ε/(n1+n2));
The information processing device according to claim 1 . There are k data groups associated with the data identification information (where k is an integer of 3 or more);
The kth generation unit generates a kth noise-adding query, which is a query for adding noise to each of the kth data included in the kth data group so that noise is added to the multiple data included in the integrated data group with a predetermined probability when the k data groups are integrated to form the integrated data group, and a kth irreversible conversion query, which is a query for irreversibly converting the multiple pieces of data identification information included in the kth data group by a predetermined method;
a k-th record included in the k-th data group includes a plurality of k-th data corresponding to n k attributes,
The k generation unit generates the k noise-added query for adding noise such that, when noise is added to the k-th data of each of the n k attributes, the k-th data of each of the n k attributes to which noise has been added satisfies ε k -local differential privacy (wherein a parameter ε k indicating the strength of privacy is ε k = ε / (n 1 + n 2 + ... + n k )).
The information processing device according to claim 2 . a determination unit that obtains from the first device first item information indicating items corresponding to each of a plurality of attributes constituting the first record, and obtains from the second device second item information indicating items corresponding to each of a plurality of attributes constituting the second record, identifies n1, which is the number of attributes corresponding to the first data, based on the obtained first item information, identifies n2, which is the number of attributes corresponding to the second data, based on the obtained second item information, and determines a first parameter ε1 and a second parameter ε2 indicating a strength of privacy in local differential privacy satisfied by the first data and the second data after noise has been added, based on the identified numbers of attributes n1 and n2;
The information processing device according to claim 2 . At least one of the first noise-adding query and the second noise-adding query is a query that reduces a number of possible values of data corresponding to at least one attribute among a plurality of data corresponding to each of a plurality of attributes included in a data group to which noise is added, and adds the noise to each of the plurality of data after reducing the number of possible values of the data .
The information processing device according to claim 1 . the first generation unit generates a first update query that is a query that updates the first data group after the conversion by replacing first data included in the first record included in the first data group after the conversion with the first data included in another first record at a first ratio;
the second generation unit generates a second update query that is a query that updates the converted second data group by replacing second data included in the second records included in the converted second data group with the second data included in other second records at a second ratio;
The transmission unit transmits the first update query generated by the first generation unit to the first device, and transmits the second update query generated by the second generation unit to the second device.
The information processing device according to claim 1 . an updating unit that updates the integrated data set by replacing data included in records included in the integrated data set with data included in other records at a third ratio;
The information processing device according to claim 1 . the first generation unit generates the first irreversible conversion query by adding random data to each of the plurality of pieces of data identification information included in the first data group and then performing irreversible conversion using the predetermined method;
the second generation unit generates the second irreversible conversion query by performing irreversible conversion using the predetermined method after adding random data that is the same as the random data added to the data identification information included in the first data group and that corresponds to the data identification information, to each of the plurality of data identification information included in the second data group.
The information processing device according to claim 1 . the integration unit further processes the integrated data group to generate statistical data, and corrects the statistical data to remove the noise using the predetermined probability used to impart the noise.
The information processing device according to claim 1 . the first data group and the second data group include identification data that can be used to identify a newly added record;
When regenerating the first irreversible conversion query, the first generation unit generates the first noise-added query that adds the noise to a newly added first record based on the identification data;
When regenerating the second irreversible conversion query, the second generation unit generates the second noise-added query that adds the noise to a newly added second record based on the identification data.
The information processing device according to claim 1 . the integrating unit integrates the converted first data group and the converted second data group based on the data identification information of each of a plurality of first records included in the converted first data group and the data identification information of each of a plurality of second records included in the converted second data group, and generates the integrated data group by excluding the data identification information.
The information processing device according to claim 1 . Executed by the information processing device,
a step of generating a first noise-adding query for each of a plurality of first data included in a first data group including a plurality of first records associating first data with data identification information for identifying data and a second data group including a plurality of second records associating the data identification information with second data, the first data group being one of the first data group and the second data group being one of the second data groups, the first noise-adding query being a query for adding noise to the plurality of data included in the integrated data group by integrating the first data group and the second data group into an integrated data group such that noise is added with a predetermined probability to the plurality of data included in the integrated data group, and a first irreversible conversion query being a query for irreversibly converting the plurality of data identification information included in the first data group by a predetermined method;
generating a second noise-adding query that is a query for adding noise to each of the plurality of second data included in the second data group in such a manner that noise is added to the plurality of data included in the integrated data group with the predetermined probability, and a second irreversible conversion query that is a query for irreversibly converting the plurality of data identification information included in the second data group by the predetermined method;
transmitting the generated first noise-added query and the generated first lossy conversion query to a first device corresponding to a provider of the first data group, and transmitting the generated second noise-added query and the generated second lossy conversion query to a second device corresponding to a provider of the second data group;
acquiring a converted first data group including a plurality of first records associating the data identification information converted based on the first irreversible conversion query with a plurality of first data to which noise has been added based on the first noise-adding query, and acquiring a converted second data group including a plurality of second records associating the data identification information converted based on the second irreversible conversion query with a plurality of second data to which noise has been added based on the second noise-adding query;
generating an integrated data group by integrating the converted first data group and the converted second data group based on the data identification information of each of a plurality of first records included in the acquired converted first data group and the data identification information of each of a plurality of second records included in the acquired converted second data group;
An information processing method comprising the steps of:

Images