Songs of ANAGURA Missing of Researchers & their remaining Devices


From the materials of the researchers

File.03 Technology for protecting personal information

Whose information is it after all? - Wakaranu

We are developing Wakaranu [Anonymity], a device for protecting people's personal information. At present, we are studying a method of safely using the location information of people obtained in Anagura. When we heard that there were people conducting research on the anonymity of location information in a national project, we went along to hear what they had to say in detail.

(At an office in Kanagawa Prefecture on a certain day in the year 2011)

What can be seen from location information?
Researcher:
I heard that in the Information Grand Voyage Project* you conducted a practical experiment on new services making use of the location information of users in various aspects of daily life. How do you think location information can be used? What can we understand when we collect information from many people?
Kobayashi:
In the Information Grand Voyage Project of the Ministry of Economy, Trade and Industry, we developed a method of safely using the location information of users while paying consideration to privacy, and investigated the effectiveness of services through a practical experiment. Recently mobile phones that can acquire location information have become common. And even in the case of mobile phones that don't have built-in GPS functions, since we know which base station area they are in, we can roughly estimate the user's location. In the practical experiment, by knowing such information not on an individual level but statistically, we were able to understand how people were moving and gathering in each area. Location information that violates the privacy of users is not necessary.
Such macro movement information can be used, for example, for safe urban design that enables people to evacuate smoothly without congestion. Also, at times of disaster, it can be used as basic information to determine how to evacuate, guide, and assist people.
Researcher:
I see. So it can be useful in disaster prevention and safe and secure community building.
Kobayashi:
Furthermore, it can be utilized effectively in daily life as well. The location information of users and the Internet access information on their mobile phones include information about their areas of movement, their lifestyle patterns, restaurants they frequent, and so on. Naturally, there is some information that infringes on privacy, but we conceived a mechanism for the safe use of that information, which we will explain later, and, while protecting privacy, attempted to realize a method of making location information useful for high-value services. In that experiment, with the consent of users, we obtained their GPS location information, analyzed their behavior patterns and tastes, and supplied the most appropriate information to them. For example, when a person who registered a liking for sweet things gets off the train at Jiyugaoka Station, information is delivered to them from a certain sweet store. And from a user's behavior pattern and present location, it can be speculated where they will head for next. By continuously tracing location information, it can be guessed, for example, that a place where the user often goes is a meaningful place for that person and where that person is likely to go next. Such information comes into view.
*The Information Grand Voyage Project is a national project aimed at developing next-generation search and analysis technologies and studying frameworks of related regulations. It was implemented for three years from fiscal 2007 with the participation of industry, government, and academia.
Protecting personal information
Researcher:
In what way did you give consideration to the privacy of location information in your practical experiment?
Kobayashi:
Unless it is necessary, I don't think users want to disclose such information as their address and place of work. And while in some cases people might want to say where they are going in order to get restaurant and shopping information, conversely there will be cases where people do not want to be traced so much. Some people might feel that such information is very private too.
Researcher:
So how can we protect privacy?
Kobayashi:
What we tried in the practical experiment was a mechanism by which users could select the degree of information to be released for, for example, receiving a restaurant information service. If the user does not want to give detailed information about his or her present whereabouts, they can notify the service roughly of their location, so it is difficult to specify where they are. The flip side here is that there is a possibility of restaurants outside walking distance and restaurants outside the user's usual route being recommended. Conversely, if users give pinpoint information of their location, restaurants in that neighborhood will be introduced.
Researcher:
So there is a kind of tradeoff between the information disclosed and the service obtained.
Kobayashi:
What we developed in the practical experiment was a mechanism called "phased opt-in." Using this mechanism, the individual user can determine when and where to disclose information and to what extent. For example, when the user is in an entertainment district, he wants a lot of information, so he sets the highest level of disclosure. But when he goes out of that district, he can select the lowest level. So participants in the experiment were able to get just the right balance by raising and lowering the level. It was like a radar for detecting local information. Users raised and lowered the accuracy according to their own movement.
Techniques for not identifying the individual
Researcher:
How specifically did users go about raising and lowering the disclosure level?
Saji:
In the experiment, we assumed that the user's information would be first of all deposited with a platform operator and transferred from there to a service operator. When the platform operator transfers information to a service operator, it is necessary to appropriately process the information according to the type of information transferred and the receiving party. In lowering the disclosure level, there is a method of processing the information so that the individual and his characteristics cannot be identified. In that case, methods are adopted to obscure personally identifiable information by making it more general or to separate related information. This is a technology for enhancing anonymity.
Researcher:
Can you tell me a little more specifically about the method of enhancing anonymity?
Saji:
Suppose there is a list of members with their ages entered. If there is only one person aged 24 years, for example, the moment someone realizes that a certain 24-year-old acquaintance is a member, that person is identified, isn't he? But if the ages in the list are lumped into units of 10 years, then it is only seen that there are, say, three members in their twenties, and it cannot be known which of those three persons is the member concerned. In this way, the condition when k persons or more have the same attribute is called "k-anonymity," and the processing of information to meet this condition is called "k-anonymization." In this case, the information was processed in order to meet the condition of "3-anonymity."
Researcher:
What happens in the case of location information?
Saji:
There are several methods. For example, when location is shown by an address, you can expand the scope to include other people by leaving the name of the town but deleting the name of the neighborhood. In our practical experiment, we showed location information by latitude and longitude, so the area including the location gradually became larger. As the area became larger, more and more people were included, so anonymity was enhanced. In practice, the area was expanded with regularity not as a circle but as a grid on a map.
Techniques for not identifying attributes
Researcher:
I'm relieved to hear that the risks can be controlled in this way.
Saji:
But that is still not sufficient. For example, if these three people in the list all cite Meguro as their nearest railway station, you still cannot identify the individual, but you know at least that he lives in Meguro, don't you? This happens because there is no variation in the attribute of nearest station. So what we conceived of here was the indicator l-diversity, whereby there is a variation of l or more types in the attribute. The processing of data so that the attribute has this l-diversity is called the "l-diversification" of information.
Researcher:
What happens when variation is taken into consideration for location information?
Saji:
If the location information is only the nearest station, the problem can be solved simply by applying the l-diversification for the nearest station. But it becomes more difficult if there is a set of data including multiple location information, such as home address, place of work, and often visited place. Suppose you want to keep the "often visited place" secret. If there is information about only you in the areas of your home and place of work, naturally the third place is going to be revealed as well. But if the areas of your home and place of work are widened so that there are two people in those areas, then a variation in the "often visited place" is created. The risk of that place being known is reduced by a half, isn't it? Of course, this doesn't work if the other person has the same "often visited place" as you!
Researcher:
I see. So it is better if the k and l numbers are increased as much as possible, is it?
Saji:
Of course it is better in terms of enhancing security, but there is a decline in accuracy, so the quality of the information drops as well. This is a problem of balance. There are no proper indicators. This part has to be decided on a case-by-case basis. So it is important to verify the situation in trials.
Increase of personal information
Researcher:
Besides location information, will there be an increase in the amount of other information that should be protected?
Saji:
Without a doubt, it's going to increase. Information can be used by itself, but different things come into view by combining it with other information. For example, when shopping records are kept on a person's credit card history, that person's interests and favorites can be revealed. In other words, the degree of privacy increases. Similarly, more than simple location information, there is a higher degree of privacy involved in information concerning a person's trace obtained from his location history. What is even more troublesome is that when different types of information obtained from multiple sources, such as purchase history and Internet browsing history, are compared, it is possible to estimate a person's interests and favorites in greater detail.
Researcher:
What will be necessary from now on?
Kobayashi:
In the Information Grand Voyage Project, the importance of a mechanism for people to control their personal information themselves was discussed. In practice, however, I think it would be difficult for users themselves to manage all their information.
Saji:
From the user's point of view, it is important to build a mechanism by which you can control even a little how much information is supplied to which service operator. For example, the user could deposit the information with a trusted platform operator and then, when receiving a service, disclose only necessary information to the service operator. Also, from now on it will be necessary to have third-party organizations like rating agencies to objectively evaluate the trustworthiness of platform operators and service operators.
Researcher:
Such mechanisms will be essential, won't they? I think I can see the road ahead for Wakaranu.
Isao Kobayashi
Solution Business Department, Corporate Marketing Division, NTT DoCoMo, Inc.
Nobuyuki Saji
Chief Manager, Community and Medical Solutions Development Division, NEC Corporation
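The k-anonymity and l-diversity checks that Saji describes, with the staged widening of a latitude/longitude grid, can be worked through on a small data set. The following is an added example, not code from the interview, from NTT DoCoMo or NEC, or from the Information Grand Voyage Project. The six member records are constructed for illustration; the grid is a square cell of a fixed side length in degrees (a simplification of the experiment's map grid); age, home cell and workplace cell are treated as the quasi-identifiers, and "nearest station" and "often visited place" as the attributes whose variation is measured.

```python
from collections import defaultdict

# Constructed sample records (illustrative only, not data from the experiment).
# Quasi-identifiers: age, home location, workplace location.
# Attributes we want to keep from being inferred: nearest station, often visited place.
RECORDS = [
    {"age": 24, "station": "Meguro",    "home": (35.6334, 139.7152), "work": (35.6812, 139.7671), "visit": "Jiyugaoka"},
    {"age": 27, "station": "Meguro",    "home": (35.6361, 139.7123), "work": (35.6834, 139.7693), "visit": "Shibuya"},
    {"age": 22, "station": "Meguro",    "home": (35.6383, 139.7187), "work": (35.6821, 139.7655), "visit": "Jiyugaoka"},
    {"age": 35, "station": "Shinagawa", "home": (35.6245, 139.7402), "work": (35.6901, 139.7003), "visit": "Yokohama"},
    {"age": 31, "station": "Gotanda",   "home": (35.6267, 139.7434), "work": (35.6923, 139.7041), "visit": "Ebisu"},
    {"age": 38, "station": "Shinagawa", "home": (35.6212, 139.7465), "work": (35.6955, 139.7082), "visit": "Kawasaki"},
]

QUASI = ("age", "home", "work")
UNIT = 100_000  # work in integer hundred-thousandths of a degree to avoid float errors at cell edges


def age_bucket(age, width):
    """Generalize an age: width 1 keeps the exact age, width 10 gives a band such as '20s'."""
    if width == 1:
        return str(age)
    low = (age // width) * width
    return f"{low}s" if width == 10 else f"{low}-{low + width - 1}"


def grid_cell(point, cell_deg):
    """Map a (lat, lon) point to the square grid cell of side cell_deg that contains it."""
    size = int(round(cell_deg * UNIT))
    lat, lon = point
    return (int(round(lat * UNIT)) // size, int(round(lon * UNIT)) // size)


def generalize(records, age_width, cell_deg, points=("home", "work")):
    """Return copies of the records with the quasi-identifiers coarsened; other fields untouched."""
    out = []
    for r in records:
        g = dict(r)
        g["age"] = age_bucket(r["age"], age_width)
        for key in points:
            g[key] = grid_cell(r[key], cell_deg)
        out.append(g)
    return out


def groups_by_quasi(records, quasi=QUASI):
    """Group records that share the same generalized quasi-identifier values."""
    groups = defaultdict(list)
    for r in records:
        groups[tuple(r[q] for q in quasi)].append(r)
    return groups


def k_anonymity(records, quasi=QUASI):
    """Smallest group size: every record is indistinguishable from at least k-1 others."""
    return min(len(g) for g in groups_by_quasi(records, quasi).values())


def l_diversity(records, sensitive, quasi=QUASI):
    """Smallest number of distinct values of `sensitive` within any quasi-identifier group."""
    return min(len({r[sensitive] for r in g}) for g in groups_by_quasi(records, quasi).values())


def report(records, age_width, cell_deg):
    """Anonymity figures for one choice of age band width and grid cell size."""
    g = generalize(records, age_width, cell_deg)
    return {"k": k_anonymity(g), "l_visit": l_diversity(g, "visit"), "l_station": l_diversity(g, "station")}


def widen_until(records, k_target, age_width=10, cells=(0.001, 0.01, 0.1)):
    """Enlarge the grid step by step until k-anonymity holds; None if no listed cell size suffices."""
    for cell in cells:
        if k_anonymity(generalize(records, age_width, cell)) >= k_target:
            return cell
    return None


if __name__ == "__main__":
    for age_width, cell in ((1, 0.001), (10, 0.001), (10, 0.01)):
        print(f"age width {age_width:>2}, cell {cell}: {report(RECORDS, age_width, cell)}")
    print("smallest cell giving 3-anonymity:", widen_until(RECORDS, 3))
```

With exact ages and 0.001-degree cells every record is alone in its group (k = 1). Banding ages into decades and widening the cells to 0.01 degrees gives two groups of three (3-anonymity), and the "often visited place" then has two distinct values among the three Meguro-area members, so l = 2 for that attribute; it does not reach 3 because two of them share Jiyugaoka, the failure mode Saji points out. The "nearest station" attribute stays at l = 1, since all three members of that group give Meguro, which is exactly the leak that l-diversification is meant to expose. Widening further does not help here: the records never exceed 3-anonymity because the age bands alone split them, which is the accuracy-versus-anonymity balance Saji says has to be settled case by case.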