WO2023119716A1 - Data distribution system and data usage condition determination method - Google Patents

Abstract

In a data distribution system 1, when data exchange is conducted between prescribed data traders, a negotiation mediation service unit (negotiation mediation service device 40) executes: a first process for calculating, for each usage condition of a plurality of usage conditions that can be enforced among data traders, an index of fulfillability representing the possibility of the data trader fulfilling the usage condition; and a second process for extracting a prescribed number of usage condition candidates from a plurality of usage conditions on the basis of the index of fulfillability, and notifying a provider device 10 and a user device 20 regarding the usage condition candidates.

Description

Data distribution system and data usage condition determination method

The present invention relates to a data distribution system and a data usage condition determination method, and is suitable for application to a data distribution system and a data usage condition determination method in which usage conditions are defined between a data provider and a data user to conduct data transactions. It is.

In recent years, data distribution services have been provided that utilize platforms that mediate between those who provide data (data providers) and those who want data (data users). For example, an information bank is considered to be one form of data distribution service, and the data distributed is personal data including personal information.

In data transactions, it is necessary to agree on data usage conditions (data usage conditions) between transactors. In open data transactions, data transactions are generally conducted when the data provider discloses the data usage conditions formulated and the data users agree to the data usage conditions. And by making data usage dynamic, flexibility increases, allowing data consumers to obtain data that meets their needs, and allowing data providers to provide data to more users. It is believed that.

Negotiation is a method of dynamically determining data usage conditions in data transactions, and methods of automatic negotiation have also been proposed. For example, in Non-Patent Document 1, it is assumed that the intervention of a third-party agent (mediator) can realize automatic negotiation with high social utility. is disclosed.

Takeshi Toshima, 3 others, "Automatic Negotiation Using a Third-Party Agent to Determine Compensation for Data Provision in Information Distribution," Transactions of Information Processing Society of Japan, February 15, 2021, Vol.62, No.2 , p.508-517

However, in the prior art including Non-Patent Document 1 mentioned above, even if the data usage conditions can be adjusted through automatic negotiation, it is not known whether the other party will actually comply with the usage conditions. It is assumed that it is difficult to realize secure data transactions. Therefore, there is a need for data traders to be able to determine the optimal data usage conditions, taking into account whether the other party will comply with the data usage conditions.

The present invention has been made in consideration of the above points. is to be able to select and determine a data distribution system and a data usage condition determination method capable of enhancing security and safety in data transactions.

In order to solve such problems, the present invention provides a data distribution system for dynamically negotiating usage conditions for data transactions, comprising: one or more provider devices used by a data provider who is one of data traders; one or more user devices used by the data user who is the other of the data traders; When the negotiation intermediary service unit is requested, for each usage condition of a plurality of usage conditions that can be enforced between the data traders, an index of performance feasibility representing the possibility of the data trader fulfilling the said usage condition and extracting a predetermined number of candidate terms of use from the plurality of terms of use based on the feasibility index, and sending the candidates of terms of use to the provider device and the user device A data distribution system is provided that executes a second process of notifying.

Further, in order to solve such problems, the present invention provides a method for determining data usage conditions by a data distribution system that dynamically negotiates usage conditions for data transactions, wherein the data distribution system is one of the data traders. one or more provider devices used by the data provider, one or more user devices used by the data user who is the other party of the data trader, and a negotiation intermediation service unit that mediates the negotiation of the terms of use. and when data trading is performed between predetermined data traders, the negotiation intermediation service unit provides that for each use condition of a plurality of use conditions that can be implemented between the data traders, the data traders a feasibility calculation step of calculating a feasibility index representing the possibility of fulfilling the terms of use; a candidate extracting step of extracting candidate terms of use of the above, notifying said candidate of terms of use to said provider device and said user device, and requesting evaluation by both said data trader; a data usage condition determining step of determining a final usage condition in said data transaction based on results of evaluation by both data traders and notifying said provider device and said user device. A determination method is provided.

According to the present invention, it is possible to enhance security and safety in data transactions in which data usage conditions are dynamically agreed upon. Problems, configurations, and effects other than those described above will be clarified by the following description of the embodiments.

1 is a block diagram showing a configuration example of a data distribution system 1 according to a first embodiment of the present invention; FIG. FIG. 10 is a diagram showing an example of a usage condition management table; FIG. FIG. 4 is a sequence diagram showing an example procedure for agreement on data usage conditions executed in the data distribution system 1 in the first embodiment; FIG. 11 is a flowchart illustrating an example of a processing procedure for calculating feasibility risk; FIG. FIG. 10 is a diagram showing an example of a usage control capability management table; FIG. 11 is a flowchart illustrating an example of a processing procedure for extracting usage rule candidates; FIG. It is a figure which shows an example of a candidate recommendation message. FIG. 11 is a sequence diagram showing an example procedure for agreeing on data usage conditions executed in the data distribution system 1 in the second embodiment;

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

In the following explanation, various information may be described using expressions such as "table", "table", "list", etc., but various information may be expressed in data structures other than these. "XX table", "XX list", etc. are sometimes referred to as "XX information" to indicate that they do not depend on the data structure. Expressions such as "identification information", "identifier", "name", "ID", and "number" are used when describing the contents of each piece of information, but these can be replaced with each other.

Further, in the following description, there are cases where processing performed by executing a program will be described. Since processing is performed using resources (eg, memory) and/or interface devices (eg, communication ports), etc., the subject of processing may be a processor. Similarly, the subject of processing performed by executing a program may be a controller having a processor, a device, a system, a computer, a node, a storage system, a storage device, a server, a management computer, a client, or a host. A main body (for example, a processor) that performs processing by executing a program may include a hardware circuit that performs part or all of the processing. For example, the subject of processing performed by executing a program may include a hardware circuit that performs encryption and decryption, or compression and decompression. A processor operates as a functional unit that implements a predetermined function by operating according to a program. Devices and systems that include processors are devices and systems that include these functional units.

A program may be installed on a device such as a computer from a program source. The program source may be, for example, a program distribution server or a computer-readable storage medium. When the program source is a program distribution server, the program distribution server includes a processor (eg, CPU) and storage resources, and the storage resources may further store the distribution programs and programs to be distributed. Then, the processor of the program distribution server may distribute the distribution target program to other computers by executing the distribution program by the processor of the program distribution server. Also, in the following description, two or more programs may be implemented as one program, and one program may be implemented as two or more programs.

In the following description, when describing elements of the same type without distinguishing between them, the common part (the part excluding the subscripts and branch numbers) of the reference signs including subscripts and branch numbers will be used, and the elements of the same type may be used with reference numerals including suffixes and branch numbers. For example, when the provider devices are described without particular distinction, the term “provider device 10” is used. 1”, “provider device 10-2”, . . . , “provider device 10-N”.

(1) First Embodiment (1-1) Configuration of Data Distribution System 1 FIG. 1 is a block diagram showing a configuration example of a data distribution system 1 according to a first embodiment of the present invention.

As shown in FIG. 1, the data distribution system 1 includes one or more provider devices 10, which are information processing devices used by data providers, and one or more user devices 20, which are information processing devices used by data users. , a catalog management service device 30 that centrally manages the data catalog, a negotiation mediation service device 40 that mediates the negotiation of data usage conditions (data usage conditions) between the data provider and the data user, It comprises a management terminal 51 that manages the provider device 10 via the network and a management terminal 52 that manages the user device 20 via the network. Provider device 10 , user device 20 , catalog management service device 30 , and negotiation mediation service device 40 are interconnected via network 60 . The provider device 10 and management terminal 51 are connected via a network 61 , and the user device 20 and management terminal 52 are connected via a network 62 .

In the following description, "data provider" and "provider device 10" can be read interchangeably when used from the standpoint of the data provider. Similarly, "data user" and "user device 20" can be read interchangeably when used from the standpoint of the data provider side (data user side).

(1-1-1) Provider device 10
Provider device 10 is configured with business system 110 and data transaction connector 120 .

The business system 110 is a system that the organization of the data provider processes in business, and processes customer data and other data necessary for business. The business system 110 also has a function of storing (accumulating) data processed by its own system as a data source. In the data transaction by the data distribution system 1 of this embodiment, data that can be provided to the data user from among the data sources stored in the business system 110 is provided to the user device 20 via the data transaction connector 120. be done.

The data transaction connector 120 is a processing unit through which the data stored in the business system 110 is provided to the data user. It has the function of processing data so that it can be used according to conditions, and controlling the destination of data. The data transaction connector 120 comprises a usage condition management section 121 and a usage control section 122 .

The usage condition management unit 121 is a processing unit that manages the data usage conditions applied to the data to be provided, and determines the data usage conditions that can be agreed upon by the business partners through communication with the negotiation mediation service device 40 .

The usage control unit 122 is a processing unit that provides data in a form that meets the data usage conditions determined by the usage condition management unit 121 . The usage control unit 122 exchanges data acquired from the business system 110 with the data transaction connector 220 of the user device 20, provides the data according to the data usage conditions, and transmits/receives control information regarding data provision. do.

(1-1-2) User device 20
User device 20 is configured with business system 210 and data transaction connector 220 .

The business system 210 is a system that the data user's organization processes in business, and processes the data necessary for the business obtained by the organization and the data obtained from the data provider. The business system 210 also has a function as a data sink, that is, it has a function of storing (accumulating) data obtained by the organization and required for business and data obtained from the data provider. In the data transaction by the data distribution system 1 of this embodiment, the data obtained from the data provider is stored (accumulated) in the business system 210 via the data transaction connector 220 and used for the business in the data user's organization. .

The data transaction connector 220 is a processing unit through which data obtained from a data provider is stored in the business system 210. The data transaction connector 220 processes the data so as to meet predetermined data usage conditions, It has a function to manage conditions. Similar to the data transaction connector 120 , the data transaction connector 220 is configured with a usage condition management section 221 and a usage control section 222 .

The usage condition management unit 221 is a processing unit that manages the data usage conditions applied to each data used by the data user, and determines the data usage that can be agreed between the business partners through the exchange with the negotiation mediation service device 40. Determine conditions.

The usage control unit 222 is a processing unit that uses data in a form that meets the data usage conditions determined by the usage condition management unit 221 . The usage control unit 222 exchanges the data received from the provider device 10 with the data transaction connector 120 of the provider device 10 so as to comply with the data usage conditions (for example, delete the data after a certain period of time, It is possible to acquire within the number of times), process data, and send and receive control information related to data use.

(1-1-3) Catalog management service device 30
The catalog management service device 30 has a function of collecting, holding, and managing metadata of data to be traded, metadata related to connectors (data trading connectors 120 and 220), and metadata of organizations trading data. Furthermore, it has a function of returning the corresponding metadata in response to these metadata acquisition requests.

The above data metadata includes data titles and descriptions, data specifications, data locations, and default terms of use. The metadata of the connector also includes information on general connector functions, such as a connector transaction history such as a history of data transactions via the connector, the ID and version of the connector, and a list of functions provided by the connector. In addition to the ID, name, and description of the organization, the metadata of the organization includes information such as history data of data transactions performed by the organization and creditworthiness of the organization's data transactions.

As shown in FIG. 1, the catalog management service device 30 includes a connector transaction history management unit 310, a connector function management unit 320, an organization transaction history management unit 330, an organization credit management unit 340, and a usage condition management unit 350. be done.

The connector transaction history management unit 310 collects and retains the history of data transactions via the connector from the connector. Here, the data transaction history includes the date and time when the transaction was performed, the ID of the data provider, the ID of the data user, the ID of the data, the details of the transaction (for example, data transmission, data processing, or data usage conditions). (execution of a predetermined process specified in ) is managed as a log. Also, the connector transaction history management unit 310 returns the corresponding metadata in response to an acquisition request for the metadata held by itself.

The connector function management unit 320 collects and retains connector function information such as connector IDs and versions, and a list of functions possessed by connectors. Also, the connector function management unit 320 returns the corresponding metadata in response to an acquisition request for the metadata held by itself.

The organization transaction history management unit 330 collects and retains information on history data of data transactions conducted by the organization. Also, the organizational transaction history management unit 330 returns the corresponding metadata in response to an acquisition request for the metadata held by itself. Note that the organization transaction history management unit 330 and the connector transaction history management unit 310 partially overlap in their functions and the data they handle. In contrast to managing history data, the organization transaction history management unit 330 manages history data of data transactions via all connectors owned by the organization on a per organization basis.

The organizational credibility management unit 340 holds credibility information related to data transactions of the organization. The “trustworthiness” referred to here is an index that quantifies the extent to which the agreed data usage conditions are likely to be observed. The credibility of an organization's data transactions is calculated by a person or a program based on a plurality of past transaction data that has been executed through the mediation of the data distribution system 1 . Specifically, for example, whether there is a certain amount of data transaction performance, how many times the agreed data usage conditions have been violated, information security incidents (information leakage of personal data) in the information system of the organization (operation system 210) etc.) has occurred, the creditworthiness of the organization's data transactions is calculated and determined. When the credit is calculated by a program, for example, the organizational credit management unit 340 executes the program. Based on the above, the data structure of the information held by the organization credibility management unit 340 includes the ID of the organization and the numerical value representing the credibility of the organization.

The terms of use management unit 350 acquires and manages default values of terms of use in data transactions (values of initial conditions applied when no negotiation is performed) and information on whether or not each item of the terms of use can be adjusted. The usage condition management unit 350 registers these values for each data provider or each data that can be provided. An example of the data structure of the information (use condition management table) held by the use condition management unit 350 will be described below, taking as an example a case of registering each piece of data that can be provided.

FIG. 2 is a diagram showing an example of a usage condition management table. The usage condition management table 710 illustrated in FIG. 2 is information acquired and managed by the usage condition management unit 350 as described above.

The usage condition management table 710 includes a data ID 711 indicating the transaction data ID, a usage condition item 712 indicating the name of each item constituting the data usage condition, a default value 713 indicating the default value of the usage condition item 712, and a usage condition It is configured with an adjustability 714 that indicates whether the value of item 712 is adjustable by negotiation.

The usage condition items 712 include whether or not a connector is used when providing data (connector usage), whether or not there are restrictions on the purpose of use (restriction on purpose of use), and whether or not there are restrictions on the location of use. (restrictions on places of use), etc. In the example of FIG. 2, the adjustability 714 is indicated as "adjustable" when the value of the target item can be adjusted through negotiation, and the adjustability 714 is indicated as "adjustable" when the value of the target item cannot be adjusted through negotiation. is represented.

Such a usage condition management table 710 is used, for example, by a data user administrator to view the usage conditions of data that is a transaction candidate, and determine whether or not the default values of the usage conditions are acceptable, and whether or not the usage conditions are unacceptable. It is used to confirm whether or not the item is an adjustable item, and to comprehensively determine whether or not to negotiate the terms of use. In addition, although it is assumed that the above judgment is usually made by a person, it may be configured such that the judgment is made automatically by a program based on predetermined judgment criteria.

(1-1-4) Negotiation mediation service device 40
The negotiation intermediation service device 40 is a device that mediates between the data provider and the data user without directly negotiating the terms of use of the data, and is a win-win for both (that is, profitable for both). Provide data usage terms. As shown in FIG. 1 , the negotiation mediation service device 40 includes a utility function management unit 410 , a usage condition fulfillability management unit 420 , and a usage condition candidate recommendation unit 430 .

The utility function management unit 410 manages what kind of utility value each data trader (data provider and data user) obtains when using the data usage conditions. Here, the utility function is a quantification of the utility (profit) obtained by the data trader when the value of each item of the data usage conditions is given. As a method of calculating utility, each data usage condition is given a numerical value (the total is 1) as a weight, and when the utility score for each item of the data usage condition alone is set to 0 to 1 (for example, the value is more useful), and the sum of the products of the weight and the utility value of each item alone is taken. This utility function may be determined by the user of the organization that will be the data trader, or by asking the user (or organization) several questions about the data usage conditions and automatically estimating the utility function from the results. may be determined by

The usage condition fulfillability management unit 420 numerically indicates how high the possibility of fulfillment is or how high the risk of failure to fulfill each item of the data usage conditions and its value is for each data trader. management. This numerical value is calculated, for example, based on the function of the connector. If there is a connector function corresponding to each item of the data usage conditions, it is judged that the possibility of fulfillment is high (the risk that it cannot be fulfilled is low), and if there is no corresponding connector function, the possibility of fulfillment is low (There is a high risk that it cannot be carried out). Moreover, it may be calculated based not only on the function of the connector, but also on the transaction history of the relevant organization and the creditworthiness of the organization.

The use condition candidate recommendation section 430 selects a predetermined number (one or (predetermined number)), and has a function of notifying those candidates via connectors of data providers and data users.

The management terminals 51 and 52 mainly perform connector settings for data providers and data users' information processing devices (provider device 10 and user device 20) to which they are connected, and set data usage conditions. It is an information processing device that is used when providing information to a user in accordance with an agreement between the two parties and when asking the user to determine data usage conditions and the like. That is, the management terminals 51 and 52 have a function of exchanging messages with the connector of the provider device 10 or the user device 20 to which they are connected.

Since the data distribution system 1 according to the present embodiment has the configuration described above, the provider device 10 communicates with the user device 20 via the negotiation mediation service device 40 to determine the optimum data usage conditions. can decide. In addition, since the negotiation intermediary service device 40 calculates candidates for the data usage conditions in consideration of the achievability of the data provider and the data user, the data provider and the data user are not required to comply with the data usage conditions of the business partner. Considering feasibility, more appropriate data usage conditions can be selected and agreed upon.

In the above description, the data catalog is centrally managed by the catalog management service device 30. However, in the data distribution system 1 according to the present embodiment, these data catalogs may be distributed and managed. good. Also, although the provider device 10 and the user device 20 are described separately, there are cases where a person (user) or an organization serves as both a data provider and a data user. and the user device 20 may be the same.

(1-2) Agreement Sequence for Data Use Conditions FIG. 3 is a sequence diagram showing an example of a procedure for agreeing on data use conditions executed in the data distribution system 1 in the first embodiment. The sequence for agreeing on the data usage conditions in this embodiment will be described below with reference to FIG.

In the description of FIG. 3, the procedure performed by the data provider or its organization actually means that the provider device 10 is the subject of the processing corresponding to the procedure. The procedure performed by the organization means that the user device 20 actually takes the lead in performing the processing corresponding to the procedure. These are the same in the description of another sequence diagram (FIG. 8) and flow charts (FIGS. 4 and 6) to be described later.

According to FIG. 3, first, the organization of the data user transmits a request to acquire the data usage conditions of the business partner to the catalog management service device 30 (step S101). In response to the request of step S101, the catalog management service device 30 sends back the corresponding supplier and data usage conditions to the data user (step S102).

Next, the data user examines the data use conditions acquired in step S102, and if he/she decides that he/she cannot agree on the data use conditions and wants to trade under other conditions, the data use conditions are notified to the negotiation mediation service device 40. A condition adjustment request is transmitted (step S103). This adjustment request includes information such as a supplier ID that can uniquely identify the supplier (for example, the supplier with the data usage conditions acquired in step S102).

When the negotiation mediation service device 40 receives the data usage condition adjustment request, based on the customer ID included in the adjustment request, the negotiation mediation service device 40 sends the data provider, who is the corresponding data trader, a data usage condition preference. is transmitted (step S104) and acquired (step S105). Here, the preference of the data usage condition is information indicating which item among the plurality of items constituting the data usage condition can be adjusted, which item has a higher priority among the plurality of items, etc. Represents information about utility functions and information such as acceptable achievability. This preference information is necessary for data traders to derive win-win data usage conditions candidates, and is decided in advance by data providers and data users and held in each connector. managed.

Negotiation mediation service device 40 also transmits a request for acquisition of data usage condition preferences to the data user who transmitted the data usage condition adjustment request in step S103 (step S106). acquire (step S107).

Next, the negotiation mediation service device 40 requests the catalog management service device 30 to acquire connector functions for the data user and the data provider (step S108). In response to this request, the catalog management service device 30 acquires function list information of the corresponding connector from the database held by the connector function management unit 320, and passes this information to the negotiation mediation service device 40 (step S109). ).

Next, the negotiation mediation service device 40 requests the catalog management service device 30 to acquire the organizational credibility of the data user and the data provider (step S110). In response to this request, the catalog management service device 30 acquires the credibility value of the corresponding organization from the database held by the organization credibility management unit 340, and passes it to the negotiation mediation service device 40 (step S111).

Next, the negotiation mediation service device 40 extracts all possible combinations of data usage conditions, and calculates the utility value and feasibility risk for each of these data usage conditions (step S112). Details of the processing in step S112 will be described later with reference to FIG.

Next, based on the utility value and the feasibility risk calculated in step S112, the negotiation mediation service device 40 selects the top N candidates from among the plurality of data usage conditions extracted in step S112 in consideration of the risk. is extracted as a recommended use condition candidate (step S113). The details of the process of extracting candidate usage conditions in step S113 will be described later with reference to FIG.

Next, the negotiation mediation service device 40 presents the use condition candidates determined in step S113 and their feasibility risks to the data provider and the data user, and evaluates each use condition candidate. A request is made to the data user (steps S114 and S115).

Then, the data provider and data user respond to the requests of steps S114 and S115, and transmit the evaluation results of the respective use condition candidates to the negotiation mediation service device 40 (steps S116 and S117).

Next, the negotiation mediation service device 40 evaluates the evaluation results (specifically, for example, OK/NG, a score representing the level of evaluation) from both the data provider and the data user acquired in steps S116 and S117. Based on this, the data provider and the data user determine a data usage condition that both the data provider and the data user can agree on (step S118), and notify the data provider and the data user of the determined data usage condition (steps S119 and S120). Here, the data usage conditions that can be agreed upon are determined, for example, by extracting the conditions for which both evaluation results are OK, and extracting the condition that maximizes the product of the evaluation scores of both. If there are a plurality of usage condition candidates with the largest product of evaluation scores, the candidate with the largest product of utility should be extracted.

Through the above processing, the negotiation mediation service device 40 can recommend win-win usage condition candidates in consideration of the feasibility risk of data usage conditions. In addition, the data provider and data user each evaluate the recommended conditions of use considering the feasibility risk, and the final conditions of use are determined based on the evaluation results. By doing so, it is possible to agree on data usage terms that take into account feasibility risk.

(1-2-1) Calculation of Feasibility Risk FIG. 4 is a flowchart showing an example of a processing procedure for calculating the feasibility risk. The series of processes shown in FIG. 4 correspond to the processes of steps S104 to S113 in FIG. performed by Details of the processing in step S206 (corresponding to step S113 in FIG. 3) will be described later with reference to FIG.

According to FIG. 4, first, the negotiation mediation service device 40 acquires the data usage condition preferences of the relevant data traders (provider device 10, user device 20) (step S201). As described above, preferences for data usage conditions are information indicating which of the multiple items that make up the data usage conditions can be adjusted, which item has a higher priority among the multiple items, and so on. represents information about the utility function and information such as acceptable achievability. This preference information is necessary for data traders to derive win-win data usage conditions candidates, and is decided in advance by data providers and data users and held in each connector. managed.

Next, the negotiation mediation service device 40 acquires information on the function of the connector and the usage environment of the data traders connected to the connector from the catalog management service device 30 (step S202). Regarding the functions of the connector, it is assumed that the correctness of the information is verified by someone other than the data trader, rather than accepting the functions declared by the data trader.

FIG. 5 is a diagram showing an example of a usage control capability management table. Usage control capability management table 720 shown in FIG. is stored in the database held by the connector function management unit 320 of (may be held by a device other than the catalog management service device 30).

As shown in FIG. 5, the usage control capability management table 720 includes items of connector ID 721 , item 722 , correspondence level 723 , correspondence location 724 , and related log output presence/absence 725 .

A connector ID 721 is an identifier for uniquely identifying a connector. Item 722 indicates the name of each item of data usage conditions provided by the connector. Correspondence level 723 indicates a value corresponding to each item. The corresponding part 724 indicates information on where the usage control of each item is implemented, and is indicated by a value such as "connector" or "usage environment", for example. The related log output presence/absence 725 indicates whether or not the relevant function is output as a related log.

By using such a capability management table 720, the negotiation mediation service device 40 can collect information on connectors and usage environments necessary for calculating feasibility.

Return to the description of Fig. 4. After step S202, the negotiation mediation service device 40 acquires the credibility of the organization from the catalog management service device 30 (step S203). Although it is assumed here that the catalog management service device 30 holds and manages this information, if similar information can be obtained from another organization or the like, it may be obtained from another source.

Next, the negotiation mediation service device 40 extracts all possible combinations of data usage conditions between the data provider and the data user (step S204). The process of step S204 means extracting a plurality of data usage conditions corresponding to all combination patterns by combining selectable values for each item constituting the data usage conditions.

Next, the negotiation mediation service device 40 calculates feasibility risk based on individual items and values for each data usage condition extracted in step S204 (step S205). Individual feasibility is determined comprehensively, for example, based on the presence or absence of connector functions, the presence or absence of past transaction records in the organization, and the creditworthiness of the organization. Specifically, for example, if there is a connector function, the performance is technically compulsory, so the possibility of fulfillment is extremely high, and the risk of not fulfilling the data usage conditions is extremely low (risk level: None). Also, even if there is no connector function, it is considered that the possibility of execution is high and the risk is low (risk level: Low) if the transaction was properly processed in the past transaction results. Also, if there is no connector function and no past transaction record, the determination can be made based on the creditworthiness of the organization. If the credibility of the organization is high, there is a high possibility that each data usage condition will be fulfilled, and the risk is considered to be low (risk level: Low). It can be determined that the risk is low and the risk is high (risk level: High). It should be noted that the degree of "high" or "low" in the above description may be considered to be classified based on a predetermined threshold value, and each threshold value may be statically determined in advance, or the situation, environment, etc. It may be set dynamically by a program or by a person depending on the situation.

After calculating individual risks for each data usage condition in step S205, negotiation mediation service device 40 finally calculates more preferable data usage condition candidates in consideration of both utility and risk (step S206). ). Details of the processing in step S206 will be described later with reference to FIG.

By performing the processing as described above, the negotiation mediation service device 40 can calculate the feasibility risk of each data usage condition and extract more appropriate data usage condition candidates based on this.

(1-2-2) Extraction of Usage Rule Candidates FIG. 6 is a flowchart showing an example of a processing procedure for extracting usage rule candidates. A series of processes shown in FIG. 6 correspond to the process of step S113 in FIG. 3, and are executed by the negotiation mediation service device 40 after the calculation of the feasibility risk is completed.

According to FIG. 6, the negotiation mediation service device 40 first derives all possible combinations of data usage conditions by combining data usage conditions from the preferences of the data provider and the data user (step S301). In the process of step S301, for example, if there are not many restrictions on the processing time, utility and risk are calculated for all combinations, and based on the calculated values, a more preferable part is selected. In cases where processing time is restricted or the number of combinations of usage conditions is enormous, it is not possible (or should not) be calculated for all combinations. It is also possible to limit the number of combinations and extract combinations of data usage conditions at random.

Next, the negotiation mediation service device 40 calculates utility values and risks for each combination of data usage conditions derived in step S502 (step S302). A specific method of calculating the risk is as described in step S205 of FIG.

Next, the negotiation mediation service device 40 calculates the risk-adjusted utility for each combination (step S303). Specifically, for the calculation method of step S303, for example, a calculation formula of “Σ{(utility value under condition i)×(1−(risk probability under condition i))}” can be used.

Next, the negotiation mediation service device 40 calculates the product of the adjusted utility of the data provider and the adjusted utility of the data user in each combination (step S304).

Next, the negotiation mediation service device 40 rearranges the combinations in descending order of the product calculated in step S304, extracts the top N candidates, and uses them as recommended usage condition candidates (step S305). Here, a high product means a high profit (utility) when both data traders are considered.

By performing the processing as described above, the negotiation mediation service device 40 can extract the data usage conditions near the Nash equilibrium point as usage condition candidates, so that candidates that are more preferable for both the data provider and the data user are calculated. can do.

Then, the negotiation mediation service device 40 presents the extracted use condition candidates and the feasibility of each use condition to the data trader (provider device 10, user device 20).

FIG. 7 is a diagram showing an example of a candidate recommendation message. Candidate recommendation message 730 shown in FIG. 7 is generated by the data trader (provider device 10, user device) in steps S114 and S115 of FIG. 20) is an example of a message for presenting usage condition candidates and their feasibility risks.

As shown in FIG. 7, the candidate recommendation message 730 includes items of candidate number 731, item 732, value 733, performance responsibility 734, risk level 735, risk reason 736, and utility function score 737.

The candidate number 731 indicates an identifier assigned to each usage rule candidate. An item 732 indicates the name of each item constituting the usage rule of the candidate, and a value 733 indicates its value. The name shown in the item 732 indicates, for example, whether the purpose of use is restricted (restriction of purpose of use) or whether the place of use is restricted (restriction of place of use).

The performance responsibility 734 indicates the location of the person responsible for each item, and describes the organization that should perform the item. Risk level 735 indicates a value representing the feasibility risk of each item. The risk level 735 may be expressed numerically or using an enumerated value. In the case of FIG. 7, the example of the risk level described in the explanation of step S205 of FIG. 3 is applied. The risk reason 736 indicates the reason on which the risk level was determined. For example, "No related function implemented In A. Trust level of organization A is low" means that "the related function is not implemented in organization A, and the trust level of organization A is low."

The utility function score 737 indicates the score of the utility function of the entire data usage condition for each candidate. Specifically, the utility function score 737 describes a ranged value in consideration of the risk (risk level 735) in each item of the data usage condition of the candidate. In this example, values from 0 to 1 are described, but it is not limited to this.

As described above, according to the data distribution system 1 according to the present embodiment, in the dynamic agreement of the data usage conditions, an index is calculated to indicate the extent to which each item of the data usage conditions is complied with by the trading partner, Taking this into account, the data trader can simplify consent by confirming the content of data provision when distributing personal data to a large number of data providers. As a result, data trading organizations can select and determine more optimal data usage terms in consideration of the likelihood of data usage terms being complied with by business partners, and data that dynamically agrees on data usage terms. Security and safety can be enhanced in transactions.

(2) Second Embodiment In the data distribution system 1 according to the first embodiment, when determining the terms of use of data, the negotiation mediation service device 40 considers utility and feasibility of data transactions. The catalog management service device 30 and the negotiation intermediation service device 40 are necessary for recommending candidates for terms of use that are highly likely to be agreed upon by both parties. However, the present invention is not limited to the configuration having mediation devices such as the catalog management service device 30 and the negotiation mediation service device 40. ) or the data user (user device 20).

Therefore, in the second embodiment, the data trader (provider device 10, user device 20) grasps the function of the connector of the information processing device that is the trading partner and inquires about the past performance. Next, a data distribution system 2 that calculates feasibility by itself and negotiates data usage conditions between traders based on the calculation results will be described, focusing on differences from the first embodiment.

Compared to the configuration of the data distribution system 1 shown in FIG. 1, the data distribution system 2 according to the second embodiment does not include the negotiation mediation service device 40, and the functions of the negotiation mediation service device 40 are the provider device 10 and the data distribution system 1 shown in FIG. It differs in that it is arranged in the user device 20 . The data distribution system 2 according to the second embodiment is different from the agreement sequence of the data usage conditions in the first embodiment in that the data provider and the data user directly negotiate the agreement sequence of the data usage conditions. is different.

FIG. 8 is a sequence diagram showing an example of a procedure for agreeing on data usage conditions executed in the data distribution system 1 in the second embodiment. The procedure shown in FIG. 8 will be described below, but the detailed technical contents performed in each procedure can basically be diverted from the description given with reference to FIG. 3 in the first embodiment. Therefore, the description is omitted.

According to FIG. 8, first, the data user requests acquisition of the data usage conditions of the business partner (data provider) (step S401), and receives the response (step S402). Next, the data user examines the data usage conditions acquired in step S402, and if he or she does not agree to the data usage conditions and decides that he or she wishes to trade under other conditions, the data user directly asks the data provider to confirm the data usage conditions. An adjustment request is transmitted (step S403).

Next, when the data provider receives the data usage condition adjustment request, the data provider transmits a data usage condition preference acquisition request to the data provider (step S404), and acquires preference information from the data provider. (step S405). Here, since the data provider itself holds the preference information on the data provider side, it is not necessary to issue a preference acquisition request.

Also, the data provider requests the catalog management service device 30 to acquire the connector function of the data user (step S406), and receives this from the catalog management service device 30 (step S407). On the other hand, the data user similarly requests the catalog management service device 30 to acquire the connector function of the data provider (step S408), and receives it from the catalog management service device 30 (step S409).

Also, the data provider requests the catalog management service device 30 to acquire the credibility of the data user's organization (step S410), and receives it from the catalog management service device 30 (step S411). On the other hand, the data user similarly requests the catalog management service device 30 to acquire the credibility of the data provider's organization (step S412), and receives it from the catalog management service device 30 (step S413).

Next, the data provider extracts all possible combinations of data usage conditions, and calculates the utility value and feasibility risk for each combination of data usage conditions (step S414). Furthermore, based on the calculated utility value and the feasibility risk, the data provider extracts the top N candidates from among the data usage conditions extracted in step S414 in consideration of the risks, and recommends them. It is set as a use condition candidate (step S415). Then, the data provider presents the use condition candidate determined in step S415 and its feasibility risk to the data user (step S417).

The data user, to whom the usage condition candidates are presented in step S417, evaluates each usage condition candidate, and uses the evaluation results to determine agreeable data usage conditions by a predetermined determination method (step S418). The evaluation result is indicated by, for example, OK/NG and a score representing the level of evaluation. Determination of agreeable data usage conditions is performed, for example, by extracting the conditions for which the evaluation results of both data traders are OK, and extracting the condition that maximizes the product of the evaluation scores of both parties. If there are a plurality of use condition candidates with the largest product of evaluation scores, the candidate with the largest product of utility should be extracted. Then, the data user notifies the data provider of the agreeable data usage conditions determined in step S418 (step S419).

In this example, data usage conditions that can be agreed upon by data users are determined based on presentation of usage condition candidates from data providers. Exchange the evaluation results for each candidate for terms of use, determine and present the final candidate for terms of use using the mutual evaluation results, and if both parties agree on this, decide as agreeable data terms of use You may do so.

Finally, in order to certify that the data provider and the data user have agreed to the finally selected data usage conditions, the data usage conditions are digitally signed (step S420), and the process is completed. finish. The use of digital signatures is expected to prevent tampering with agreed data usage conditions.

It can be said that the processing procedure of FIG. 8 described above differs greatly from the processing procedure of FIG. 3 shown in the first embodiment in the following points. That is, in the processing procedure of FIG. 8, the data trader makes a preference acquisition request for data usage conditions (step S404), a connector function acquisition request (steps S406 and S408), and an organization credibility acquisition request (steps S410, S408). S412), it collects information necessary for calculating the feasibility risk by itself. Further, the feasibility risk is independently calculated by the data trader (not the negotiation mediation service device 40).

By performing the processing shown in FIG. 8 as described above, in the data distribution system 2 according to the second embodiment, the feasibility risk can be determined between the data traders without using the negotiation mediation service. It is possible to adjust the data usage conditions in consideration of the above, and reach an agreement on the data usage conditions that will be a win-win for both data traders.

It should be noted that each of the above-described embodiments has been described in detail in order to explain the present invention in an easy-to-understand manner, and is not necessarily limited to those having all the configurations described. Also, part of the configuration of one embodiment can be replaced with the configuration of another embodiment, and the configuration of another embodiment can be added to the configuration of one embodiment. Moreover, it is possible to add, delete, or replace a part of the configuration of each embodiment with another configuration.

Also, in each of the above-described embodiments, the single catalog management service device 30 and the negotiation mediation service device 40 perform the processing, but the processing may be distributed to a plurality of devices. Also, each function of the device may be executed on a separate machine.

In addition, the control lines and information lines indicate what is considered necessary for explanation, and not all control lines and information lines are necessarily indicated on the product. In fact, it may be considered that almost all configurations are interconnected.

1, 2 data distribution system 10 provider device 110 business system 120 data transaction connector 121 usage condition management unit 122 usage control unit 20 user device 210 business system 220 data transaction connector 221 usage condition management unit 222 usage control unit 30 catalog management service Device 310 connector transaction history management unit 320 connector function management unit 330 organization transaction history management unit 340 organization credit management unit 350 usage condition management unit 40 negotiation mediation service device 410 utility function management unit 420 usage condition fulfillability management unit 430 usage condition candidates Recommendation unit 51, 52 Management terminal 60, 61, 62 Network 710 Usage condition management table 720 Capability management table 730 Candidate recommendation message

Claims (10)

A data distribution system that dynamically negotiates terms of use for data transactions,
one or more provider devices used by a data provider who is one of the data traders;
one or more user devices used by a data user who is the other party of the data trader;
a negotiation mediation service unit that mediates negotiation of the terms of use;
with
When data transactions are conducted between designated data traders,
The Negotiation Brokerage Service Department,
a first process of calculating, for each usage condition of a plurality of usage conditions that can be enforced among the data traders, a performance possibility index representing the possibility of the data trader fulfilling the usage condition;
a second process of extracting a predetermined number of use condition candidates from the plurality of use condition candidates based on the feasibility index and notifying the provider device and the user device of the use condition candidates; A data distribution system characterized by executing the provider device and the user device perform data transmission/reception and transactions via their own connectors;
In the first process, the negotiation mediation service unit, based on the functions of the connectors of the provider device and the user device used by the data trader, 2. The data distribution system according to claim 1, wherein: In the first process, the negotiation mediation service unit calculates the feasibility indicator for the terms of use based on the performance record of past data transactions via the connector in the organization of the data trader. 3. The data distribution system according to claim 2, characterized by: In the first process, the negotiation mediation service unit calculates the feasibility indicator for the terms of use based on creditworthiness derived from past data transactions of the data trader's organization. 2. The data distribution system according to claim 1. each of the provider device and the user device holds preference information indicating items that can be adjusted in the terms of use that the data provider or the data user permits;
The Negotiation Brokerage Service Department,
In the first process, the plurality of usage conditions are extracted based on the preference information of each of the data traders of the data transaction subject to the usage conditions, and for each usage condition of the plurality of usage conditions, Calculating the feasibility index for each item that constitutes the terms of use, and calculating a utility value that indicates the utility that the data provider and the data user can obtain when using the terms of use,
3. The method according to claim 1, wherein in said second processing, a predetermined number of use condition candidates are extracted from said plurality of use conditions based on said performance possibility index and said utility value calculated for each of said use conditions. 1. The data distribution system according to 1. In the second process, the negotiation mediation service unit exists near a Nash equilibrium point based on the risk derived from the feasibility indicator and the utility values of the data provider and the data user. 6. The data distribution system according to claim 5, wherein said usage rule to be used is extracted as said usage rule candidate. The Negotiation Brokerage Service Department,
In the second process, the provider device and the user device are notified of the extracted usage rule candidate, along with the performance possibility index and the range of the utility value in the usage rule of each usage rule candidate. and request evaluation by both of said data traders;
Further, executing a third process of determining the final terms of use in the data transaction and notifying the provider device and the user device based on the results of evaluation by both of the data traders. 6. The data distribution system according to claim 5. 2. The data distribution according to claim 1, wherein said negotiation mediation service unit is implemented in another device connected to said one or more provider devices and said one or more user devices via a network. system. the negotiation mediation service unit is implemented in each of at least the one or more provider devices;
2. The data distribution system according to claim 1, wherein said provider device executes said first processing and said second processing while exchanging information with said user device. A data usage condition determination method by a data distribution system that dynamically negotiates usage conditions for data transactions,
The data distribution system is
one or more provider devices used by a data provider who is one of the data traders;
one or more user devices used by a data user who is the other party of the data trader;
a negotiation mediation service unit that mediates negotiation of the terms of use;
has
When data transactions are conducted between designated data traders,
The negotiation mediation service unit calculates, for each usage condition of a plurality of usage conditions that can be enforced among the data traders, an index of feasibility representing the possibility of the data trader fulfilling the said usage condition. a feasibility calculation step;
The negotiation mediation service unit extracts a predetermined number of candidate terms of use from the plurality of terms of use based on the index of feasibility of execution, and notifies the candidate device of the provider device and the user device of the candidate terms of use. a candidate extraction step requesting evaluation by both of said data traders;
a use condition determination step in which the negotiation mediation service unit determines final use conditions in the data transaction based on evaluation results by both the data traders, and notifies the provider device and the user device; and,
A data usage condition determination method characterized by comprising:

Images