This application claims priority to German Patent Application No. DE 10 2019 209 226.8, filed Jun. 26, 2019 with the German Patent and Trademark Office. The contents of the aforesaid Patent Application are incorporated herein for all purposes.
The present invention relates to a method, a computer program with instructions, and a device for processing data recorded by a motor vehicle. The invention further relates to a motor vehicle and a back end in which a method according to the invention or a device according to the invention is used.
This background section is provided for the purpose of generally describing the context of the disclosure. Work of the presently named inventor(s), to the extent the work is described in this background section, as well as aspects of the description that may not otherwise qualify as prior art at the time of filing, are neither expressly nor impliedly admitted as prior art against the present disclosure.
In modern motor vehicles, a variety of data is collected. With increasing vehicle connectivity, there is an interest in using the data collected by a vehicle for further evaluation. For this purpose, data may be taken from the motor vehicle and fed to a back end. For example, data may be extracted from vehicle sensors in a location- or time-dependent manner for applications relating to weather forecasts, parking space occupancy, or traffic flow data. In the back end, the data are then combined with other data on a map and fed back to the functions using said data.
One application scenario for data collection is the creation of a database for anonymized swarm data for researching, developing, and safeguarding automatic driving functions. Highly automated vehicles are expected to cope with a plethora of different and sometimes complex road traffic scenarios without there being an accident. However, since the majority of these scenarios occur only very rarely, testing in real road traffic is both time- and cost-intensive. A substantial database is therefore required for the development of automatic driving functions to series maturity in order to safeguard the algorithms, as this may no longer be achieved by means of classic endurance test runs. Therefore, a data pool is required which has data from as wide a variety of challenging traffic situations as possible, ideally supplied from real driving situations, by means of which data pool the algorithms may be trained and continuously improved such that the vehicles may make appropriate decisions and act safely in road traffic in all eventualities.
However, the data taken from a vehicle may sometimes provide an indication of the personal or material circumstances of an identified or at least identifiable natural person, for example the driver of the motor vehicle.
Such collection and use of the data is generally only possible with a declaration of consent of the relevant person, as per applicable data protection regulations. Although consumers today, in particular in the software field, are quite familiar with accepting conditions of use and granting approval for the evaluation of data, this is not very common in the automotive sector. It is therefore not always easy to obtain a declaration of consent for the use of the data. In addition, software updates may potentially require a new declaration of consent to be obtained from the user, which could become a nuisance for the user over time.
In order to ensure the protection of data, the data may be subjected to different anonymization methods. The aim of these anonymization methods is to conceal the identity of the data originator in an anonymization group.
A need exists to provide solutions for processing data recorded by a motor vehicle that enable segmentation of data recorded along a traversed route with reduced gaps between the segments.
The need is addressed by a method, by a computer program, and by a device having the features of the independent claims.
Embodiments of the invention are described in the dependent claims, the following description, and the drawings.
The details of one or more embodiments are set forth in the accompanying drawings and the description below. Other features will be apparent from the description, drawings, and from the claims.
In the following description of embodiments of the invention, specific details are described in order to provide a thorough understanding of the invention. However, it will be apparent to one of ordinary skill in the art that the invention may be practiced without these specific details. In other instances, well-known features have not been described in detail to avoid unnecessarily complicating the instant description.
In some embodiments, a method for processing data recorded by a motor vehicle comprises:
In some embodiments, a computer program contains instructions which, when executed by a computer, prompt the computer to carry out the following steps for processing data recorded by a motor vehicle:
The term “computer” is to be understood broadly. In particular, it may also include control units, workstations, and other processor-based data processing devices.
The computer program may for example be provided for electronic retrieval or be stored on a computer-readable storage medium.
In some embodiments, a device for processing data recorded by a motor vehicle comprises:
In the solution, the division of the recorded data into segments is combined with a spatial obfuscation. This significantly increases the probability of only segments with non-recombinable signals being present. As a result, the gaps between the segments may be kept small, which is desirable from a data collection point of view, without it being necessary to increase the size of the required anonymization group, which could otherwise significantly limit the usefulness of the data.
In some embodiments, the spatial obfuscation is applied for each segment individually. For this purpose, start points of the segments are shifted by a noise value from a noise interval. In this way, the desired spatial obfuscation may be implemented in a simple manner.
In some embodiments, lengths of the gaps between the segments are selected randomly from a length interval. This ensures that successive segments are independent of one another. Otherwise, in the event of gaps of a constant length, it could be established whether segments come from the same vehicle by evaluating the start and end points of the segments.
In some embodiments, a temporal obfuscation is additionally applied to the data of the segments of the traversed route. This measure leads to a greater increase in group anonymity.
In some embodiments, an originally required group size of an anonymization group is increased by a correction factor that takes into account that the application of the spatial obfuscation takes place in combination with division of the recorded data into segments of the traversed route. The noise interval for the spatial obfuscation may be taken into account within the framework of a correction factor by means of which a corrected group size may be calculated. Although said correction factor approaches the value of one with increasing size of the noise interval, the correction factor should not be neglected in view of the importance of group anonymity.
For example, a method according to the teachings herein or a device according to the teachings herein may be used in an autonomously or manually controlled vehicle, in particular a motor vehicle. Alternatively, the solution may also be used in a back end to which the data is transmitted from the vehicle.
Additional features of the present invention will become apparent from the following description and the appended claims in conjunction with the FIGS.
In order to improve understanding of the principles of the present invention, further embodiments of the invention will be explained in detail in the following based on the FIGS. It should be understood that the invention is not limited to these embodiments and that the features described may also be combined or modified without departing from the scope of protection of the invention as defined in the appended claims.
The data processing unit 22 and the anonymization unit 23 may be controlled by a control unit 24. Settings of the data processing unit 22, anonymization unit 23, or control unit 24 may be changed, if required, via a user interface 27. The data accumulating in the device 20 may be deposited in a memory 26 of the device 20 if required, for example for later evaluation or to be used by the components of the device 20. The data processing unit 22, anonymization unit 23, and control unit 24 may be designed as dedicated hardware, for example as integrated circuits. Of course, they may also be partially or fully combined or be implemented as software running on a suitable processor, for example a GPU. The input 21 and the output 25 may be implemented as separate interfaces or as a combined bidirectional interface.
The processor 32 may comprise one or more processor units, for example microprocessors, digital signal processors, or combinations thereof.
The memories 26, 31 of the embodiments described may have volatile and/or non-volatile memory regions and comprise a wide variety of storage units and storage media, for example hard drives, optical storage media, or semiconductor memories.
The two embodiments of the device may be integrated in the motor vehicle or be part of a back end that is connected to the motor vehicle.
If the different obfuscated segments then need to be assigned to the original segments Si, the obfuscated segments may only be recombined if the end of a segment Si and the start of the next segment Si+1 are at a distance within the interval of (lgap−lgap_rand) to (lgap+lgap_rand) from one another. If it is further assumed that the start points SPi of the respective segments Si are randomly distributed in a uniform manner, the probability Pag that only non-recombinable segments are present is defined as follows:
Since the aim is to obtain as much data as possible, the gap must be kept as small as possible. Therefore (lgap+lgap_rand)<lseg. This results in a very low probability of non-recombinable segments. For example, at a segment length lseg of 10 km and gap of 500 to 1000 m, only 10% of the segments are non-recombinable. In order to nonetheless achieve the anonymization group size, the number of detected vehicles and thus the size of the obfuscation would have to increase by a factor of 10. This would significantly limit the usefulness of the data.
In order to prevent this, both methods are combined with one another. For example, it is assumed that each segment Si is obfuscated individually. Noise is applied to each of the start points SPi of the segments Si in the form of an offset lrausch. If this is taken into account in the above-mentioned relationships, the gap between the segments is increased in proportion with the noise value:
If it is then assumed that (lgap+lgap_rand+lrausch)>lseg, since the penetration of the vehicles is very low at the start in particular, the probability Pag is close to one. The “penetration” is to be understood as the proportion of total vehicles involved in the data collection.
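The following Python example is added here and is not part of the original disclosure. It cuts a route into segments with random gaps, shifts each start point by a noise value, and measures how many neighbouring segments still pass the recombination test described above. The function names, the uniform forward shift in [0, lrausch], the 1000 km route and the 10 km noise interval are assumptions; the 10 km segment length and the 500 to 1000 m gap are taken from the text.

```python
import random

EPS = 1e-6  # tolerance for floating-point rounding, in metres

def segment_route(route_len, lseg, lgap, lgap_rand, lrausch, rng):
    """Cut a route (lengths in metres) into segments separated by random gaps.

    Assumption: the noise moves each start point SPi forward by a value drawn
    uniformly from [0, lrausch]; the segment keeps its full length lseg.
    """
    segments, cursor = [], 0.0
    while True:
        start = cursor + rng.uniform(0.0, lrausch)  # spatial obfuscation
        end = start + lseg
        if end > route_len:
            return segments
        segments.append((start, end))
        # Gap length drawn at random from the length interval.
        cursor = end + rng.uniform(lgap - lgap_rand, lgap + lgap_rand)

def observed_gaps(segments):
    """Distance from the end of each segment to the start of the next one."""
    return [nxt[0] - cur[1] for cur, nxt in zip(segments, segments[1:])]

def recombinable_fraction(segments, lgap, lgap_rand):
    """Share of consecutive pairs that pass the recombination test in the
    text: end-to-start distance within lgap - lgap_rand .. lgap + lgap_rand."""
    gaps = observed_gaps(segments)
    lo, hi = lgap - lgap_rand - EPS, lgap + lgap_rand + EPS
    return sum(lo <= g <= hi for g in gaps) / len(gaps) if gaps else 0.0

if __name__ == "__main__":
    # lseg = 10 km and a 500-1000 m gap are the figures used in the text;
    # the 1000 km route and lrausch = 10 km are constructed sample values.
    for lrausch in (0, 10_000):
        segs = segment_route(1_000_000, 10_000, 750, 250, lrausch, random.Random(1))
        share = recombinable_fraction(segs, 750, 250)
        print(f"lrausch={lrausch} m: {len(segs)} segments, "
              f"{share:.0%} of neighbouring pairs pass the gap test")
```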
By way of example, it is assumed that a measuring vehicle from the swarm traverses the segment of a route every 10 minutes on a highway. Thus, at an assumed anonymization group size of five and a speed of 60 m/s, an obfuscation in the region of 180 km is required. This contrasts with a significantly smaller segment length of 10 km.
The two methods are now combined by means of a correction factor kseg applied to the group size k of the anonymization group. The factor kkorr thus corrected is obtained as follows:
Assuming that (lgap+lgap_rand+lrausch)>lseg, the correction factor kseg approaches one. As such, combining the two methods has much less influence on the corrected group size. However, this influence should for example be taken into account nonetheless.
10 Receiving data recorded along a route traversed by a motor vehicle
11 Dividing the recorded data into segments of the traversed route, said segments being separated by gaps
12 Applying a spatial obfuscation to the data of the segments
13 Forwarding the obfuscated data for further processing
20 Device
21 Input
22 Data processing unit
23 Anonymization unit
24 Control unit
25 Output
26 Memory
27 User interface
30 Device
31 Memory
32 Processor
33 Input
34 Output
40 Motor vehicle
41 Sensor system
42 Navigation system
43 Data transmission unit
44 Assistance system
45 Memory
46 Network
50 Back end
D Item of data
lgap Length of a gap
Li Gap
Lseg Length of a segment
Si Segment
SPi Start point of a segment
VD Obfuscated item of data
WS Route
The invention has been described in the preceding using various exemplary embodiments. Other variations to the disclosed embodiments may be understood and effected by those skilled in the art in practicing the claimed invention, from a study of the drawings, the disclosure, and the appended claims. In the claims, the word “comprising” does not exclude other elements or steps, and the indefinite article “a” or “an” does not exclude a plurality. A single processor, module or other unit or device may fulfill the functions of several items recited in the claims.
The term “exemplary” used throughout the specification means “serving as an example, instance, or exemplification” and does not mean “preferred” or “having advantages” over other embodiments. The term “in particular” used throughout the specification means “serving as an example, instance, or exemplification”.
The mere fact that certain measures are recited in mutually different dependent claims or embodiments does not indicate that a combination of these measures cannot be used to advantage. Any reference signs in the claims should not be construed as limiting the scope.
Number | Date | Country | Kind |
---|---|---|---|
10 2019 209 226.8 | Jun 2019 | DE | national |

Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/EP2020/064087 | 5/20/2020 | WO |