This application claims priority to German Patent Application No. DE 10 2019 209 711.1, filed Jul. 2, 2019 with the German Patent and Trademark Office. The contents of the aforesaid Patent Application are incorporated herein for all purposes.
The present invention relates to a method, a computer program with instructions, and a device for processing data recorded by a motor vehicle. The invention additionally relates to a method, a computer program with instructions, and a device for providing parameters for the processing of data recorded by a motor vehicle. The invention further relates to a motor vehicle and a back end in which a method according to the invention or a device according to the invention is used.
This background section is provided for the purpose of generally describing the context of the disclosure. Work of the presently named inventor(s), to the extent the work is described in this background section, as well as aspects of the description that may not otherwise qualify as prior art at the time of filing, are neither expressly nor impliedly admitted as prior art against the present disclosure.
In modern motor vehicles, a variety of data is collected. With increasing vehicle connectivity, there is an interest in using the data collected by a vehicle for further evaluation. For this purpose, data may be taken from the motor vehicle and fed to a back end. For example, data may be extracted from vehicle sensors in a location- or time-dependent manner for applications relating to weather forecasts, parking space occupancy, or traffic flow data. In the back end, the data are then combined with other data on a map and fed back to the functions using said data.
One important application scenario for data collection is the creation of a database for anonymized swarm data for researching, developing, and safeguarding automatic driving functions. Highly automated vehicles are expected to cope with a plethora of different and sometimes complex road traffic scenarios without there being an accident. However, since the majority of these scenarios occur only very rarely, testing in real road traffic is both time- and cost-intensive. A substantial database is therefore required for the development of automatic driving functions to series maturity in order to safeguard the algorithms, as this may no longer be achieved by means of classic endurance test runs. Therefore, a data pool is required which has data from as wide a variety of challenging traffic situations as possible, ideally supplied from real driving situations, by means of which data pool the algorithms may be trained and continuously improved such that the vehicles may make appropriate decisions and act safely in road traffic in all eventualities.
However, the data taken from a vehicle may sometimes provide an indication of the personal or material circumstances of an identified or at least identifiable natural person, for example the driver of the motor vehicle.
Such collection and use of the data is generally only possible with a declaration of consent of the driver, as per applicable data protection laws. Although consumers today, in particular in the software field, are quite familiar with accepting conditions of use and granting approval for the evaluation of data, this is not very common in the automotive sector. It is therefore not always easy to obtain a declaration of consent for the use of the data. In addition, software updates may potentially require a new declaration of consent to be obtained from the user, which could become a nuisance for the user over time.
In order to ensure the protection of data, the data may be subjected to different anonymization methods. The aim of these anonymization methods is to conceal the identity of the data originator in an anonymization group.
In one anonymization approach, the data are segmented. In this case, the data of a vehicle are split into different segments during travel. In this way, it is ensured that potential data users cannot obtain the full data set relating to the vehicle's journey. The entire distance is generally only traveled by very few vehicles, and potentially only one individual vehicle. However, the individual segments are traveled by many vehicles.
In another anonymization approach, the data are obfuscated in terms of location or time. In this case, the data are randomly additively shifted in space or time. In this way, identification of the original vehicle is only possible with respect to a group of vehicles.
Although methods for spatial and temporal obfuscation are well suited for concealing the identity of the data originator within an anonymization group, the data user must always compromise on the extent of the spatial and temporal obfuscation.
A need exists to provide solutions for anonymizing data recorded by a motor vehicle that allow for a temporal and spatial obfuscation of the recorded data that is less subjected to compromise.
The need is addressed by a method, by a computer program, and by a device according to the independent claims. Embodiments of the invention are described in the dependent claims, the following description, and the drawings.
The details of one or more embodiments are set forth in the accompanying drawings and the description below. Other features will be apparent from the description, drawings, and from the claims.
In the following description of embodiments of the invention, specific details are described in order to provide a thorough understanding of the invention. However, it will be apparent to one of ordinary skill in the art that the invention may be practiced without these specific details. In other instances, well-known features have not been described in detail to avoid unnecessarily complicating the instant description.
In some embodiments, a method for processing data recorded by a motor vehicle comprises the steps of:
In some embodiments, a computer program contains instructions which, when executed by a computer, prompt the computer to carry out the following steps for processing data recorded by a motor vehicle:
The term “computer” is to be understood broadly. In particular, it may also include control units, workstations, and other processor-based data processing devices.
The computer program may for example be provided for electronic retrieval or be stored on a computer-readable storage medium.
In some embodiments, a device for processing data recorded by a motor vehicle comprises:
From the point of view of the data originator, the anonymization method does not function with fixed settings for the temporal and spatial obfuscation, but rather allows for adjustable mixed anonymization. For this purpose, previously received sets of parameters that allow for situation-dependent adaptation of the anonymization settings are used. In this way, quick recognition of events in the recorded data as well as subsequent precise spatial detection of said events are possible.
In some embodiments, the method for providing parameters for the processing of data recorded by a motor vehicle comprises the steps of:
In some embodiments, a computer program contains instructions which, when executed by a computer, prompt the computer to carry out the following steps for providing parameters for the processing of data recorded by a motor vehicle:
The term “computer” is to be understood broadly. In particular, it may also include control units, workstations, and other processor-based data processing devices.
The computer program may for example be provided for electronic retrieval or be stored on a computer-readable storage medium.
In some embodiments, a device for providing parameters for the processing of data recorded by a motor vehicle comprises:
From the point of view of the data user, this is not restricted to data that were anonymized with temporal and spatial obfuscation settings subjected to compromise. Rather, the data user may prompt the data originator to use an adapted set of parameters for the anonymization depending on the situation or event. For this purpose, the desired set of parameters may for example be transmitted to the data originator. Alternatively, it is also possible to merely transmit a request to the data originator to use a set of parameters already available to the data originator for the anonymization. In this way, the data user is always able to change the sets of parameters for the obfuscation algorithm.
In some embodiments, the at least one set of parameters comprises specifications as to which position or which area the at least one set of parameters may be applied for. For example, it is possible to adapt the set of parameters not only for the obfuscation filter as a whole but rather precisely for specific positions or areas. This makes it possible, for example, to apply a slow and precise obfuscation, i.e., a large-scale temporal obfuscation in combination with a small-scale spatial obfuscation, to a previously identified site of an accident, without thereby causing a large-scale temporal obfuscation in other regions.
In some embodiments, the at least one set of parameters comprises specifications as to which type of recorded data the at least one set of parameters may be applied for. This makes it possible to only adapt the anonymization for specific data sets or identified events. For example, a fast and imprecise obfuscation may be permitted for an identified emergency vehicle, i.e., a small-scale temporal obfuscation in combination with a large-scale spatial obfuscation.
In some embodiments, a selection is made between two or more sets of parameters for the temporal and spatial obfuscation of the recorded data. Another possibility is an obfuscation with multiple sets of parameters that may be selected at random. It may be beneficial if, for example, 50% of the data are anonymized with a large-scale temporal obfuscation in combination with a small-scale spatial obfuscation, whereas the remaining 50% of the data are anonymized with a small-scale temporal obfuscation in combination with a large-scale spatial obfuscation. This makes it statistically certain that new events or fundamental changes to events, for example, are identified quickly, while known data may be measured more accurately over time on account of the slow detection. This approach of using multiple sets of parameters is helpful, in particular, if a precise adaptation of the sets of parameters is not possible or not possible with sufficient certainty. Of course, a combination of the methods is also possible, i.e., the use of multiple sets of parameters with adaptable, precisely executed parameters. The percentage distribution used is for example adaptable depending on the application.
In some embodiments, firstly, a first set of parameters that causes an obfuscation of the recorded data involving a small-scale temporal obfuscation in combination with a large-scale spatial obfuscation is transmitted. Then, in response to an event being identified in the obfuscated data, a second set of parameters that causes an obfuscation of the recorded data involving a large-scale temporal obfuscation in combination with a small-scale spatial obfuscation is transmitted. In this way, it is possible, for example, to detect a traffic jam or the end of a traffic jam within approximately 60 seconds to the nearest 5 km. As soon as this is known to the data user, said data user may change the parameters and thus locate the end of the traffic jam to the nearest 500 m, for example. However, this is done with a time offset. The data user is thus able to quickly warn traffic or to divert traffic over a large area by means of navigation instructions. In the long term, the data user will also be able to warn drivers of the exact point at which the traffic jam ends.
For example, a method or a device according to the teachings herein may be used in an autonomously or manually controlled vehicle, in particular a motor vehicle. Alternatively, the solution may also be used in a back end to which the data are transmitted from the vehicle.
Additional features of the present invention will become apparent from the following description and the appended claims in conjunction with the FIGS.
In order to improve understanding of the principles of the present invention, further embodiments will be explained in detail in the following based on the FIGS. It should be understood that the invention is not limited to these embodiments and that the features described may also be combined or modified without departing from the scope of protection of the invention as defined in the appended claims.
The data processing unit 22 and the anonymization unit 23 may be controlled by a control unit 24. Settings of the data processing unit 22, anonymization unit 23, or control unit 24 may be changed, if required, via a user interface 27. The data accumulating in the device 20 may be deposited in a memory 26 of the device 20 if required, for example for later evaluation or to be used by the components of the device 20. The data processing unit 22, anonymization unit 23, and control unit 24 may be designed as dedicated hardware, for example as integrated circuits. Of course, they may also be partially or fully combined or be implemented as software running on a suitable processor, for example a GPU. The input 21 and the output 25 may be implemented as separate interfaces or as a combined bidirectional interface.
The processor 32 may comprise one or more processor units, for example microprocessors, digital signal processors, or combinations thereof.
The memories 26, 31 of the embodiments described may have volatile and/or non-volatile memory regions and comprise a wide variety of storage units and storage media, for example hard drives, optical storage media, or semiconductor memories.
The two embodiments of the device may be integrated in the motor vehicle or be part of a back end that is connected to the motor vehicle.
The parameter determination unit 62 and the transmission unit 63 may be controlled by a control unit 64. Settings of the parameter determination unit 62, transmission unit 63, or control unit 64 may be changed, if required, via a user interface 67. The data accumulating in the device 60 may be deposited in a memory 66 of the device 60 if required, for example for later evaluation or to be used by the components of the device 60. The parameter determination unit 62, transmission unit 63, and control unit 64 may be designed as dedicated hardware, for example as integrated circuits. Of course, they may also be partially or fully combined or be implemented as software running on a suitable processor, for example a GPU. The input 61 and the output 65 may be implemented as separate interfaces or as a combined bidirectional interface.
The processor 72 may comprise one or more processor units, for example microprocessors, digital signal processors, or combinations thereof.
The memories 66, 71 of the embodiments described may have volatile and/or non-volatile memory regions and comprise a wide variety of storage units and storage media, for example hard drives, optical storage media, or semiconductor memories.
By way of example, it is therefore possible to detect a traffic jam or the end of a traffic jam within approximately 60 seconds to the nearest 5 km. As soon as this is known to the data user 91, said data user may change the parameters and thus locate the end of the traffic jam to the nearest 500 m, for example. However, this is done with a time offset of 600 seconds. The data user 91 is thus able to quickly warn traffic or to divert traffic over a large area by means of navigation instructions. In the long term, the data user will also be able to warn drivers of the exact point at which the traffic jam ends.
It is possible to adapt the set of parameters P not only for the obfuscation algorithm 92 as a whole but also precisely for specific positions or areas or for specific data sets or identified events. This makes it possible to apply a slow and precise obfuscation, i.e. a large-scale temporal obfuscation in combination with a small-scale spatial obfuscation, to a previously identified end point of a traffic jam. Equally, a fast and imprecise obfuscation may be permitted for an identified emergency vehicle, i.e. a small-scale temporal obfuscation in combination with a large-scale spatial obfuscation.
Another possibility is an obfuscation with multiple sets of parameters P that are selected at random. It may be beneficial if, for example, 50% of the data are anonymized with a large-scale temporal obfuscation in combination with a small-scale spatial obfuscation, whereas the remaining 50% of the data are anonymized with a small-scale temporal obfuscation in combination with a large-scale spatial obfuscation. This makes it statistically certain that new events or fundamental changes to events, for example, are identified quickly, while known data may be measured more accurately over time on account of the slow detection. This approach of using multiple sets of parameters P is beneficial in particular, if a precise adaptation of the sets of parameters P is not possible or not possible with sufficient certainty.
One possible application scenario for obfuscation with multiple sets of parameters P is the identification of an icy road. For this application scenario, 30% of the measurements, for example, may be obfuscated by means of spatial blurring of 5 km and temporal blurring of 1 min. As such, icy regions may be detected quickly. The warnings are therefore provided quickly, but are very imprecise from a spatial point of view. In contrast, 70% of the measurements are obfuscated with spatial blurring of 250 m and temporal blurring of 20 min. As such, the boundaries of the icy regions on the road may be accurately identified. The warnings are therefore accurate, but very sluggish.
The associated set of parameters P or parameter matrix is as follows:
[30%, 5 km, 1 min; 70%, 250 m, 20 min].
Of course, a combination of the methods is also possible, i.e. the use of multiple sets of parameters P with adaptable, precisely executed parameters.
The invention has been described in the preceding using various exemplary embodiments. Other variations to the disclosed embodiments may be understood and effected by those skilled in the art in practicing the claimed invention, from a study of the drawings, the disclosure, and the appended claims. In the claims, the word “comprising” does not exclude other elements or steps, and the indefinite article “a” or “an” does not exclude a plurality. A single processor, module or other unit or device may fulfil the functions of several items recited in the claims.
The term “exemplary” used throughout the specification means “serving as an example, instance, or exemplification” and does not mean “preferred” or “having advantages” over other embodiments. The term “in particular” used throughout the specification means “serving as an example, instance, or exemplification”.
The mere fact that certain measures are recited in mutually different dependent claims or embodiments does not indicate that a combination of these measures cannot be used to advantage. Any reference signs in the claims should not be construed as limiting the scope.
Number | Date | Country | Kind |
---|---|---|---|
10 2019 209 711.1 | Jul 2019 | DE | national |
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/EP2020/067453 | 6/23/2020 | WO |
Publishing Document | Publishing Date | Country | Kind |
---|---|---|---|
WO2021/001207 | 1/7/2021 | WO | A |
Number | Name | Date | Kind |
---|---|---|---|
8255393 | Yu et al. | Aug 2012 | B1 |
8611650 | Klein et al. | Dec 2013 | B2 |
8711688 | Smith et al. | Apr 2014 | B1 |
8978153 | Cuthbertson | Mar 2015 | B1 |
9471852 | Feris | Oct 2016 | B1 |
9794373 | Steinmetz | Oct 2017 | B1 |
10032368 | Thompson et al. | Jul 2018 | B1 |
10311446 | Prehofer | Jun 2019 | B2 |
10679077 | Kinoshita et al. | Jun 2020 | B2 |
10846428 | Max et al. | Nov 2020 | B2 |
11868479 | Lysecky et al. | Jan 2024 | B2 |
20020177950 | Davies | Nov 2002 | A1 |
20050069138 | De Jong | Mar 2005 | A1 |
20080027627 | Ikeda et al. | Jan 2008 | A1 |
20090157566 | Grush | Jun 2009 | A1 |
20100079590 | Kuehnle et al. | Apr 2010 | A1 |
20120042046 | Petersen et al. | Feb 2012 | A1 |
20120121183 | Joshi | May 2012 | A1 |
20120197873 | Uramoto | Aug 2012 | A1 |
20130117830 | Erickson et al. | May 2013 | A1 |
20130335237 | Zarka et al. | Dec 2013 | A1 |
20150300835 | Fowe et al. | Oct 2015 | A1 |
20160065559 | Archer et al. | Mar 2016 | A1 |
20160104377 | French et al. | Apr 2016 | A1 |
20160150361 | Zhu et al. | May 2016 | A1 |
20160358349 | Dorum | Dec 2016 | A1 |
20160364983 | Downs et al. | Dec 2016 | A1 |
20170010618 | Shashua et al. | Jan 2017 | A1 |
20170083708 | Braghin et al. | Mar 2017 | A1 |
20170118634 | Xiong et al. | Apr 2017 | A1 |
20170358204 | Modica et al. | Dec 2017 | A1 |
20170366513 | Kumaran | Dec 2017 | A1 |
20180173895 | Max et al. | Jun 2018 | A1 |
20180173970 | Bayer et al. | Jun 2018 | A1 |
20180261021 | Rosenbaum | Sep 2018 | A1 |
20180315180 | Townsend | Nov 2018 | A1 |
20190017832 | Busser | Jan 2019 | A1 |
20190051062 | Mueck | Feb 2019 | A1 |
20190051172 | Stenneth et al. | Feb 2019 | A1 |
20190086925 | Fan et al. | Mar 2019 | A1 |
20190156062 | Busser | May 2019 | A1 |
20190196481 | Tay et al. | Jun 2019 | A1 |
20190258260 | Sunil Kumar et al. | Aug 2019 | A1 |
20190271551 | Stess | Sep 2019 | A1 |
20190272389 | Viente et al. | Sep 2019 | A1 |
20190272746 | Aguiar et al. | Sep 2019 | A1 |
20200042620 | Aggarwal et al. | Feb 2020 | A1 |
20200132476 | Roeth et al. | Apr 2020 | A1 |
20200271458 | Berry et al. | Aug 2020 | A1 |
20200379122 | Tontiruttananon et al. | Dec 2020 | A1 |
20200386569 | Stajner et al. | Dec 2020 | A1 |
20200387632 | Mcerlean | Dec 2020 | A1 |
20210027117 | Mcgavran et al. | Jan 2021 | A1 |
20210075775 | Cheng et al. | Mar 2021 | A1 |
20210176597 | Li et al. | Jun 2021 | A1 |
20220116742 | Tal et al. | Apr 2022 | A1 |
20220120585 | Max et al. | Apr 2022 | A1 |
20220136846 | Bhorkar et al. | May 2022 | A1 |
Number | Date | Country |
---|---|---|
105871831 | Aug 2016 | CN |
102011106295 | Jan 2012 | DE |
102013204128 | Sep 2014 | DE |
102014208465 | Nov 2015 | DE |
102016200855 | Sep 2016 | DE |
102015213393 | Jan 2017 | DE |
102015216414 | Mar 2017 | DE |
102016110331 | Jun 2017 | DE |
102016225287 | Jun 2018 | DE |
102018006281 | Feb 2019 | DE |
102019209226 | Dec 2020 | DE |
102019209711 | Jan 2021 | DE |
2423885 | Feb 2012 | EP |
2827547 | Jan 2015 | EP |
2020259932 | Dec 2020 | WO |
2020259933 | Dec 2020 | WO |
2021001207 | Jan 2021 | WO |
Entry |
---|
P. M. Wightman, M. A. Jimeno, D. Jabba and M. Labrador, “Matlock: A location obfuscation technique for accuracy-restricted applications,” 2012 IEEE Wireless Communications and Networking Conference (WCNC), Paris, France, 2012, pp. 1829-1834, doi: 10.1109/WCNC.2012.6214082. (Year: 2012). |
U.S. Non-Final Office Action, U.S. Appl. No. 17/623,004, 23 pages. |
Gruteser, Marco et al., “Anonymous Usage of Location-Based Services Through Spacial and Temporal Cloaking,” Proceedings of MobiSys 2003: The First International Conference on Mobile Systems, Applications, and Services, pp. 31-42, May 5, 2003. |
Gedik, Bu{tilde over (g)}ra et al., “Location Privacy in Mobile Systems: A Personalized Anonymization Model,” Proceedings of the 25th IEEE International Conference on Distributed Computing Systems, pp. 620-629, Jun. 6, 2005. |
Mascetti, Sergio et al., “κ-Anonymity in Databases with Timestamped Data,” IEEE 13th International Symposium on Temporal Representation and Reasoning (TIME'06), pp. 177-186, 2006. |
Gedik, Bura et al., “Protecting Location Privacy with Personalized κ-Anonymity: Architecture and Algorithms,” IEEE Transactions on Mobile Computing, vol. 7, No. 1, 18 pages, Jan. 1, 2008. |
German Office Action, Application No. 102019209485.6, 10 pages, Jan. 14, 2020. |
German Office Action, Application No. 102019209711.1, 6 pages, Jun. 10, 2020. |
International Search Report and Written Opinion, Application No. PCT/EP2020/064084, 7 pages, Aug. 14, 2020. |
International Search Report and Written Opinion, Application No. PCT/EP2020/064087, 11 pages, Sep. 14, 2020. |
International Search Report and Written Opinion, Application No. PCT/EP2020/067453, 10 pages, Oct. 5, 2020. |
U.S. Non-Final Office Action, U.S. Appl. No. 17/623,160, 31 pages, Jan. 18, 2024. |
Number | Date | Country | |
---|---|---|---|
20220358248 A1 | Nov 2022 | US |