Information processing device

The information processing device informs users about data risks and benefits, enabling them to make informed decisions on data provision, thus addressing privacy issues in vehicle data sharing.

JP7878200B2Active Publication Date: 2026-06-23TOYOTA JIDOSHA KK

Patent Information

Authority / Receiving Office
JP · JP
Patent Type
Patents
Current Assignee / Owner
TOYOTA JIDOSHA KK
Filing Date
2023-07-21
Publication Date
2026-06-23

AI Technical Summary

Technical Problem

Existing systems fail to adequately inform users about the potential risks and benefits associated with providing vehicle data to business operators, leading to hesitation in data provision agreements.

Method used

An information processing device that obtains and presents risk and benefit information to users before data provision, allowing them to consent to specific data types and conditions.

Benefits of technology

Enables informed decision-making by users regarding data provision, addressing privacy concerns and enhancing user trust in data sharing processes.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure 0007878200000001
    Figure 0007878200000001
  • Figure 0007878200000002
    Figure 0007878200000002
  • Figure 0007878200000003
    Figure 0007878200000003
Patent Text Reader

Abstract

To appropriately provide information about information collection to an information provider.SOLUTION: Information on a risk occurring when first data obtained during traveling by a first vehicle is provided to a first business operator is obtained, information on the risk is presented to a user associated with the first vehicle, and the user is asked whether to consent to provide the first data to the first business operator.SELECTED DRAWING: Figure 1
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] The present disclosure relates to a technique for collecting information from a vehicle.

Background Art

[0002] In recent years, proper management of personal information has been demanded. Regarding this, for example, Patent Document 1 discloses an evaluation device capable of calculating the risk of an individual being identified in a system for anonymizing and externally providing personal information.

Prior Art Documents

Patent Documents

[0003]

Patent Document 1

Summary of the Invention

Problems to be Solved by the Invention

[0004] An object of the present disclosure is to appropriately guide an information provider regarding information collection.

Means for Solving the Problems

[0005] One aspect of an embodiment of the present disclosure is obtaining information regarding a risk that occurs when first data acquired during travel by a first vehicle is provided to a first operator, presenting the information regarding the risk to a user associated with the first vehicle, and querying the user as to whether to consent to the provision of the first data to the first operator, and an information processing apparatus having a control unit that executes the above.

[0006] Also, as another aspect, there are a method executed by the above apparatus, a program for causing a computer to execute the method, or a computer-readable storage medium that stores the program non-temporarily.

Effects of the Invention

[0007] According to this disclosure, information providers can be appropriately guided regarding information collection. [Brief explanation of the drawing]

[0008] [Figure 1] A schematic diagram of the vehicle system according to the first embodiment. [Figure 2] A diagram showing the components of an in-vehicle device and a server device. [Figure 3] An example of data stored by in-vehicle devices and server devices. [Figure 4] A flowchart of the processes performed by the in-vehicle device. [Figure 5] A flowchart of the processes performed by the in-vehicle device. [Figure 6] An example of a screen used to request consent for data provision. [Modes for carrying out the invention]

[0009] In recent years, attempts have been made to utilize data collected from automobiles. It is expected that using vehicle-based data as big data will enable the provision of a variety of services. On the other hand, data transmitted from vehicles may include personal information or similar information. This includes not only personal information itself, but also location information and other data linked to an individual. This could potentially lead to privacy issues.

[0010] For this reason, attempts are being made to explain the collection and use of data to users (for example, vehicle drivers) in advance before concluding a data provision agreement. However, when entering into data provision agreements, it is not common practice to explain what impact providing the data will have on the user, which is a cause of hesitation in providing data. The information processing device relating to this disclosure solves such problems.

[0011] The information processing device relating to the first aspect of this disclosure is: The control unit has the following functions: to obtain information regarding the risks that may arise if the first data acquired by the first vehicle while it is in motion is provided to the first business operator; to present the information regarding the risks to the user associated with the first vehicle; and to ask the user whether or not they consent to the provision of the first data to the first business operator.

[0012] The first data refers to data acquired while the first vehicle is in motion, and includes the driver's personal information and data related to the first vehicle's operation (e.g., location information and speed information). The first data is also referred to as sensor data. The control unit acquires information regarding the risks that may arise from providing the first data to the first business operator. The first business operator is a business operator that provides a predetermined service using the first data. The information regarding risks may describe specific damages that may occur, such as "events that can be expected if the information is leaked," or it may describe things other than damages, such as "which business operator will have access to the personal information." Therefore, the control unit may acquire predefined risk-related information and provide guidance to the user based on that information. The user associated with the first vehicle is typically the driver of the first vehicle, but the user associated with the first vehicle may also be a passenger, the owner of the first vehicle, etc.

[0013] Furthermore, if there are multiple types of first data, the control unit may acquire and present risk information for each type of first data. In this case, the user may be allowed to select the type of first data to be provided to the first business operator.

[0014] Further, when obtaining consent, the control unit may further present to the user the acquisition conditions of the first data by the first vehicle. According to such a configuration, it becomes possible for the user to grasp under what conditions the first data is acquired.

[0015] Further, the control unit may further present data regarding the ratio of users who have consented to the provision of the first data to the whole. For example, when there are a plurality of users under the management of the system, it may be presented what percentage of the whole has consented to data provision.

[0016] Hereinafter, specific embodiments of the present disclosure will be described based on the drawings. The hardware configuration, module configuration, functional configuration, etc. described in each embodiment are not intended to limit the technical scope of the disclosure only to them unless otherwise specified.

[0017] (First Embodiment) The outline of the vehicle system according to the first embodiment will be described with reference to FIG. 1. The vehicle system according to the present embodiment includes a vehicle 10 equipped with an in-vehicle device 100 and a server device 2 00. There may be a plurality of vehicles 10 (in-vehicle devices 100) included in the system.

[0018] The vehicle 10 is a probe vehicle for collecting data. The vehicle 10 is configured to be able to collect data related to driving and data related to passengers, and can transmit the collected data to the server device 200 via the in-vehicle device 100. Examples of the data related to driving include, for example, the speed of the vehicle, the traveling direction, the position information, the information related to the driving operation, the information related to the behavior of the vehicle, or the image data captured by the in-vehicle camera. Examples of the data related to passengers include, for example, an individual identifier, gender, or age. In the following explanation, the data collected by vehicle 10 will be referred to as sensor data. Sensor data is an example of "first data," but the data collected by vehicle 10 does not necessarily have to be obtained through sensing.

[0019] The server device 200 is a device that provides predetermined services based on sensor data collected from the vehicles 10. For example, by collecting location information and speed information from multiple vehicles 10, it can generate congestion information and traffic information and provide it to other vehicles. Furthermore, by collecting data on the occupants of the vehicles, it becomes possible to provide information tailored to individuals. In addition, by collecting images captured by on-board cameras, it becomes possible to generate road map data. The server device 200 requests multiple vehicles 10 to transmit predetermined sensor data, and the vehicles 10 (onboard devices 100) respond by transmitting the sensor data.

[0020] The server device 200 may be a device that provides services to vehicle 10 (or other vehicles) based on sensor data collected from vehicle 10, or it may be a device that relays sensor data collected from vehicle 10 to further external devices. For example, if there are multiple types of sensor data collected from vehicle 10, the server device 200 may relay the sensor data for each type of sensor data to different external devices under the management of different operators.

[0021] Furthermore, the server device 200 obtains consent from the user associated with the vehicle 10 (for example, the driver) to provide sensor data (i.e., to transmit sensor data to the server device 200). Whether or not consent has been given is stored in both the server device 200 and the in-vehicle device 100. The in-vehicle device 100 transmits data to the server device 200 only if consent has been given for data provision. The in-vehicle device 100 has a database that stores whether or not consent has been given for each type of sensor data, and based on this database, it determines whether or not the user has consented to the transmission of certain sensor data (whether they have consented in the past).

[0022] In the vehicle system according to this embodiment, multiple in-vehicle devices 100 and server devices 200 are interconnected by a network. The network may include, for example, a Wide Area Network (WAN), which is a global public communication network such as the Internet, or other communication networks. The network may also include a telephone communication network such as a mobile phone network, or a wireless communication network such as Wi-Fi (registered trademark).

[0023] Each element that makes up the system will be explained. Figure 2 shows the system configuration of the in-vehicle device 100 and the server device 200.

[0024] First, let's explain the configuration of server device 200. The server device 200 includes a processor such as a CPU or GPU, and main memory such as RAM or ROM. The system can be configured as a computer having auxiliary storage devices such as EPROMs, hard disk drives, and removable media. The auxiliary storage devices store the operating system (OS), various programs, various tables, etc., and by executing the programs stored therein, various functions that match the predetermined purpose, as described later, can be realized. However, some or all of the functions may be realized by hardware circuits such as ASICs or FPGAs. The server device 200 may consist of a single computer or multiple computers that cooperate with each other.

[0025] The server device 200 is comprised of a control unit 201, a storage unit 202, and a communication unit 203.

[0026] The control unit 201 is a computing device that manages the control performed by the server device 200. The control unit 201 can be implemented by a computing device such as a CPU. The control unit 201 is configured with two functional modules: a consent acquisition unit 2011 and a data acquisition unit 2012. Each functional module may be implemented by the CPU executing a program stored in an auxiliary storage means.

[0027] Prior to acquiring sensor data from the vehicle 10, the consent acquisition unit 2011 obtains consent from the user of the vehicle 10 for data provision. The server device 200 is configured to acquire or store data related to the intended use of the sensor data to be acquired (hereinafter referred to as "intended use data"). The intended use data includes data related to the intended use of the sensor data, the destination of the sensor data, the conditions for acquiring the sensor data, the timing of the sensor data transmission, and the entity (business operator) that will use the sensor data. The consent acquisition unit 2011 presents this information to the user of the vehicle 10 via the in-vehicle device 100.

[0028] Furthermore, the usage data includes data regarding the risks that may arise from providing sensor data. The consent acquisition unit 2011 presents explanations of these risks to the user of the vehicle 10 via the in-vehicle device 100. Furthermore, the usage data includes data regarding the benefits generated by providing the sensor data. The consent acquisition unit 2011 presents an explanation of these benefits to the user of the vehicle 10 via the in-vehicle device 100.

[0029] The consent acquisition unit 2011 determines whether consent to provide data exists for each type of sensor data, based on the response from the user of the vehicle 10. Furthermore, if consent is obtained for a specific type of sensor data, the consent acquisition unit 2011 stores the presence or absence of consent in both the server device 200 and the in-vehicle device 100. Note that if there are multiple types of sensor data to be provided, or if there are multiple businesses using the sensor data, comprehensive consent may be obtained, or multiple consents may be obtained. Furthermore, once the user of vehicle 10 has consented to the provision of data, it can be considered that a data provision agreement has been established between the user and the business operator receiving the sensor data.

[0030] The data acquisition unit 2012 requests the transmission of sensor data from each of the multiple vehicles 10 (onboard devices 100). For example, if the server device 200 performs a service that generates road map data based on images taken by the vehicles 10, the server device 200 requests the vehicles 10 to transmit image data. The type of sensor data requested by the server device 200 may vary depending on the service performed by the server device 200. The data acquisition unit 2012 also receives sensor data from the multiple vehicles 10 (onboard devices 100) and stores it in the storage unit 202. The stored sensor data is used to provide a predetermined service.

[0031] The storage unit 202 comprises a main memory and an auxiliary storage device. The main memory is the memory where programs executed by the control unit 201 and data used by said control programs are stored. The auxiliary storage device is the device where programs executed by the control unit 201 and data used by said control programs are stored. Sensor data collected from the vehicle 10 is stored in the storage unit 202.

[0032] Furthermore, the aforementioned usage data is stored in the memory unit 202. Figure 3(A) shows an example of the usage data 202A. Usage data is data related to the handling of sensor data, and includes information such as the sensor data identifier (data ID), the type of sensor data, the destination of the sensor data, the conditions for acquiring the sensor data, the transmission cycle of the sensor data, and the businesses that utilize the sensor data. The destination of the sensor data may be represented by a network address or the like. Examples of conditions for acquiring sensor data include: "an image is captured at a specific location," "video is captured in a specific section," and "location information is acquired every second during a specific time period."

[0033] Furthermore, the application data includes data (risk-related data) to inform users about the risks that may arise from providing sensor data. Risk-related data may include, for example, the following information: • What information is collected and by which business operator? • What impact will the collected information have on the user? • What kind of data would be accessible to a third party if information were to be leaked? Is there a risk that data obtained by a third party could be misused? Risk-related data may include explanations for events that do not normally occur, such as data breaches, or for events that occur during normal operation. The events covered may be anything that the user considers to be a risk.

[0034] Furthermore, the application data includes data (profit-related data) that informs users about the benefits that will be generated by providing sensor data. Profit-related data may include, for example, the following information: • What information is collected and by which business operator? • What benefits will users gain as a result of information being collected by businesses? • What benefits, other than those of the user, result from the information collected by the business operator? • Is there any compensation (incentive) for gathering information? If so, what is the nature of that compensation (amount, etc.)? Furthermore, the benefits generated by providing sensor data may include benefits other than direct benefits to the user. For example, the benefits generated by providing sensor data may include public benefits, such as "improving security in areas where vehicles travel by providing image data" or "improving the accuracy of traffic congestion predictions by providing location information." In addition, the benefits generated by providing sensor data may relate to the benefits that businesses utilizing the sensor data can obtain.

[0035] Furthermore, the memory unit 202 stores data for managing the user's consent to provide sensor data (hereinafter referred to as consent data). Here, we will explain consent data. Consent data is data that records whether or not transmission of sensor data to an external location is permitted, for each driver, destination, and type of sensor data. Consent data can be generated, for example, based on the results of interaction with the driver.

[0036] Figure 3(B) shows an example of consent data 202B. As illustrated, the consent data includes the following fields: Driver ID, Data ID, Destination, and Availability. The Driver ID field stores an identifier that uniquely identifies the driver. The Data ID field stores information that identifies the type of sensor data. The Destination field stores information that identifies the destination of the sensor data. The Availability field stores whether consent has been given regarding the provision of the sensor data ("Allow" or "Deny").

[0037] The communication unit 203 is a communication interface for connecting the server device 200 to a network. The communication unit 203 is comprised of, for example, a network interface board and a wireless communication circuit for wireless communication.

[0038] Next, the in-vehicle device 100 will be described. Vehicle 10 is a connected car that has the ability to communicate with an external network. Vehicle 10 is equipped with an in-vehicle device 100.

[0039] The in-vehicle device 100 is a computer for collecting information. In this embodiment, the in-vehicle device 100 has a plurality of sensors for collecting information related to the driving of the vehicle 10, and transmits the collected sensor data to the server device 200 at a predetermined timing. The in-vehicle device 100 may be a device that provides information to the occupants of the vehicle 10 (for example, a car navigation system), or it may be an electronic control unit (ECU) of the vehicle 10. Alternatively, the in-vehicle device 100 may be a data communication module (DCM) with communication functions.

[0040] The in-vehicle device 100 can be configured as a computer having a processor such as a CPU or GPU, main memory such as RAM or ROM, and auxiliary storage such as an EPROM, hard disk drive, or removable media. The auxiliary storage contains an operating system (OS), various programs, various tables, etc., and by executing the programs stored therein, various functions that match a predetermined purpose, as described later, can be realized. However, some or all of the functions may be realized by hardware circuits such as ASICs or FPGAs.

[0041] The in-vehicle device 100 comprises a control unit 101, a storage unit 102, a communication unit 103, and an input / output unit 104. The in-vehicle device 100 is also connected to a sensor group 110 and a camera 120.

[0042] The control unit 101 is a computing unit that realizes various functions of the in-vehicle device 100 by executing a predetermined program. The control unit 101 may be implemented by, for example, a CPU. The control unit 101 is configured with a data acquisition unit 1011, a management unit 1012, and a data transmission unit 1013 as functional modules. Each functional module may be implemented by executing a stored program using a CPU.

[0043] The data acquisition unit 1011 acquires sensor data from one or more sensors included in the sensor group 110 at predetermined timings and stores it in the sensor DB 102A of the storage unit 102. If multiple sensor data can be acquired, the data acquisition unit 1011 may acquire all of them. The sensor DB 102A is a database that stores sensor data collected from sensors on the vehicle 10. The data acquisition unit 1011 may also acquire image data via the camera 120, which is an image sensor, and store the acquired image data in the sensor DB 102A.

[0044] Figure 3(C) shows an example of data stored in the sensor DB102A. In addition to sensor data, the sensor DB102A stores the driver's identifier, the date and time the sensor data was acquired, the location where the sensor data was acquired (location information), and the ID of the sensor data.

[0045] Based on the consent obtained from the driver, the management unit 1012 determines which sensor data stored in the sensor DB 102A should be transmitted to the server device 200. Specifically, the management unit 1012 performs the following processes.

[0046] (1) Processing to receive usage data from server device 200 The server device 200 requests data from the vehicle 10 by transmitting the aforementioned usage data to the in-vehicle device 100. In other words, the usage data also functions as data to request the vehicle 10 to transmit specific sensor data. As mentioned above, the usage data includes the sensor data identifier (data ID), the type of sensor data (data type), the destination of the sensor data, the conditions for acquiring the sensor data, and the transmission cycle of the sensor data. The usage data may also include information to explain the purpose of the sensor data, the businesses that use the sensor data, the risks, and the benefits. The usage data transmitted from the server device 200 is stored in the storage unit 102.

[0047] (2) Process for managing user consent regarding the transmission of sensor data to external parties. External transmission refers to sending sensor data to a device located outside the vehicle 10 (for example, a server device 200) (i.e., providing sensor data to an external party). The management unit 1012 obtains from the driver whether or not they consent to the provision of specific sensor data included in the usage data received from the server device 200, and generates the aforementioned consent data. The consent data is stored in the storage unit 102 (consent data 102B), and is also transmitted to the server device 200 and stored in the storage unit 202 (consent data 202B). The management unit 1012 determines whether or not to transmit the sensor data requested by the server device 200, based on the consent data and the driver detection results.

[0048] (3) Process to identify sensor data that has been requested by the server device 200 and for which permission for external transmission has been obtained. The management unit 1012 determines, based on the consent data and usage data, whether or not the requested sensor data is permitted to be transmitted externally, and if transmission is permitted, it decides to transmit the sensor data.

[0049] For example, the management unit 1012 determines whether the in-vehicle device 100 possesses the sensor data specified by the request data. The management unit 1012 recognizes what type of sensor data is requested by referring to the data ID included in the request data. The management unit 1012 also determines whether the in-vehicle device 100 possesses matching sensor data by comparing the acquisition conditions included in the request data with the records recorded in the sensor DB 102A.

[0050] If the in-vehicle device 100 possesses the sensor data specified by the request data, and consent has been given for the provision of said sensor data, the management unit 1012 determines that said sensor data should be transmitted. If the driver of vehicle 10 has no history of authorizing the external transmission of the target sensor data, the management unit 1012 may inquire with the driver of vehicle 10 about the permission to transmit the data and update the consent data based on the result.

[0051] The data transmission unit 1013 acquires the sensor data determined by the management unit 1012 from the storage unit 102 and transmits it to the server device 200.

[0052] The storage unit 102 is a memory device that includes a main memory and an auxiliary storage device. The auxiliary storage device stores the operating system (OS), various programs, various tables, etc., and by loading the programs stored therein into the main memory and executing them, various functions that match a predetermined purpose, as described later, can be realized. Main memory may include RAM (Random Access Memory) and ROM (Read Only Memory). Auxiliary storage may include EPROM (Erasable Programmable ROM) and hardware. This may include disk drives (HDD, Hard Disk Drive). Furthermore, auxiliary storage devices may also be included. This may include removable media, i.e., portable recording media.

[0053] The communication unit 103 is a wireless communication interface for connecting the in-vehicle device 100 to a network. The communication unit 103 is configured to communicate with the server device 200 using communication standards such as a mobile communication network, wireless LAN, or Bluetooth®.

[0054] The input / output unit 104 is a means for receiving input operations performed by the user of the device and presenting information. In this embodiment, it consists of a single touch panel display. That is, it is composed of a liquid crystal display and its control means, and a touch panel and its control means.

[0055] The sensor group 110 is a collection of multiple sensors on the vehicle 10. These multiple sensors may include, for example, a speed sensor, an acceleration sensor, and a GPS module, which acquire data related to the vehicle's movement. Alternatively, these multiple sensors may include an image sensor, an illuminance sensor, and a rain sensor, which acquire data related to the vehicle's driving environment. The sensor group 110 may also include sensors for collecting data about the driver or occupants of the vehicle 10. For example, the occupants of the vehicle can be identified based on images obtained by capturing images of the interior of the vehicle, and data about those occupants can be transmitted as sensor data.

[0056] Camera 120 includes a first camera mounted facing outwards from the vehicle and a second camera mounted in a position to capture the face of an occupant seated in the driver's seat. The first camera functions as an image sensor to acquire images, and the second camera is used to identify the driver of vehicle 10 based on the facial image. The image acquired by the first camera is also an example of sensor data.

[0057] Note that the configuration shown in Figure 2 is just one example, and all or part of the illustrated functions may be performed using specially designed circuits. Furthermore, program storage and execution may be performed using combinations of main memory and auxiliary memory other than those shown.

[0058] Next, we will describe the details of the processes performed by the in-vehicle device 100. Figures 4 and 5 are flowcharts of the processes performed by the in-vehicle device 100.

[0059] In parallel with the execution of the flowchart shown in the diagram, the data acquisition unit 1011 periodically acquires sensor data from the sensors (or first camera) included in the sensor group 110 and stores it in the sensor DB 102A of the storage unit 102.

[0060] The management unit 1012 performs the process of receiving usage data from the server device 200 and the process of transmitting sensor data based on the received usage data. Figure 4 is a flowchart of the process by which the in-vehicle device 100 receives application data from the server device 200. The illustrated process is executed at predetermined timings (for example, when the vehicle's driving system is started).

[0061] First, in step S11, the management unit 1012 queries the server device 200 to determine whether or not there is any usage data to be received. Whether or not there is any usage data to be received can be determined, for example, based on the last update date and time or version number of the usage data. For this reason, the server device 200 may notify the in-vehicle device 100 of the last update date and time or version number of the usage data. Alternatively, the in-vehicle device 100 may store this information in the storage unit 102. If there is any usage data to be received, the process proceeds to step S12. In step S12, the management unit 1012 receives usage data from the server device 200 and stores it in the storage unit 102. At this time, old usage data may be deleted.

[0062] Figure 5 is a flowchart showing the process by which the in-vehicle device 100 transmits sensor data to the server device 200 based on the application data. The illustrated process is executed periodically while the vehicle 10 is in motion. First, in step S21, the management unit 1012 acquires a facial image of the driver via the camera 120 (second camera) and identifies the driver based on the facial image. Driver identification can be performed, for example, by comparing the feature quantities obtained by transforming the facial image with feature quantities corresponding to one or more drivers that have been stored in advance. In step S22, the management unit 1012 identifies the sensor data requested by the server device 200 based on the usage data. In this step, the sensor data requested by the server device 200 and stored in the storage unit 102 is identified. Multiple types of sensor data may be identified in this step.

[0063] The processing in steps S23 to S26 is performed for each of the multiple sensor data identified in step S22. First, in step S23, the management unit 1012 determines whether the driver's consent has been obtained to transmit the target sensor data to the server device 200. For example, if there is a record in the consent data 102B in which the data ID and destination match, and the provision permission field is set to "permitted", then this step is determined to be positive. This step is determined to be negative if the provision permission field is set to "rejected", or if no such record exists (i.e., the driver has not expressed any intention regarding the external transmission of the target sensor data).

[0064] If the result in step S23 is positive, the process proceeds to step S24, and the data transmission unit 1013 transmits the corresponding sensor data.

[0065] If the result in step S23 is negative, the process proceeds to step S25. In step S25, the management unit 1012 determines whether the driver has previously expressed refusal to transmit sensor data with the corresponding data ID. For example, if there is a record in the consent data 102B where the data ID and recipient match, and the availability field is set to "rejected," then this step results in a positive determination. If the determination in step S25 is positive, the corresponding sensor data will not be transmitted.

[0066] If a negative result is obtained in step S25, it means that the driver has not previously expressed their consent regarding the sensor data for the corresponding data ID. In this case, the process proceeds to step S26, where the driver is asked whether they consented or not. In step S26, the management unit 1012 confirms with the driver whether it is acceptable to transmit the appropriate type of sensor data via the input / output unit 104. This confirmation can be performed, for example, via a screen like the one shown in Figure 6(A). This screen may include information regarding the type of sensor data, its purpose, destination, acquisition conditions, the business operator using the sensor data, and the risks and benefits arising from providing the sensor data.

[0067] For example, GUI components for guiding users through risks and benefits may be placed on the screen, and the specific details of risks and benefits may be guided based on user actions. Figure 6(B) is an example of a screen that guides users through information about risks, and Figure 6(C) is an example of a screen that guides users through information about benefits. These screens can be generated based on information included in the usage data. If there are multiple types of sensor data to be transmitted, consent may be obtained on separate screens for each type, or the user may be given the option to consent to the provision of each type of sensor data on the same screen.

[0068] Once the driver provides their response, the result is reflected in consent data 102B and consent data 202B. Based on this information, steps S23 and S24 are repeated.

[0069] As described above, according to the first embodiment, data regarding whether or not consent to data transmission has been given is stored in the in-vehicle device 100 for each sensor data transmitted from the vehicle 10 to the server device 200, and for each driver. The in-vehicle device 100 also controls the transmission of data to the server device 200 based on this data.

[0070] Furthermore, when the in-vehicle device 100 seeks the driver's consent to provide data, it presents information that specifically outlines the risks and benefits that may arise from providing the data. This allows the driver to recognize the risks and benefits associated with providing the data and to make appropriate decisions.

[0071] (Second Embodiment) In the first embodiment, the in-vehicle device 100 provided information such as the purpose of the sensor data, the business operator using the sensor data, and explanations regarding risks and benefits, based on the usage data received from the server device 200. Alternatively, the usage data may include other statistical information, which may be provided in step S26.

[0072] For example, the server device 200 may calculate a value for each data ID, such as "what percentage of users have consented to data provision," based on consent data obtained from multiple vehicles 10 (in-vehicle devices 100) under its management. The calculated value may also be included in the usage data.

[0073] In this case, when the in-vehicle device 100 (management unit 1012) asks the driver whether or not they consent to data provision in step S26, it may, for example, notify the driver on the screen shown in Figure 6(A) of "what percentage of all users have consented to data provision" and then ask for the driver's judgment. In this embodiment, we provided the percentage of users who consented to data provision relative to the total; however, other information related to the overall trend of consent may be provided instead.

[0074] (modified version) The embodiments described above are merely examples, and this disclosure may be modified as appropriate without departing from its essence. For example, the processes and means described in this disclosure can be freely combined and implemented, as long as no technical inconsistencies arise.

[0075] Furthermore, in the first and second embodiments, as information for identifying the driver of the vehicle 10 Although facial images were used, the driver of vehicle 10 may also be identified based on other biometric information. Examples of such biometric information include fingerprints, voiceprints, or iris patterns.

[0076] Furthermore, although the description of the embodiment only illustrates the server device 200 as the destination for sensor data transmission, there may be multiple destinations for sensor data transmission. In this case, application data may be received from each of the multiple external devices. The destination for sensor data transmission may be the manufacturer or related businesses of the vehicle 10, or a third party with whom a data provision agreement has been concluded. Furthermore, while the description of the embodiment mentions obtaining consent for "transmitting sensor data to an external location of the vehicle 10," consent may also be given for "providing sensor data to a designated business operator" or "allowing the business operator to use the sensor data."

[0077] Furthermore, while the description of the embodiment involved obtaining consent from the driver of vehicle 10, the subject of the confirmation could also be a passenger or the owner of vehicle 10.

[0078] Furthermore, if the risks and benefits of providing sensor data differ depending on the data provision conditions, the driver may be informed of the risks and benefits for each condition and allowed to choose which conditions under which to enter into a data provision agreement.

[0079] Furthermore, a process described as being performed by a single device may be divided and executed by multiple devices. Conversely, a process described as being performed by different devices may be executed by a single device. In a computer system, the hardware configuration (server configuration) by which each function is implemented can be flexibly changed.

[0080] The present disclosure can also be realized by supplying a computer program implementing the functions described in the embodiments above to a computer, and having one or more processors in the computer read and execute the program. Such a computer program may be provided to the computer by a non-temporary computer-readable storage medium that can be connected to the computer's system bus, or it may be provided to the computer via a network. Non-temporary computer-readable storage mediums include, for example, any type of disk such as magnetic disks (floppy disks, hard disk drives (HDDs), etc.), optical disks (CD-ROMs, DVDs, Blu-ray discs, etc.), read-only memory (ROM), random access memory (RAM), EPROM, EEPROM, magnetic cards, flash memory, optical cards, and any type of medium suitable for storing electronic instructions. [Explanation of Symbols]

[0081] 10.. Vehicles 100...In-vehicle equipment 200... Server equipment 101,201...Control Unit 102,202...Storage section 103,203... Communications Department 104...Input / output section 110... Sensor group 120...Camera

Claims

1. To obtain information regarding the risks that may arise if the first data acquired by the first vehicle while it is in motion is provided to the first business operator, To obtain information regarding the profits that would be generated if the aforementioned first data were provided to the aforementioned first business operator, To present the information regarding the risks and the information regarding the benefits to the user associated with the first vehicle, To ask the user whether or not they consent to the provision of the first data to the first business operator, It has a control unit that performs the following: The information regarding the aforementioned risks is, The above-mentioned first data includes at least an explanation of the risks that may arise if it is leaked to a third party unintended by the above-mentioned first business operator, The information regarding the aforementioned profits is, The first business operator shall include at least an explanatory statement regarding the benefits that will be incurred by parties other than the user as a result of the collection of the first data, Information processing device.

2. The aforementioned first data consists of multiple types, The control unit acquires and presents the risk information and the benefit information for each of the first data types. The information processing apparatus according to claim 1.

3. The information relating to the aforementioned risks includes information relating to the entity that uses the first data, The information processing apparatus according to claim 1.

4. The control unit further presents the conditions for acquiring the first data by the first vehicle. The information processing apparatus according to claim 1.

5. The control unit further presents data relating to the percentage of users who have agreed to receive the first data. The information processing apparatus according to claim 1.