CN-113961960-B - Data privacy system
Abstract
A data privacy system is provided. A back-end computer and a method of using the back-end computer are described. The method may include receiving sensor data associated with a vehicle at a first back-end computer, determining an annotation of the sensor data, including determining personal data and determining non-personal data separate from the personal data, wherein each of the personal data and the non-personal data includes annotation data, wherein the personal data includes information related to at least one identified or identifiable natural person, and performing, at the first back-end computer, data processing associated with collecting the sensor data associated with the vehicle via the personal data and the non-personal data separate from the personal data.
Inventors
- S. Trevlinger
- S. Jian
- 5. Ruskin
Assignees
- Robert Bosch GmbH
Dates
- Publication Date
- 20260508
- Application Date
- 20210719
- Priority Date
- 20200720
Claims (19)
- 1. A method of managing personal data associated with a vehicle, comprising: providing one or more random masks to the vehicle; in response to providing the one or more random masks, receiving, at a first back-end computer, sensor data associated with the vehicle, wherein the receiving includes receiving a first partial masking share and a second partial masking share, wherein the first partial masking share and the second partial masking share each include personal data; determining an annotation of the sensor data, comprising determining personal data and determining non-personal data separate from the personal data, wherein each of the personal data and the non-personal data comprises annotation data, wherein the personal data comprises information related to at least one identified or identifiable natural person; and performing data processing associated with collecting the sensor data associated with the vehicle via the personal data and the non-personal data separate from the personal data, wherein the data processing is performed by communicating with a second back-end computer in accordance with a multiparty computing (MPC) framework such that neither the first partial masking share nor the second partial masking share is shared between the first and second back-end computers.
- 2. The method of claim 1, wherein the sensor data is collected by the vehicle while the vehicle is operating in the autonomous driving mode or by an infrastructure associated with the vehicle operating in the autonomous driving mode.
- 3. The method of claim 1, wherein the personal data comprises image data of the at least one identified or identifiable natural person, wherein the image data is captured by at least one sensor in a vehicle, wherein the image data comprises one or more of human biometric information of the at least one identified or identifiable natural person, physical characteristics of the at least one identified or identifiable natural person, an address number associated with the at least one identified or identifiable natural person, license plate number or other vehicle information associated with the at least one identified or identifiable natural person, or neighbor information associated with the at least one identified or identifiable natural person.
- 4. The method of claim 1, wherein the sensor data comprises image data comprising Personally Identifiable Information (PII) of the at least one identified or identifiable natural person.
- 5. The method of claim 1, wherein receiving sensor data associated with a vehicle further comprises receiving masked sensor data, wherein the masked sensor data comprises both personal data and non-personal data.
- 6. The method of claim 1, wherein determining the annotation of the sensor data further comprises providing at least a portion of the sensor data to a third party server, and receiving the annotated sensor data in return in response to providing the at least a portion of the sensor data to the third party server.
- 7. The method of claim 1, further comprising providing a cryptographic key from a Trusted Execution Environment (TEE) to the vehicle prior to receiving the sensor data at the first back-end computer, receiving at least a portion of the sensor data encrypted with the cryptographic key in response to providing the cryptographic key to the vehicle, and then determining decrypted sensor data within the TEE.
- 8. The method of claim 7, further comprising separating personal data from non-personal data within the TEE prior to determining the annotation of the sensor data.
- 9. The method of claim 7, further comprising storing the non-personal data in a database, encrypting the personal data with the sealing key after determining the decrypted sensor data, and then storing the personal data encrypted with the sealing key in the database.
- 10. The method of claim 9, further comprising proving the slave enclave such that the slave enclave may retrieve personal data using a copy of the sealing key stored within its TEE in combination with the unique signature of the slave enclave.
- 11. The method of claim 7, further comprising requesting one or more random masks from a second back-end computer, requesting one or more random masks from a third back-end computer, performing a first masking of the decrypted sensor data, performing a second masking of the decrypted sensor data, and providing the first masking of the decrypted sensor data to the second back-end computer and the second masking of the decrypted sensor data to the third back-end computer such that the second and third back-end computers can process the sensor data in accordance with a multiparty computing (MPC) framework to maintain separation of the sensor data associated with the first masking and the sensor data associated with the second masking.
- 12. The method of claim 7, wherein labeling of sensor data occurs within the TEE.
- 13. The method of claim 1, wherein at least a portion of the sensor data received at the first back-end computer is encrypted with a cryptographic key of a Trusted Execution Environment (TEE) within the first back-end computer, wherein after the at least a portion of the sensor data is received, a mask share is generated for a first portion of the sensor data within the TEE and a mask share is generated for a second portion of the sensor data within the TEE, wherein the mask share for the first portion is provided to the second back-end computer, and wherein the mask share for the second portion is provided to the third back-end computer such that at least one of the second or third back-end computers performs data processing.
- 14. The method of claim 1, wherein at least a portion of the sensor data received at the first back-end computer includes a first partial masking share, and further comprising providing the first partial masking share to a Trusted Execution Environment (TEE) within another computer such that the TEE can perform labeling or data processing, or both, wherein the TEE receives the first partial masking share from the first back-end computer and receives a second partial masking share associated with the sensor data from a second back-end computer, wherein the first and second back-end computers participate in accordance with a multiparty computing (MPC) framework.
- 15. The method of claim 1, wherein determining the separation of personal data from non-personal data, determining the annotation, or performing the data processing occurs within a Trusted Execution Environment (TEE) associated with the master or slave enclave.
- 16. A first back-end computer, comprising: one or more processors; and a memory storing a plurality of instructions executable by the one or more processors, wherein the plurality of instructions comprise: providing one or more random masks to the vehicle; in response to providing the one or more random masks, receiving, at the first back-end computer, sensor data associated with the vehicle, wherein the receiving includes receiving a first partial masking share and a second partial masking share, wherein the first partial masking share and the second partial masking share each include personal data; determining an annotation of the sensor data, comprising determining personal data and determining non-personal data separate from the personal data, wherein each of the personal data and the non-personal data comprises annotation data, wherein the personal data comprises information related to at least one identified or identifiable natural person; and performing data processing associated with collecting the sensor data associated with the vehicle via the personal data and the non-personal data separate from the personal data, wherein the data processing is performed by communicating with a second back-end computer in accordance with a multiparty computing (MPC) framework such that neither the first partial masking share nor the second partial masking share is shared between the first and second back-end computers.
- 17. The first back-end computer of claim 16, wherein the plurality of instructions further comprise providing a cryptographic key from a Trusted Execution Environment (TEE) to the vehicle prior to receiving the sensor data at the first back-end computer, receiving at least a portion of the sensor data encrypted with the cryptographic key in response to providing the cryptographic key to the vehicle, and then determining decrypted sensor data within the TEE.
- 18. The first back-end computer of claim 17, wherein the plurality of instructions further comprises requesting one or more random masks from the second back-end computer, requesting one or more random masks from the third back-end computer, performing a first masking of the decrypted sensor data, performing a second masking of the decrypted sensor data, and providing the first masking of the decrypted sensor data to the second back-end computer and the second masking of the decrypted sensor data to the third back-end computer.
- 19. A non-transitory computer-readable medium comprising a plurality of instructions stored thereon, wherein the plurality of instructions are executable by one or more processors of a first back-end computer, wherein the plurality of instructions comprise: providing one or more random masks to the vehicle; in response to providing the one or more random masks, receiving, at the first back-end computer, sensor data associated with the vehicle, wherein the receiving includes receiving a first partial masking share and a second partial masking share, wherein the first partial masking share and the second partial masking share each include personal data; determining an annotation of the sensor data, comprising determining personal data and determining non-personal data separate from the personal data, wherein each of the personal data and the non-personal data comprises annotation data, wherein the personal data comprises information related to at least one identified or identifiable natural person; and performing data processing associated with collecting the sensor data associated with the vehicle via the personal data and the non-personal data separate from the personal data, wherein the data processing is performed by communicating with a second back-end computer in accordance with a multiparty computing (MPC) framework such that neither the first partial masking share nor the second partial masking share is shared between the first and second back-end computers.
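The masking-share scheme of claims 1, 11 and 13, modelled as additive secret sharing over a prime field; this is an added illustration, not code from the patent or from the assignee. It assumes sensor values are integers below the modulus, that the two MPC back-end computers do not collude, and that only the TEE reconstructs; the constructed frame, the choice of which keys count as personal data, and all function names (separate_personal, split_into_shares, mpc_weighted_sum) are this example's own.

```python
import secrets

P = 2**61 - 1  # prime field modulus (assumption: every sensor value is an int in [0, P))

# Constructed sample frame: a few "pixel" intensities plus telemetry. Treating the
# plate and face regions as personal data follows claim 3; the rest is non-personal.
SAMPLE_FRAME = {
    "plate_region": [201, 17, 255, 88],    # personal: license plate pixels
    "face_region": [10, 240, 33, 57],      # personal: human biometric region
    "road_region": [120, 121, 119, 122],   # non-personal: lane markings
    "speed_kph": 48,                       # non-personal: vehicle telemetry
}
PERSONAL_KEYS = {"plate_region", "face_region"}


def separate_personal(frame, personal_keys=PERSONAL_KEYS):
    """Claim 1: split one record into personal data and non-personal data."""
    personal = {k: v for k, v in frame.items() if k in personal_keys}
    non_personal = {k: v for k, v in frame.items() if k not in personal_keys}
    return personal, non_personal


def random_masks(n):
    """Claim 11: a back-end computer supplies fresh, uniformly random masks."""
    return [secrets.randbelow(P) for _ in range(n)]


def split_into_shares(values, masks):
    """Claims 1/13: share_1 = value - mask, share_2 = mask (mod P). Either share
    on its own is uniform over the field, so it reveals nothing about the value."""
    return [(v - m) % P for v, m in zip(values, masks)], list(masks)


def local_weighted_sum(share, weights):
    """What each MPC back-end computes on its own share, with no communication:
    additive shares are linear, so a weighted sum of values is the sum of the
    per-share weighted sums."""
    return sum(w * s for w, s in zip(weights, share)) % P


def reconstruct(result_share_1, result_share_2):
    """Only the TEE (claims 14/15) ever combines the two result shares."""
    return (result_share_1 + result_share_2) % P


def mpc_weighted_sum(values, weights):
    """End to end: mask, compute on each share separately, reconstruct in the TEE."""
    s1, s2 = split_into_shares(values, random_masks(len(values)))
    return reconstruct(local_weighted_sum(s1, weights), local_weighted_sum(s2, weights))
```

Non-linear annotation steps (for example running a detector over the masked image) need a full MPC protocol between the back-ends; this block only shows the linear part that each party can do locally.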
Description
Data privacy system
Technical Field
The present disclosure relates generally to data security and data privacy.
Background
Private and/or public (e.g., government) entities may desire to use data collected by cameras or the like for various purposes. In some cases, the data may include Personally Identifiable Information (PII). Improper processing of this data may violate local, regional, or global privacy laws, such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).
Disclosure of Invention
According to one embodiment, a method of managing personal data associated with a vehicle is disclosed. The method may include receiving sensor data associated with a vehicle at a first back-end computer, determining an annotation of the sensor data, including determining personal data and determining non-personal data separate from the personal data, wherein each of the personal data and the non-personal data includes annotation data, wherein the personal data includes information related to at least one identified or identifiable natural person, and performing, at the first back-end computer, data processing associated with collecting the sensor data associated with the vehicle via the personal data and the non-personal data separate from the personal data.
According to another embodiment, a first back-end computer is disclosed that may include one or more processors, and a memory storing a plurality of instructions executable by the one or more processors, wherein the plurality of instructions include receiving sensor data associated with a vehicle at the first back-end computer, determining a labeling of the sensor data, including determining personal data and determining non-personal data separate from the personal data, wherein each of the personal data and the non-personal data includes labeling data, wherein the personal data includes information related to at least one identified or identifiable natural person, and performing, at the first back-end computer, data processing associated with collecting the sensor data associated with the vehicle via the personal data and the non-personal data separate from the personal data.
According to another embodiment, a non-transitory computer-readable medium is disclosed. The medium may include a plurality of instructions stored thereon, wherein the plurality of instructions are executable by one or more processors of a first back-end computer, wherein the plurality of instructions include receiving, at the first back-end computer, sensor data associated with a vehicle, determining an annotation of the sensor data, including determining personal data and determining non-personal data separate from the personal data, wherein each of the personal data and the non-personal data includes annotation data, wherein the personal data includes information related to at least one identified or identifiable natural person, and performing, at the first back-end computer, data processing associated with collecting the sensor data associated with the vehicle via the personal data and the non-personal data separate from the personal data.
Drawings
Fig. 1 is a schematic diagram illustrating an example of a data privacy system including a data collection system and a plurality of data protection systems. Figs. 2A, 2B, 2C are flowcharts illustrating a process of using the data privacy system. Fig. 3 is a flowchart illustrating another process of using a data privacy system. Figs. 4A, 4B, 4C are flowcharts illustrating another process of using a data privacy system. Figs. 5A, 5B, 5C are flowcharts illustrating another process of using the data privacy system. Figs. 6A, 6B are flowcharts illustrating another process of using a data privacy system. Fig. 7 is a flowchart illustrating another process of using a data privacy system. Fig. 8 illustrates another embodiment of a data collection system.
Detailed Description
Embodiments of the present disclosure are described herein. However, it is to be understood that the disclosed embodiments are merely examples and that other embodiments may take various and alternative forms. The figures are not necessarily to scale; some features may be exaggerated or minimized to show details of particular components. Therefore, specific structural and functional details disclosed herein are not to be interpreted as limiting, but merely as a representative basis for teaching one skilled in the art to variously employ the embodiments. As will be appreciated by one of ordinary skill in the art, the various features illustrated and described with reference to any one figure may be combined with features illustrated in one or more other figures to produce embodiments that are not explicitly illustrated or described. The combination of features illustrated provides representative embodiments of typical applications. However, various combinations and modifications of the features consistent with the teachings of the present disclosur