DE102010047117A1 - Method for protecting personal data in network monitoring with customer terminals - Google Patents

Abstract

The inventive method described here provides personality data from mobile radio customers with simultaneously improved positioning accuracy in various monitoring applications such as monitoring radio coverage with customer terminals for the optimization and planning of mobile networks. The customer and terminal identities such as phone numbers or IMEI are not needed and are therefore not transmitted. In addition, further statistical dilution of the measurement data is carried out so that tracing of individual customers and customer movements is effectively prevented even in the case of unauthorized data use and unauthorized data access, without jeopardizing the quality of the radio coverage recording.

Description

Current situation

Under the application number 10 2010 018 282.6-56 at the German Patent Office (the same applicant and inventor), a method is described, which serves the detection of quality characteristics of the radio coverage using customer terminals (cell phones, notebooks with PC cards, etc.). The customer terminals are used as probes for the field strength measurement or other quality features of the radio coverage. Each reading is associated with the customer's GPS position or the position of the terminal. There is a risk that even in the absence of identification features such as MSISDN number (phone number) or the device number such as IMEI the customer can be identified. This would also open the way to get sensitive data of his daily routine and his way of life in experience. This would be contrary to the right of the customer to protect his privacy - regardless of the benefits that brings the above-cited method of the entirety of the customers of the respective network operator. This danger exists even if other data such. For example, so-called trouble reports can be sent together with location coordinates and possibly also with the time to the mobile network operator or other entity. Although mobile network operators or these other entities act and provide their own code of practice in accordance with their respective legal requirements, abuse by individual employees who violate the instructions is conceivable.

The process presented here also takes into account the latter situation, allowing for cost-effective quality improvements that benefit customers without having to sacrifice effective protection of their personal data.

improvement

The inventive method described herein is associated with the areas of quality improvement in mobile networks, trouble shooting and error reports in smart phones, mobile applications, and telecommunications in general.

The ways and places where customers move and stop, where and how they communicate (tele-), are recorded with terminals and terminals (mobile phones, notebooks, etc.) of mobile customers. In addition to the geographic data, the field strength and timing of the field strength measurement are also captured and sent manually by customer request or customer confirmation or automatically together to a Data Acquisition Device (DTE) for further evaluation for network planning or optimization. The terminal at the customer acts here as a probe whose position for the further use of the data is just as important as the associated data. Instead of or in addition to the field strength data, other information or events may be initiated either automatically or by the customer. It can also be reported on events such as malfunction of increasingly complex end devices such as iPhone or devices with Androit operating system - fully automatically in the background or alternatively with a request to the customer whether the current event should be sent. Before submitting such a trouble ticket, the appropriate reporting application would provide the relevant information (especially versions) about the operating system, the affected software and / or hardware and / or a currently blocked application, and / or a spyware application against the Customers, and / or an application that uses network resources at the expense of the customer without the customer's knowledge, recorded and attached to the report. In the case of a trouble ticket, the customer is optionally asked whether he has his identity such. B. would like to attach his phone number for queries. The information about the radio coverage is used in a central processing station (automatically, or manually by a specialist) to rule out a network failure or vice versa, even in the presence of an obvious or already known error in the terminal (mobile phone) a search for a network error saved.

In the event that the customer agrees to the release of his identity such as phone number, it is procedurally ensured that only those concerned with the Trouble Shooting bodies or persons receive this information and even this only an anonymous link to the phone number and possibly to the place / Time coordinates are stored in a protected database and only then and that person becomes available, if this becomes necessary for further processing of the process, which is more likely to be regarded as an individual problem of a single customer.

Otherwise, the inventive method described herein is directed to the treatment of the data which has been transmitted anonymously to a central data collection device (DEE) and intended for use in statistical methods. As examples, the detection of the (large area) state of a radio network or the type of device related detection of disturbances can be mentioned here. The statistical recording and the possibility of the spatial allocation in particular allows the detection of rare errors. The knowledge of the network status can possibly exclude influences of the network. Knowledge of the distribution of causes and device types in In a narrow geographic area, more precise error boundaries are allowed and the identification of errors due to the interaction of network and terminal type is possible. It lays the foundation for efficient troubleshooting to improve the quality that ultimately benefits the mobile operator's customer.

Particularly in the detection of the network state, a high accuracy of the spatial resolution is desirable (if possible GPS). The location coordinates are z. B. associated with the field strength. However, the more accurate the location coordinates and the more specific the time of day and the smaller the number of measurements made by different terminals, the greater the risk for a customer to be identified by time and location (eg if only one) single terminal is involved in a particular measurement program and the recorded path begins in the morning in front of the customer's residence) and ends there in the evening).

Privacy protection and personality data

• 1. Die Terminals, die an den Messungen und Erhebungen („Messprogramm”) teilnehmen melden sich von selbst bei der Applikations-Management-Entität (AME) in bestimmten Zeitabständen, um neue Steuerungsanweisungen (z. B. Messanweisungen) oder auch Updates der endgeräteseitigen Applikation (ESA) zu erhalten. Die Terminals werden also nicht angesprochen und sie geben nur ihren Geräte-Typ an und keinerleii Identität – weder die des Terminals noch die des Kunden. Der Geräte-Type ist wichtig, da die Steuerungsanweisungen (StA) und die ESA Updates insbesondere Betriebssystemabhängig sind. Durch Zufallszahlen, die im Terminal (= stellvertretend für Endgerät, Handy, Notebook, etc.) von der endgeräteseitigen Applikation (ESA) erzeugt werden, werden optional unregelmäßige Zeitpunkte des Zurückmeldens generiert. Dies schafft eine zusätzliche Sicherheit gegen ein Identifizieren durch die Evaluierung des Meldezeitpunktes und/oder der -Reihenfolge. Als weitere Option hat der Zeitpunkt für das Hochladen von der ESA zur DEE einen Mindestabstand zur letzten Messung, um eine Korrelation oder Überprüfung von Aufenthaltsorten in Realzeit weiter zu verwässern – ohne das eigentliche Ziel z. B. die Netzzustandserfassung zu beeinträchtigen.
• 2. Optional teilt die DEE der ESA mit, wann sie sich frühestens bei der AME zur eventuellen Entgegennahme von neuen Messaufträgen (StA) melden soll, derart, dass sie keine Daten oder Messungen erfassen kann, die mit dem gerade laufenden und noch nicht abgeschlossenen Programm interferieren würden (Vermeidung von Fehlwichtungen durch Mehrfachmessungen von einzelnen Terminals, die verfahrensgemäß nicht identifizierbar und unterscheidbar sind).
• 3. Die AME kann mit der Datenerfassungseinheit (DEE), bei der die Messergebnisse oder allgemein die Reports hochgeladen werden, identisch sein (funktionale Einheit). Durch die Trennung der beiden Einheiten wird ein zusätzlicher Schutz erreicht, dadurch dass die AME nicht erfahren wird, wo die ESA gemessen hat. In diesem Fall würde die AME grundsätzlich alle StA an das Terminal geben, die für diesen Gerätetyp vorliegen – unabhängig vom aktuellen geographischen Aufenthaltsort des sich gerade meldenden Terminals. Die ESA wird danach selbst entscheiden ob die StA für ihren Aufenthaltsort bestimmt ist oder nicht – im Falle von geographisch begrenztem Messauftrag (Messprogramm).
• 4. Geographisch begrenzte StA erhalten eine Mindest-Größe (z. B. in Quadratkillometer), die nicht unterschritten werden kann, derart dass die Prüfung des vermuteten Aufenthaltes einer einzelnen Person zusätzlich erschwert wird. Das Gleiche gilt auch für die zeitliche Beschränkung, derart dass die beauftragte Messperiode eine Mindestdauer umfasst. Eine weitere Maßnahme ist die Minimum-Anzahl von Messpunkten, die aufzunehmen ist, bevor sich die ESA bei der DEE meldet, um die Mess-Ergebnisse abzuliefern. Wenn die Mess-Periode abgelaufen ist oder der Zeitpunkt gekommen ist, an dem Zwischenergebnisse von der ESA hochgeladen werden sollen, dann prüft die ESA zusätzlich ob diese Minimum-Anzahl erreicht wurde. Ist dies nicht der Fall, gleich aus welchem Grunde, dann ignoriert die ESA die Anweisung für das Hochladen des Zwischenergebnisses und misst bis zum nächsten Zeitpunkt weiter oder falls die Messperiode beendet ist, verwirft sie die Daten. Diese Maßnahmen werden derart realisiert, dass entweder nur festgelegte Zeitraster als Mess-Muster zur Auswahl stehen oder dass ein Editor für die StA diese Überprüfung gegen einen entsprechenden Satz von Regeln vornimmt. Nur derart geprüfte StA gelangen zur AME und letztlich zur ESA. Ein weiteres Verfahrenselement zur Anonymisierung ist die Mindestzahl von Terminals, die sich bei der AME melden müssen, um sich die Anweisungen für ein Messprogramm (StA) abzuholen, derart dass die statistische Basis für die Messergebnisse oder Erfassungsergebnisse hinreichend groß wird, um die Verfolgung und Identifizierung von einzelnen Teilnehmer (oder Terminals) hinreichend zu erschweren.
• 5. Die DEE nimmt die hochgeladenen Datensätze von der ESA entgegen. Wenn sie einen Datensatz für das Trouble Shooting erhält (wird einzeln geliefert), gibt sie diesen an das Trouble Ticketing System weiter. Andere Datensätze ordnet die DEE entsprechend der Messzeiten (zu denen die Messungen oder die Erfassung von Ereignissen erfolgten). Sie nimmt ggf. eine Normierung an Messwerten vor, die z. B. gerätetypische Messwertunterschiede aufweisen und/oder sie nimmt Formatierungen an den Datensätzen vor, die für die spätere Weiterverarbeitung definiert sind. Sie durchsucht die Datensätze nach solchen, die keine hinreichende GPS-Genauigkeit aufweisen oder zu denen das Endgerät (ESA) kein GPS-Signal erhalten hat (wird durch Markierung von der ESA oder durch das Format der GPS-Daten gekennzeichnet). Optional hat die ESA eine Evaluierung von Ersatzwerten beigefügt oder die DEE nimmt eine solche vor oder überschreibt die von der ESA gelieferten nach eigenem algorithmischen Ablauf (siehe unten) oder sie verwirft diese Datensätze. Die Datensätze, die nicht verworfen werden aber mit evaluierten Orts-Koordinaten assoziiert sind, werden entsprechend markiert, um dies bei der späteren Weiterverarbeitung insbesondere in Netzmonitoring- oder Planungstools zu berücksichtigen oder statistisch geringer zu wichten oder in Kartendarstellungen mit entsprechenden Symbolen unterscheidbar zu machen. Die nach den bisherigen Verfahrensschritten vorliegenden Datensätze sind alle von einem einzelnen Endgerät aktuell hochgeladen und bearbeitet worden. Die Identität des Endgerätes oder des Halters des Endgeräte wird niemals geliefert (die Trouble Ticket Datensätze werden nie gemeinsam mit den Netz-Monitoringdaten zur DEE hochgeladen; sie durchlaufen nur kurz die DEE und werden an das Trouble Ticketing System weitergegeben, wo sie nach anderen Regeln anonymisiert und bearbeitet werden; in der DEE werden sie gelöscht). Optional werden die Trouble Tickets an einen separaten Link zu einer Trouble Ticket Erfassungseinheit (TTE) übertragen. Die DEE (und die TTE) arbeitet nicht interaktiv und benötigt kein Eingreifen durch Personal. Der Zugang zu dem entsprechenden Server muss trotzdem mit den üblichen logischen Zugangskontrollen geschützt werden. Nur Personal mit besonderer Berechtigung und nur in besonders begründbaren (Störungs-)Fällen, darf auf diesen Server zugreifen. Ein weiterer Schutz wird durch das Einbringen des Servers in zusätzlich mechanisch/physisch geschützte Räume z. B. mit anderen Servern mit besonders sensiblen Daten erreicht. Nach dieser Vorverarbeitung werden die Datensätze in eine Datenbank übertragen. In diese werden alle Datensätze von allen Geräten übertragen, die an einer bestimmten Maßnahme teilgenommen haben (der Name der Maßname auch Messprogramm oder Messvorhaben genannt, wird den teilnehmenden Geräten jeweils mit der StA mitgeteilt, und die Geräte wiederum teilen es der DEE beim Hochladen mit). Diese Datenbank heißt Messprogramm spezifische Datenbank (MPSDB). Sind alle aktuellen Datensätze von einem individuellen Endgerät Gerät in die MPSDB übertragen worden, werden sie in aus der intermediären Datenbank (ImDB) der DEE gelöscht. In der MPSDB werden alle Datensätze nach ihrem Eintreffen bei der DEE und nach Messzeiten eingeordnet. Erst wenn alle Datensätze von allen teilnehmenden Geräten (wie viele das bei einem bestimmten Messprogramm sind, ist bei der AME bekannt und wird dort abgefragt) eingeordnet sind, wird der Zugriff auf die Daten der MPSDB für den nächsten Prozessschritt freigegeben. Um eine Blockade der MPSDB durch verspätete oder nie eintreffende Endgeräte zu verhindern wird ein Timer gesetzt. Alle später an die DEE berichteten Datensätze zu diesem Messprogramm werden von der DEE verworfen. Ebenfalls aus Datenschutzgründen ist eine Minimumanzahl von Gerätereports gesetzt, die erreicht werden muss, um die MPSDB für den Zugriff freizugeben. Wird diese Minimumanzahl nicht erreicht wird die MPSDB gelöscht. Auch die MPSDB ist noch nicht hinreichend verwürfelt, so dass die Daten vor Zugriff durch Personal geschützt bleiben müssen (siehe oben). Ist die MPSDB komplett mit den Datensätzen der notwendigen Anzahl von Messteilnehmern populiert, werden die Daten in die Messprogramm spezifische Zustandsdatenbank (MPSZ) übertragen. Jedes Messprogramm ist einem geografischen Rechteck zugeordnet. Dieses Rechteck wird virtuell in Quadrate von z. B. 50 × 50 Meter unterteilt (die AME und der StA Editor enthalten verfahrensgemäß Einstellwerte, damit eine ganzzahlige Unterteilung ohne wesentlich kleinere Reste stets möglich ist). Die Datensätze der MPSDB werden systematisch nach dieser (virtuellen) Unterteilung in die MPSZ eingetragen (z. B. von Nordwest nach Südost oder von „links” nach „rechts” und von „oben” nach „unten”). Die genaueren GPS Koordinaten verschwinden und werden durch entsprechende Rasternummern ersetzt, aus denen die Bereiche der jeweiligen Dimension wieder errechnet werden können. Die Datensätze erhalten außerdem ein Zeitraster von z. B. 30 Minuten und eine Wochentagszuordnung oder Tageskategorie (z. B. Werktag, Wochenende). Innerhalb eines geographischen Quadrates werden die verschieden Messpunkte (oder Ereignisdatensätze) nach diesem Zeitraster geordnet eingebracht. Die geographische und die zeitliche Rasterung sind derart ausgestaltet, dass sie der weiteren Anonymisierung und Verwässerung im Sine des Datenschutzes dienen, ohne das eigentliche Ziel der statistischen Netzzustandserfassung zu verfehlen. Jeder Rasterwürfel der MPSZ (gleich ob real oder virtuell auf der Basis der MPSDB realisiert) enthält jetzt Messwerte (z. B. Feldstärke und/oder Geschwindigkeiten und/oder Empfangsqualitätsgrößen) und/oder Ereignisse („Datenverbindung verwendet” oder „Sprachverbindung aufgebaut”) und/oder Gerätetypen (z. B. iPhone 4, Androit Version x.y) mit denen die Messungen oder Ereignisse erfasst wurden. Die verschiedenen Daten werden von unterschiedlichen Anwendern (z. B. Funkplanung, Marketing) unterschiedlich verwendet. Deshalb werden unterschiedliche Abfragen vorgenommen mit unterschiedlichen Daten und Informationsinhalten, die unterschiedlich dargestellt werden, wie z. B. auf geographischen Karten (z. B. Google Earth). Verfahrensgemäß sind die Zugriffsmethoden so gestaltet, dass keine Aufenthaltsorte oder Bewegungsmuster von Individuen evaluiert werden können. Die Rasterwürfel können mit unterschiedlich vielen Datensätzen gefüllt sein. Die MPSZ muss keineswegs physisch dieser Struktur entsprechen. Übliche verfügbare Technologien werden hierbei Speicherplatz sparend eingesetzt. Auch eine dynamische Realisierung der MPSZ aus der MPSDB ist eine verfahrensgemäße Option, d. h. die Zugriffsmethoden werden derart gestaltet, dass sie weder die genaueren Messzeiten noch die genaueren Ort-Koordinaten erfahrbar werden lassen und insbesondere nicht die zusammengehörigen Mess-Sequenzen, die von einem individuellen Endgerät hochgeladen wurden. Wenn Häufigkeiten von Kunden oder Ereignissen oder Messwertverteilungen innerhalb eines Rasterwürfels erfragt werden, werden verschiedene Prüfungen von den (MPSZ-)Zugriffsprozeduren durchgeführt und das Raster ggf. bei zu geringen Stichprobengrößen im Rahmen einer verfahrensgemäßen Unschärferelation verändert (typischerweise vergrößert). Die Unschärferelation wird derart angewendet, dass für eine bestimmte Rasterwürfelgröße (kann auch mehr als 3 Dimensionen haben) eine Mindestanzahl der erfragten Ereignisse (oder Messwerte) vorliegen muss. Ist dies nicht der Fall wird der Rasterwürfel sukzessive vergrößert bis dies zutrifft – wobei jedoch bei größerem Rasterwürfel auch höhere Werte erreicht werden müssen, die jedoch weniger als proportional mit dem Rasterwürfel wachsen. Wenn z. B. nach der Anzahl der Datensätze mit iPhone4 in einem bestimmten Rasterwürfel (Orts-Raster und ein bestimmter Tag und eine bestimmte Uhrzeit) gefragt wird, wird von der Zugriffsprozedur auf die verfahrensgemäßen Regeln zugegriffen, die in diesem Fall sagen, es müssen mindestens n solcher Datensätze vorliegen (auch im Zeitraster von in diesem Fall 30 Minuten), um diese Information zu geben. Die Zahl n wäre in diesem Fall größer als die Anzahl der Messungen die von einem einzelnen Gerät (ESA) innerhalb des Messprogramms (der MPSZ) und innerhalb des Zeitrasters (von im Beispiel 30 Minuten) durchgeführt wurde. Ist die Zahl nicht erreicht, wird der Rasterwürfel verfahrensgemäß in bestimmter Folge vergrößert (z. B. Verdoppelung des Zeitrasters, d. h. die nächsten 30 Minuten werden hinzugefügt) und eine Vergrößerung des Ortsrasters (im Beispiel: die nächsten 50 m Seitenlänge des Rasterquadrates nach „rechts” und nach „unten” werden hinzugefügt). Die Prüfung wird jetzt gegen ein neues „n2” durchgeführt, das kleiner sein darf als das 8-fache von n (8 fachen Rasterwürfelgröße). Wenn sich nicht die hinreichend große Zahl von Datensätzen in diesem vergrößerten Raster befindet, wird die Prozedur so oft sinngemäß wiederholt, bis das Kriterium erfüllt ist oder bis der verfahrensgemäße Einstellwert für Wiederholungen den Abbruch veranlasst. Verfahrensgemäße Varianten für die schrittweise Rasterwürfelvergrößerungen sind auch die Vergrößerung von nur jeweils einer Dimension (z. B. nur die Vergrößerung des Ortsrasters). Die Zugriffsprozedur erfährt dies aus den spezifischen Einstellwerten der jeweiligen Installation des Verfahrens.
• 6. Die Daten von mehreren Messprogrammen oder Erfassungsmaßnamen (z. B. Feststellung dass Sprach- oder Datendienst bei Ortraster xy aktiv oder von Kunden gewünscht) können verfahrensgemäß in eine weitere Datenbank mit größerem geographischen Bereich eingeordnet werden, wenn dies zu den zuvor hier eingebrachten Messprogrammen passt (vom Standpunkt der Messhäufigkeit und der Anzahl der beteiligten Terminals; ggf. muss eine angemessene Normierung vorgenommen werden, die z. B. eine Verzerrung oder Missdeutung von Verkehrsschwerpunkten verhindert). Hierbei gewinnt man ggf. eine netzweite Darstellung von Funkversorgung oder von Verkehrswerten oder von Aussagen zur geografischen Verteilung von Sprach- oder Datendiensten. Hierbei wächst die statistische Basis was die Identifizierung von einzelnen Kunden weiter erschwert. Die Zugriffsmethoden müssen trotzdem die Unschärferelation (siehe Punkt 4. oben) verwenden. Dies gilt insbesondere da eine solche umfassende Datenbank auch einem größeren Kreis von Nutzern zugänglich ist (es können auch temporäre externe Kräfte für Planungs- und Marketing-Projekte zum Kreis der Nutzer gehören).

The inventive method described herein uses several mechanisms to statistically anonymize the records and to statistically aggregate them with those of other clients. Each of the measures described below will make an amount for anonymisation, but the interaction of all these measures is much more effective.

• 1. The terminals participating in the measurements and surveys ("Measurement Program") report themselves at the Application Management Entity (AME) at certain intervals, new control instructions (eg measurement instructions) or also updates of the terminal-side Application (ESA). The terminals are therefore not addressed and they indicate only their device type and anyi identity - neither the terminal nor the customer. The device type is important because the control instructions (StA) and ESA updates are specific to the operating system. By random numbers, which are generated in the terminal (= representative of terminal, mobile phone, notebook, etc.) of the terminal-side application (ESA), optionally irregular time points of the return are generated. This provides additional security against identification by evaluating the time and / or order of registration. As a further option, the time to upload from the ESA to the DEE has a minimum distance to the last measurement, in order to further dilute a correlation or check of real-time locations - without the actual goal of: B. affect the network condition detection.
• 2. Optionally, the DEE informs the ESA when it should first contact the AME for the eventual acceptance of new measurement tasks (StA), so that it can not collect any data or measurements with the program that is ongoing and not yet completed would interfere (avoiding misweights due to multiple measurements of individual terminals that are not identifiable and distinguishable by the method).
• 3. The AME may be the same as the functional unit of the Data Acquisition Unit (DEE) where the measurement results or general reports are uploaded. By separating the two units, additional protection is achieved by not knowing where the ESA has measured the AME. In this case, the AME would basically give all StA to the terminal that exist for that type of device, regardless of the current geographic location of the currently reporting terminal. The ESA will then decide for itself whether the StA is intended for its location or not - in the case of a geographically limited measurement mission (measurement program).
• 4. Geographically limited StA receive a minimum size (eg in square kilometers), which can not be undershot, so that the examination of the presumed stay of an individual is made even more difficult. The same applies to the time limitation, so that the commissioned measuring period comprises a minimum duration. Another measure is the minimum number of measurement points to record before the ESA logs in to the DEE to deliver the measurement results. If the measurement period has expired or the time has come to upload the interim results from the ESA, the ESA will additionally check if this minimum number has been reached. If this is not the case, for whatever reason, the ESA ignores the instruction for uploading the intermediate result and continues measuring until the next time, or if the measurement period is over, discards the data. These measures are implemented in such a way that either only fixed time grids are available for selection as a measurement pattern or that an editor for the StA carries out this check against a corresponding set of rules. Only such audited StA reach the AME and ultimately the ESA. Another process element for anonymisation is the minimum number of terminals that must contact the AME to obtain the instructions for a measurement program (StA) so that the statistical basis for the measurement results or the results of the assessment becomes sufficiently large to allow the Pursuit and identification of individual participants (or terminals) sufficiently difficult.
• 5. The DEE accepts the uploaded datasets from the ESA. If she receives a Trouble Shooting record (delivered individually) she will pass it on to the Trouble Ticketing System. Other data sets assign the DEE according to the measurement times (at which the measurements or the detection of events took place). If necessary, it carries out a standardization of measured values, which are eg. B. device-typical differences in measurements have and / or makes formatting on the data sets, which are defined for subsequent processing. It searches the data sets for those that do not have sufficient GPS accuracy or to which the terminal (ESA) has not received a GPS signal (marked by ESA markings or by the format of the GPS data). Optionally, the ESA may include an evaluation of substitute values or the DEE may do so or override the ones provided by the ESA according to its own algorithmic process (see below) or discard these records. The data records which are not discarded but are associated with evaluated location coordinates are marked accordingly in order to take this into account in later processing, in particular in network monitoring or planning tools, or to weight them statistically less or to make them distinguishable in map representations with corresponding symbols. The data sets present according to the previous method steps have all been currently uploaded and processed by a single terminal. The identity of the end device's terminal or device is never delivered (the trouble ticket records are never uploaded to the DEE together with the network monitoring data, they pass through the DEE for only a short time and are passed on to the trouble ticketing system where they anonymise according to other rules and edited, they are deleted in the DEE). Optionally, the trouble tickets are transferred to a separate link to a trouble ticket registration unit (TTE). The DEE (and the TTE) is not interactive and does not require human intervention. Access to the corresponding server must still be protected with the usual logical access controls. Only personnel with special authorization and only in particularly justifiable (incident) cases may access this server. Further protection is provided by the introduction of the server in additional mechanically / physically protected spaces z. B. reached with other servers with particularly sensitive data. After this preprocessing, the records are transferred to a database. It transfers all data sets from all devices that have participated in a particular action (the name of the measurement name also called measurement program or measurement project is communicated to the participating devices in each case with the StA, and the devices in turn inform the DEE of the upload) , This database is called Measurement Program Specific Database (MPSDB). If all current data records have been transferred from an individual terminal device into the MPSDB, they are deleted from the intermediate database (ImDB) of the DEE. In the MPSDB, all records are classified after their arrival at the DEE and after measurement times. Only when all data sets of all participating devices (how many are in a certain measuring program, is known and queried in the AME), the access to the data of the MPSDB for the next process step is released. To prevent a blockade of the MPSDB by late or never arriving terminals a timer is set. All data records for this measurement program reported to the DEE later are discarded by the DEE. Also for privacy reasons, there is a minimum number of device reports that must be reached in order to release the MPSDB for access. If this minimum number is not reached, the MPSDB is deleted. Also, the MPSDB is not sufficiently scrambled yet, so the data must remain protected from access by personnel (see above). If the MPSDB is completely populated with the data sets of the necessary number of measuring participants, the data is transferred to the measuring program-specific state database (MPSZ). Each measuring program is assigned to a geographical rectangle. This rectangle is virtual in squares of z. B. 50 × 50 meters subdivided (the AME and the StA editor contain procedural settings, so that an integer subdivision without much smaller remnants is always possible). The data records of the MPSDB are systematically entered into the MPSZ after this (virtual) subdivision (eg from northwest to southeast or from "left" to "right" and from "top" to "bottom"). The more precise GPS coordinates disappear and are replaced by corresponding grid numbers, from which the areas of the respective dimension can be calculated again. The records also receive a time grid of z. 30 minutes and a weekday assignment or day category (eg weekday, weekend). Within a geographical square, the different measuring points (or event data sets) are sorted according to this time grid. The geographical and the temporal screening are designed such that they are the other Anonymization and dilution in the sense of data protection serve, without missing the actual goal of the statistical net condition detection. Each grid cube of the MPSZ (whether realized real or virtual on the basis of the MPSDB) now contains measured values (eg field strength and / or speeds and / or reception quality quantities) and / or events ("data connection used" or "voice connection established") and / or device types (eg, iPhone 4, androit version xy) used to capture measurements or events. The different data are used differently by different users (eg radio planning, marketing). Therefore, different queries are made with different data and information content, which are displayed differently, such. On geographic maps (eg Google Earth). According to the method, the access methods are designed such that no whereabouts or movement patterns of individuals can be evaluated. The grid cubes can be filled with different numbers of records. The MPSZ does not have to physically correspond to this structure. Usual available technologies are used to save space. Also a dynamic realization of the MPSZ from the MPSDB is a procedural option, ie the access methods are designed in such a way that neither the more accurate measurement times nor the more precise location coordinates can be experienced, and in particular not the related measurement sequences, that of an individual terminal were uploaded. When querying frequencies of customers or events or measurement distributions within a grid cube, various checks are performed by the (MPSZ) access procedures and, if necessary, the grid is modified (typically increased) if the sample sizes are too small in the context of a procedural uncertainty relation. The uncertainty relation is applied in such a way that for a given grid cube size (may also have more than 3 dimensions) there must be a minimum number of requested events (or metrics). If this is not the case, the grid cube is successively increased until this is true - although with larger grid cube and higher values must be achieved, but grow less than in proportion to the grid cube. If z. For example, if the number of records with iPhone4 in a particular grid cube is requested (location raster and a particular day and time), the access procedure will access the rules of the procedure, which in this case say at least n must exist Records are available (also in the time frame of in this case 30 minutes) to give this information. In this case, the number n would be greater than the number of measurements made by a single device (ESA) within the measurement program (the MPSZ) and within the time frame (of 30 minutes in the example). If the number is not reached, the grid cube is increased according to the method in a certain sequence (eg doubling the time grid, ie the next 30 minutes are added) and an enlargement of the location grid (in the example: the next 50 m side length of the grid square to "right "And after" below "are added). The test is now performed against a new "n2" which may be less than 8 times n (8 times the grid cube size). If the sufficiently large number of data records is not present in this enlarged grid, the procedure is repeated until the criterion is met or until the repetitive set value causes the cancellation to occur. Procedural variants for the incremental grid cube enlargements are also the enlargement of only one dimension in each case (eg only the enlargement of the spatial grid). The access procedure learns this from the specific settings of the respective installation of the method.
• 6. The data of several measuring programs or acquisition measures (eg determination that voice or data service at Ortraster xy is active or desired by customers) can be classified in accordance with the method into another database with a larger geographical area, if this is the case with the measuring programs introduced previously (from the point of view of frequency of measurement and the number of terminals involved, appropriate standardization may be necessary, for example to prevent bias or misinterpretation of traffic priorities). In this case, one obtains, if necessary, a network-wide representation of radio coverage or of traffic values or statements about the geographical distribution of voice or data services. Hereby the statistical basis grows, which makes the identification of individual customers even more difficult. The accessor methods must nevertheless use the uncertainty principle (see point 4 above). This is particularly true since such a comprehensive database is also accessible to a wider range of users (it may also include temporary external forces for planning and marketing projects to the circle of users).

Improvement of the location

• 1. Die ESA wählt die zuletzt gemessene GPS-Position und markiert diesen Datensatz derart, dass dieser Sachverhalt bei der späteren Auswertung in der DEE erkannt wird. Selbst wenn der Messauftrag nicht die Messung der Funkfeldstärke des Mobilnetzes war, wird die Feldstärke und die Funkzellenidentität (CellId) gemessen bzw. erfasst und soweit vorhanden auch die entsprechenden Werte von Nachbarzellen. Als weitere Option wird eine Größe gemessen, aus der der Abstand von der Basisstation (BTS) errechnet wird (entweder von der ESA oder von der DEE). Diese Größe ist systemabhängig und ist im Falle von GSM z. B. das TimeAdvance. Um diese Größe zu erfassen muss eine Verbindung sowohl möglich sein (Funkversorgung) als auch bestehen bzw. aufgebaut werden. Besteht keine Verbindung baut die ESA eine solche auf oder schickt eine SMS zu diesem Zweck z. B. an eine hierfür eingerichtete Netznummer. Die ESA nimmt optional auch die nachfolgende Messung des Messprogramms (StA) zur weiteren Eingrenzung und/oder Interpolation hinzu, derart dass der zeitliche Abstand und/oder die Muster der CellIds (auch der Nachbarzellen) bei der Entscheidung der Nutzbarkeit für eine Interpolation verwendet werden. Ein zu großer zeitlicher Abstand und/oder ein Satz von völlig anderen CellIds würde zum Verwerfen solcher GPS-Positionen (die vorherige und/oder die nachfolgende) führen. Diese Evaluierung nach der hier skizzierten Fuzzy-Logic wird optional von der ESA oder von der DEE durchgeführt.
• 2. Wenn die in der StA vorgegebenen zeitlichen Abstände der Messungen oder Ereignis-Erfassungen zu groß sind für eine hinreichende Ortsbestimmung oder Ortseingrenzung, generiert die ESA optional weitere Messpunkte zumindest für das GPS-Signal, derart dass die ESA in kurzen Zeitabständen (z. B. alle 2 Minuten) eine GPS-Messung vornimmt bis ein verwertbares Ergebnis erzielt wird oder bis eine optional gesetzte maximale Anzahl von Zusatzmessungen dieser Art erreicht ist (Letzteres um z. B. die übermäßige Belastung des Akkus zu vermeiden). Optional ermittelt die ESA die Geschwindigkeiten und die Richtung der Geschwindigkeiten des Endgerätes (auf dem sich die ESA befindet), derart dass die Fuzzy-Logic weitere Anhaltspunkte für die Eingrenzung der Ortbestimmung der Messungen hat die ohne hinreichendes GPS-Signal durchgeführt wurden. Diese zusätzlichen Bewegungsgrößen werden optional bei den regulären (StA) Messungen und Erfassungen ermittelt und/oder bei den zusätzlichen Messungen zur Ortbestimmung. Sie werden für aktuelle oder spätere Evaluationen gespeichert und verwendet Diese zusätzlichen Datensätze werden je nach Auftrag der StA entweder mit den beauftragten Datensätzen an die DEE übertragen oder ausschließlich für die Fuzzy-Logic zur Ortsbestimmung durch die ESA verwendet und danach wieder verworfen (gelöscht). Wenn die zusätzlichen Datensätze an die DEE gesendet werden, werden sie als „zusätzlich” markiert für eigene Evaluierungen und Entscheidungen in der DEE, die optional die Ortbestimmung mithilfe dieser Daten durchführt. Der Vergleich der jeweils gemessenen Muster der CellIds (die der Umgebung) ist eine wichtiger Hinweis, wie weit z. B. eine Feldstärkemessung ohne hinreichendes GPS-Signal von einem Ort entfernt sein kann an dem zuvor oder später eine Feldstärkemessung durchgeführt wurde. Hierbei wird oft nur das Ziel verfolgt hinreichend genau zu ermitteln ob die Messung innerhalb eines Gebäudes oder außerhalb eines Gebäudes in einem Gebiet stattgefunden hat. Unter Zuhilfenahme von topologischen und morphologischen Datenbanken lässt sich diese Entscheidung mit Hilfe der Fuzzy-Logic weiter verfeinern. Diese Option ist grundsätzlich auch von der ESA wahrnehmbar, ist jedoch für die Evaluation in der DEE vorgesehen.
• 3. Wenn die ESA im Falle unzureichendem GPS-Signals verfahrensgemäß entscheidet, die Zeitintervalle der Messungen zu verkürzen, dann erhöht sich die Wahrscheinlichkeit, dass immer häufiger Messpunkte mit GPS-Positionsbestimmung knapp außerhalb der Abschattungskante (z. B. Gebäude oder Tunnel) aufgezeichnet werden. Da die Serie zusätzlicher Messpunkte gestoppt wird, sobald ein brauchbares GPS-Signal erfasst wird, wird verfahrensgemäß bei hinreichender Anzahl statistischer Proben immer deutlicher eine solche Kante erkennbar oder ermittelt. Mit Hilfe der morphologischen Datenbank lässt sich die Art des abgeschatteten Bereichs bestimmen. Oft genügt auch sicher zu wissen, wie hoch die Feldstärke außerhalb eines Abschattungsbereiches ist, z. B. vor einem Gebäude, um die Funkversorgung, in diesem Beispiel, der In-House-Versorgung zu ermittlen. Mit Hilfe der verfahrensgemäßen Fuzzy-Logic wird jedoch noch sicherer eine Zuordnung der GPS-losen In-House-Messung mit der wahrscheinlichen Position hergestellt. Wenn die ESA optional verfahrensgemäß Geschwindigkeit und Richtung (nur bei GSP-Signal) ermittelt, kann die Zuordnung von In-House-Messung und Lokation der Messung im abgeschatteten Bereich noch präziser erfolgen. Bei vorliegenden mehrerer CellIds und Feldstärken wird die Zuordnung weiter durch eine zusätzliche verfahrensgemäße Plausibilitätsprüfung im Rahmen der Fuzzy-Logic erhärtet (Prüfung der Mobilfunkfeld-Umgebung).
• 4. Die ESA prüft optional, ob sie sich im Umfeld des Heimatnetzes oder im (z. B. im StA) spezifizierten Netzes befindet. Wenn dies nicht der Fall ist, wird sie optional den Aufbau einer Verbindung oder das Senden einer SMS zum Zweck der Laufzeitermittlung (siehe oben) unterlassen.
• 5. Wenn trotz fehlender GPS-Positionierung eine hohe Genauigkeit gefordert ist, ermittelt die ESA die Position mit Hilfe von bekannten Methoden, die eine Mitwirkung des Netzes erfordern (z. B. die, die bei so genannten Homezone-Anwendungen verwendet werden).
• 6. Die Evaluierung der örtlichen Position von (Feldstärke-)Messungen oder Ereignissen wird zunächst auf der Basis der Datensätze erfolgen, die von der ESA gemäß StA erhoben wurden. Die Entscheidung ob zusätzliche Werte ausschließlich zur Bestimmung oder besseren Bestimmung der Position erfasst werden müssen, wird verfahrensgemäß in der ESA getroffen. Die Evaluierung nach der oben erwähnten Fuzzy-Logic findet optional in der ESA oder in der DEE statt, wobei auch eine Aufgabenteilung als weitere Ausprägung des Verfahrens implementiert sein kann. Eine Kennzeichnung der Datensätze zu den Umständen ihrer Entstehung ist für einige Anwendungen essentiell, insbesondere wenn die Häufigkeit von Messungen in der DEE dazu verwendet wird, auf den Verkehr oder auf Kundenkonzentrationen zu schließen. Ohne Kennzeichnung besteht die Gefahr von falschen Wichtungen.

To improve the location coordinates in the case of a missing or insufficient GSP signal, there are the following procedural options:

• 1. The ESA selects the most recently measured GPS position and marks this data record in such a way that this situation is recognized in the later evaluation in the DEE. Even if the measurement task was not the measurement of the wireless field strength of the mobile network, the field strength and the cell identity (CellId) is measured or detected and, if present, the corresponding values of neighboring cells. As another option, a variable is measured from which the distance from the base station (BTS) is calculated (either from the ESA or from the DEE). This size is system dependent and is in the case of GSM z. Eg the TimeAdvance. To capture this size, a connection must be possible (radio coverage) as well as exist or be established. If there is no connection, ESA will set it up or send a text message for this purpose. B. to a dedicated network number. The ESA optionally also includes the subsequent measurement of the measurement program (StA) for further confinement and / or interpolation, such that the temporal distance and / or the patterns of the cells (also of the neighboring cells) are used for deciding usability for interpolation. Too long a time interval and / or a set of completely different CellIds would result in discarding such GPS positions (the previous and / or the following). This evaluation according to the fuzzy logic outlined here is optionally performed by the ESA or by the DEE.
• 2. If the time intervals of the measurements or event detections given in the StA are too large for a sufficient localization or localization, the ESA optionally generates further measurement points at least for the GPS signal, such that the ESA can be used at short intervals (eg every 2 minutes) performs a GPS measurement until a usable result is obtained or until an optionally set maximum number of additional measurements of this type has been reached (the latter, for example, to avoid the excessive load on the battery). Optionally, the ESA determines the speeds and direction of the terminal's speeds (on which the ESA is located), such that the fuzzy logic has further clues to constrain the location of the measurements made without adequate GPS signal. These additional movement quantities are optionally determined during the regular (StA) measurements and acquisitions and / or during the additional measurements for location determination. They are stored and used for current or future evaluations. These additional data records are either transferred to the DEE with the assigned data records or used exclusively for the fuzzy logic for location determination by the ESA and then discarded (deleted). When the additional records are sent to the DEE, they are marked as "additional" for their own evaluations and decisions in the DEE, which optionally locates using these data. The comparison of the respective measured patterns of the CellIds (that of the environment) is an important indication of how far z. B. a field strength measurement can be removed without sufficient GPS signal from a place on the previously or later a field strength measurement was performed. Here often only the goal is pursued to determine with sufficient precision whether the measurement took place within a building or outside of a building in an area. With the help of topological and morphological databases, this decision can be further refined with the help of fuzzy logic. This option is basically also perceptible by the ESA, but is intended for evaluation in the DEE.
• 3. If, in the event of an insufficient GPS signal, the ESA decides to shorten the time intervals of the measurements, the likelihood increases that more and more frequently measuring points with GPS positioning will be recorded just outside the shading edge (eg buildings or tunnels) , Since the series of additional measuring points is stopped as soon as a usable GPS signal is detected, according to the method, with sufficient number of statistical samples, such an edge is increasingly recognizable or ascertained. The morphological database can be used to determine the nature of the shaded area. Often it is also safe to know how high the field strength is outside a shading area, eg. In front of a building to detect the radio coverage, in this example, the in-house supply. However, with the aid of the method-specific fuzzy logic, it is even safer to assign the GPS-less in-house measurement to the probable position. If the ESA optionally determines the speed and direction (only for GSP signal) according to the procedure, the assignment of in-house measurement and location of the measurement in the shaded area can be made even more precisely. If multiple cellIds and field strengths are present, the assignment is further corroborated by an additional plausibility check in the context of the fuzzy logic (testing of the mobile radio field environment).
• 4. The ESA optionally checks whether it is located in the vicinity of the home network or in the network specified (eg in the StA). If this is not the case, it will optionally refrain from establishing a connection or sending an SMS for the purpose of determining the term (see above).
• 5. If high accuracy is required despite the lack of GPS positioning, ESA will determine the location using known methods that require network involvement (eg those used in so-called homezone applications).
• 6. The evaluation of the local position of (field strength) measurements or events will first be based on the data sets collected by the ESA in accordance with StA. The decision as to whether additional values need only be collected to determine or better determine the position will be made in accordance with the procedure in the ESA. The evaluation according to the fuzzy logic mentioned above optionally takes place in the ESA or in the DEE, whereby a division of tasks can also be implemented as a further embodiment of the method. Labeling the records of the circumstances of their formation is essential for some applications, particularly when the frequency of measurements in the DEE is used to infer traffic or customer concentrations. Without labeling there is a risk of wrong weights.

Application extensions that use the aforementioned possibilities in various ways.

Roaming applications:

• 1. The ESA can optionally become active if it has changed with the terminal through a new SIM to another network operator (subscriber has changed network operator). ESA will check whether it is located in the same country (eg by examining the CellId or Location Area), such as the network of the original network operator (who installed the ESA on the terminal), and if so even though it is not in the network of the original network operator, it is in a competitor network. Optionally, ESA refrains from contacting the AME to request measurement programs or, alternatively, to continue such that the EAS records the quality of the new network (competitor network). Optionally, the EAS notifies this fact to the AME, which in turn can decide according to the procedure whether to involve this terminal (ESA) in one of the current measurement or acquisition programs and, if necessary, to hand over a StA.
• 2. To record network qualities from the point of view of guests (eg tourists) from other countries, the following process characteristics are possible: a. The network operator offers these guests a SIM from their network (eg prepaid SIM). This SIM contains an application that checks the type of terminal in the guest's terminal so that if it matches a suitable operating system and hardware type, that application either installs a suitable ESA variant on the terminal, such that it either loads the ESA loadfile from the SIM or establishes a connection to the AME or a similar device to load the appropriate ESA variant on the terminal and finally initiate the installation, or that the appropriate ESA variant is already installed directly on the SIM and after appropriate configuration or Self-configuration performs the work in accordance with the procedure (eg when the AME StA asks for instructions, performs measurements, uploads the data to the DEE according to instructions and given conditions). b. For roamers who want to stay with the SIM of their home network operator (ie they keep their SIM while using the host network, "inbound roaming"), one can make special offers to use a portal of the host network and check for the ability to the terminal is suitable for a variant of the application (ESA) and if so download and install it. Special information offers or tariffs for mobile services could be used for motivation. This ESA variant checks whether it is in the host network from which it received the ESA application and otherwise sends no data to the DEE and terminates its activity if it has not come into the host network for more than a set number of days. Changing the setting of the preferred network is an option of this ESA variant.

Telecommunication services for end customers

Based on the inventive method set forth herein, various telecommunications value-added services can be realized that can be used by the customers of the mobile network operators. It enables monitoring services where the mobile subscribers are the observers. Here, very different things can be observed or persons supervised for their protection. In one embodiment of these applications systems or vehicles are observed, the z. B. experience a particular acceleration or temperature change or the like events. In another form are ordered to protect such. B. supervised children - with the largest possible space. So z. For example, parents are notified automatically when their children cross a geographical area. Sick people immediately receive help at the scene as soon as certain events occur, such as: B. Heart rate changes. In this case, the application-specific terminal application (aESA) determines the location coordinates (see above), if necessary application-specific, the speed and / or other variables such as temperature or heart rate. The latter data and others are optionally detected in one embodiment by a configuration of sensors (eg temperature sensors, humidity meters, radiation measuring devices, gas analyzer, acceleration sensors, break detectors, etc.) and a control unit (KE), such that the KE with the application-specific logic for reading, Evaluation, monitoring and interface-compatible transmission of the signals and / or the evaluated events to the aESA according to the method. The aESA and the KE recognize in the co-operation according to whether and which message is to be written and with which data and / or evaluated information the message is to be equipped. The message is optionally transmitted to one or more devices or devices. The transfer takes place to an individually created list of addresses, numbers or links for each individual terminal to be monitored. The transmission is optionally via SMS z. B. to the terminal of a supervisor, such. To the parents or to the doctor. As a further option, the message is transmitted according to the aforementioned link via the application-specific network-side and server-based data acquisition device (aDEE). The aDEE also receives the identity (this is different from the network monitoring application) of the currently reporting terminal (aESA) with the message and, according to the procedure, arranges the data into an account-specific database for subsequent confidential access, which can be accessed using standard, appropriate methods application-specific time is controlled in a narrow circle of authorized persons registered in a database according to the method and / or terminals. The aDEE prepares the data in such a way that it can be viewed confidentially by the individual users (customers of the mobile network operators) using commonly available tools (eg Google Earth), eg. For example, when which event occurred at which location. Finally, an observed person or object (car, train wagon) or an animal can be found here as well, whereby a mobile terminal equipped with the aESA and having GPS capability and / or other locating techniques such as eg. B. via a mobile network-based, that is, for the simple location requires no complex arrangement of terminal and sensors.

An embodiment of the method additionally uses a radio signal or an acoustic signal that is initiated by the aESA and sent out by the terminal for better detection, for example, of the aESA. B. via Beilung, so that this signal can be used for finding even if the event occurred in an unprovoked area of the mobile network, from which no current position data and no call for help could be placed, however. In this case, however, the supervising persons are informed by timeout of the aDEE and, if necessary, informed about the last reported whereabouts or about the last movement trends, which are optionally displayed geographically. Optionally, the aESA sends a text to the display of the terminal or gives an acoustic message z. As text-to-speech, so that, if necessary, passers-by aware of the event and learn what can be done.

The aDEE is located on a network-side central server, which is physically and logically protected against unauthorized access. The aDEE optionally performs further evaluations of the individually associated terminal (s) so as to relieve the aESA of costly processes and, when using large databases, the storage capacity of the associated terminal (s) that carries the aESA ) exceed. The aDEE transmits optional (possibly also in addition to the aESA) messages or alarms to a procedural deposited list of numbers, addresses and / or links via SMS, push email, or to other portals, such that on arrived events and data or on a time-out z. B. since a last message the observed person or object is alerted. After an application-specific and user-specific time, the entries are deleted from the account database of a single user.

The aDEE accepts application data (eg which geographical area should be monitored and if it is exceeded trigger an alarm) via a web user interface. An application-specific graphical user interface is used for this purpose so that input errors and thus also monitoring errors are avoided by additional semantic checks and / or well-defined alternatives (eg in drop-down lists). By way of example, a map can be mentioned here (eg based on Google Maps) in which the geographical boundaries can be clearly seen with simple means and can also be entered easily and reliably by the inexperienced user. If necessary, warnings are given if z. B. range limits are unusually large, such. B. 100 km for the monitoring of a dementia patient.

The aDEE stores the entered data for later control of the input status or for reuse of monitoring patterns (eg location and / or time). It formats them into application-specific control and monitoring instructions (aStA) and transmits them in procedural format to a terminal (aESA) or to several associated with this specific account.

In one version, the aESA contains the logic for a very specific application, such as: B. Monitoring the whereabouts of the terminal (which is worn by a person). In this case, only a small amount of data is needed to define the surveillance area. For complex monitoring tasks, the aESA is optionally replaced, or supplied with updates or with plug-ins, to execute new procedural logic such that the terminal or SIM contains a process-specific loader and installer addressed by the aDEE and locally for a secure installation or reinstalling aESA or updates or plug-ins, despite insecure (mobile) transmission path, so that there is always a fallback solution and the loader and installer locally even in the absence of a connection can be brought about, and neither the terminal in its other functions and Malfunctioning or blocking applications, or preventing the re-establishment of a functioning aESA, even during a previously failed installation. Here, the aDEE is the master of the process-specific loader and installer, which can be made sufficiently stable with moderate implementation and testing effort because of its manageable range of functions.

Claims (19)

A method for protecting movement patterns and locations contained in data acquired by mobile terminal terminals for the purpose of detecting the mobile network status and corresponding network quality characteristics associated with location and time coordinates, such that, on the one hand, the mobile network state according to its purpose is represented statistically, on the other hand, however, the recalculation to individual movement patterns and assignment of these movement patterns to specific persons, the holders of participating in the network condition detection terminals, sufficiently difficult or even impossible, so that the data collected by the terminals without terminal identities and is transmitted without identities of the holder of the respective terminal by the terminal application (ESA) to the data acquisition device (DEE) and in a physically and logically protected against human access server or data processing device dera After that, only statistical statistical statements about the detected mobile network quality characteristics and the associated location and time coordinates are available, so that even in the case of a non-confidential user group of the database, with the mobile quality features processed in accordance with the method, the mobile radio subscribers participating in the corresponding measurement program for creating these Database and whose motion patterns can not be identified. A method according to claim 1, characterized in that the ESA of the respective individual terminal announces itself anonymously at the DEE for the purpose of uploading the data records with the measurement and event data and is not addressed, so that the DEE learns no identity, but to avoid Multiple measurements of individual terminals are informed by the DEE as to when the ESA will report back to the Application Management Entity (AME) for the adoption of new control instructions (StA) for a new measurement program at the earliest, such that the DEE designates the date of none StA are assigned more to the still ongoing measurement program of the AME, so that weighting errors in the evaluation of the measurement and event data are avoided in the DEE, such. For example, in determining customer traffic or traffic or events at particular locations. A method according to claim 2, characterized in that the ESA reports after a random time at the AME for the purpose of requesting StA, so that a specified by the DEE earliest time is not exceeded, and the possibility is prevented, based on the reporting time or the order of reporting times to evaluate the identity of one or more terminals. A method according to claim 1, 2 or 3, characterized in that the ESA at the earliest after a minimum time interval to the last measurement at the DEE for the purpose of uploading measurement data sets, such that a review and tracking of the presence of persons at the location coordinates of the near-actual Measurement is prohibited. Method according to claim 1, 2, 3 or 4, characterized in that the AME is an entity physically separate from the DEE, such that the two functional units have an interface for the exchange of data according to the method, but not simultaneous insight into the contacts with the ESA of the respective terminals, so that in case of occurrence of unauthorized overcoming the access protection (physical and / or logical) in one of the two units, the insight into the contacts of the other unit remains difficult. A method according to claim 5, characterized in that the AME transmits the StA to each reporting ESA of the relevant device type, such that the AME does not get transmitted to where the terminal is located, such that the ESA itself checks to see if it is in the geographical area Area to which terminals for the measuring program are selected. A method according to claim 6, characterized in that the ESA in the context of the measurement program defined by StA also reports to the DEE, if it is not in the geographical area specified by the StA, such that the ESA transmits to the DEE in that it does not participate in the measurement program, so that the DEE makes a better estimate of the expected total number of participating terminals, such that it may notify the AME that further measurement instructions StA will be handed over to self-reporting ESAs. Method according to claim 1, 2, 3, 4, 5, 6, or 7, characterized in that the StA, when geographically selecting an area to be measured, has a minimum size, such that the verification of the presence of individuals in one is sufficient large area is difficult. The method of claim 1, 2, 3, 4, 5, 6, 7 or 8, characterized in that the StA identifies a minimum duration of time limit of the measurement program, so that the examination of the presence of individuals is sufficiently difficult. The method of claim 1, 2, 3, 4, 5, 6, 7, 8 or 9, characterized in that the AME assigns a minimum number of signaling terminals with StA for each measurement program, such that the size of the statistical basis of the Identification of individual terminals or their holders sufficiently difficult. The method of claim 1, 2, 3, 4, 5, 6, 7, 8, 9 or 10, characterized in that the StA each comprises a minimum number of measurement points such that the size of the statistical basis identifies individual terminals or their holder sufficiently difficult. The method of claim 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 or 11, characterized in that the ESA checks before reporting the measurement results to the DEE whether a defined minimum number of actual performed Measurements is reached, so that the ESA possibly suspends the message of an intermediate result and transmits the already recorded data records at the next reporting time, and in case that the measurement program is already completed without the minimum number of actually detected measurement points is reached rejects the ESA the records. The method of claim 8, 9, 10, 11, or 12, characterized in that the StA are created with an editor that ensures compliance with the rules and conditions that are placed on a measurement program before it is in the form of StA via the AME passed to the terminals (ESA), ensures that the editor a) offers a selection of fixed measurement patterns and / or event captures for use, such that temporal patterns and / or geographical patterns for the current measurement program are concretized, such as by entering start time and / or geographical center coordinates of geographically predetermined range frame, such that some of the pending information is pre-determined and correctly copied and / or other pending information is calculated from predetermined relative values and the current input values, so that compliance with the rules for establishing a regular STA is enforced; and or b) first allows a free input of the instructions for defining a measurement program, and either during the input or at the end of the input, a review takes place, so that the rules are reminded and / or accepted by the editor, so that successively a regular StA arises , Method according to one or more of claims 1-13, such that the data sets uploaded by the terminals / ESA are arranged in a database rasterized in such a way that the raster areas correspond to particular location and time coordinates such that the raster areas are sufficiently accurate however, for the purpose of the statistical network state representation and / or the network quality statement, lose the original accuracy of the corresponding coordinates such that the association of, in particular, the presence at one location at a time has become sufficiently blurred as compared to the data obtained from the ESA. A method according to claim 14, characterized in that the database does not have the physical structure mentioned in claim 14, but is dynamically logically guaranteed by the access methods and procedures, such that the procedural blurring is always given every possible query of measurement and event data , A method according to claim 14 or 15, characterized in that the screening real or virtual changes, so that when falling below a minimum number of measurement or event values, initially adjacent grid elements are included for the statistical statement, so that a statement with a possibly Higher statistical value or over a larger number of events over a larger grid cube with less precise coordinate ranges arises. Method according to one of claims 1-16, characterized in that the ESA in the absence or insufficient GPS signal changes the method of location determination to the measurement or event values, such that the ESA a) uses the location coordinates of the previously performed measurement or event detection if the time is not too long ago and / or the network environment in the form of CellId, Location Area, and / or neighborhood cells indicate a sufficient proximity, such that the ESA the lower reliability of the thus determined location coordinates for later processing according to the method in the DEE marked accordingly; or b) generate additional measurement points at shorter time intervals so that it either receives a sufficiently precise GPS position and optionally considers the network environment as under a) in deciding whether this position is sufficiently close to the measurement or event specified by the StA or, in the event that the ESA has reached a set maximum number of additional measurement points, stops the series of auxiliary measurements so as not to unduly affect the terminal's battery life, or c) energizes network functions such that the location determination may be network-based without GPS signal Methods, such as determining the time advance when sending an SMS or a location update in GSM, such that the distance to one or more base stations is determined. d) increases the GPS position measurement duration up to a maximum time such that the GPS positioning becomes more precise without unduly stressing the battery life. A method according to claim 17, characterized in that the ESA supplies only the appropriately marked raw data of the additional measurements to the DEE and the evaluation is performed by the DEE so that the ESA is relieved and the possibilities of the DEE are better utilized to provide more comprehensive data on Determine the radio network structure with field strengths and geographical positions of the base stations for the more precise localization of measurements and events, if necessary with fuzzy logic. An arrangement of one or more terminals and one or more servers for detecting the state and the quality data of a mobile network, such that the one or more terminals each contain an application ESA and the server or servers contain at least one application DEE and at least one application AME that the application interact with each other according to any one of methods 1-18.