An Inter-Disciplinary Resource Website to Effects on Human Electrodynamic Physiology
www.uncg.edu/~t_hunter/sound.html |
Site Map |
Patent No. 7129840 Document security system (Hull, et al., Oct 31, 2006)
ASSIGNEE:
Ricoh Company, Ltd. ( JP )
Abstract
Document monitoring provides a measure of document security. Documents incorporating radio frequency identification (RFID) tags can be monitored by appropriate interrogation components for movement activity. A surface suitable for placement of documents is configured for monitoring RFID tagged documents. Such documents can be monitored in a document processing device to control access to the document processing functions.
Notes:
BACKGROUND
OF THE INVENTION
The present invention relates generally to security systems and more particularly
to document monitoring systems and methods to effect document security.
In any project involving a group of people, cooperative and coordinated interaction
typically is key to the success or failure of the undertaking. The project begins
with a series of meetings to identify the desired goals, and to begin understanding
the tasks needed to achieve the goal. In a marketing situation, for example,
product managers and sales persons convene frequently to define the product
line or services, to identify potential markets and target customers, to develop
advertising strategies and product roll-out scenarios, and so on. In an engineering
setting, basic design goals and basic implementation strategies are discussed
and identified.
An important though somewhat tedious outcome of this effort is the production
of many documents. Most documents are freely distributed among individuals.
Invariably, however, a number of documents will be produce that contain sensitive
information. Engineering plans and designs might have to be documented, but
kept secret or otherwise secured. Marketing plans and forecasts, and customer
lists are typically sensitive subject matter that require controlled access.
These sensitive documents, nonetheless, need to be copied, distributed, and
otherwise disseminated among many individuals in the organization in order for
progress to occur. A need therefore exists for a method and system to provide
document security support.
SUMMARY OF THE INVENTION
Document monitoring includes sensing documents placed on a suitable surface
and monitoring the documents for changes in position on the surface. Sensors
collect first information indicative of a first position, and second information
indicative of a second position. The sensor data is compared to determine that
a change in position occurred. In one embodiment, a recording action can be
initiated in response to detection that a change in position has occurred. In
another embodiment of the invention, document processing functions can be enabled
or disabled, based on the information collected by the sensors. In one aspect
of the invention, the sensor component comprises a radio frequency identification
(RFID) tag and associated interrogation device(s).
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a simplified block diagram of a sensor arrangement for monitoring
documents in accordance with an embodiment of the present invention;
FIGS. 2A 2C illustrate typical examples of incorporating sensors in a surface;
FIGS. 3A and 3B show a typical radio frequency identification system;
FIGS. 4 and 4A illustrate document monitoring in accordance with an illustrative
embodiment of the present invention;
FIGS. 5A 5C illustrate in block diagram form a sensor arrangement according
to another embodiment of the invention;
FIGS. 6A and 6B show the transmission range characteristics of an RFID system;
FIG. 7 shows a block diagram of a document processing system incorporating various
aspects of the present invention;
FIG. 8 is a flowchart highlighting the steps for writing to a re-writable RFID
tag; and
FIG. 9 is a flowchart highlighting the steps for an algorithm for writing to
a re-writable RFID tag which includes image capture.
DESCRIPTION OF THE SPECIFIC EMBODIMENTS
FIG. 1 is a schematized representation illustrating by way of example an embodiment
of a document monitoring device according to the present invention. The document
monitoring device 100 includes a structure 104 that is suitable for placement
of one or more documents. The structure can be a desktop, for example, or other
similar worksurface. The structure can be a shelf in a bookcase, or perhaps
a document bin of a document processing apparatus such as a copier or printer,
and so on.
The document monitoring device further includes an arrangement of sensors 112
disposed about an area of the structure 104. As can be seen in the figure, the
sensors are arrayed in a regular pattern. It will be appreciated that the sensors
can be arranged in any regular pattern other than the rectangular pattern shown.
Moreover, it will be appreciated that the sensors can be arranged in an irregular
or otherwise random pattern.
A detection module 106 receives an output signal 114 that represents a collection
of the signals produced by the sensors 112. The detection module produces a
detection signal 116 based on the output signal. The detection module can be
an appropriately configured computer processor or an analog device, depending
on the nature of the output signal 114. As will be seen below, in a particular
implementation of an embodiment of the invention, the output signal is digital,
and so the detection module can be a digital processing device.
A control signal 118A is coupled to the sensors 112 to control their action.
In one embodiment of the invention, the control signal is produced by the detection
module 106. This configuration might be appropriate for providing synchronous
operation between the sensors 112 and the detection module. Alternatively, as
can be seen in FIG. 1, a control signal 118B can be provided from a source other
than the detection module.
FIGS. 2A 2C show alternative embodiments of the incorporation of sensors 112
in the structure 104, as seen from the cross-sectional view taken along view
line 2--2 shown in FIG. 1. The embodiment shown in FIG. 2A illustrates the structure
104 having one or more laminations 104a, 104b, showing the sensor 112 disposed
within the material of the lamination 104b. An example of this construction
can be a desktop having a protective layer of glass 104a, where the sensors
might be embedded in the material (e.g., wood) of the desktop 104b. FIG. 2B
shows an embodiment in which the sensors are simply embedded in the structure,
flush with the surface 102 of the structure. FIG. 2C shows yet another embodiment
in which the sensors are embedded below the surface 102 of the structure. It
can be appreciated from these example embodiments that the sensors can be incorporated
with the structure 104 in a variety of ways.
The components of a radio frequency identification system (RFID) are used in
a particular implementation of this embodiment of the invention. RFID is a versatile
wireless solution for identification. It has a wide range of applications, from
tracking books in a library to monitoring the movement of cattle on a ranch.
FIGS. 3A and 3B show that a basic RFID system comprises three components: an
antenna component (coil) 313, a transceiver component 312, and a transponder
(commonly called an RFID tag) 316.
The antenna component 313 emits radio signals to activate the tag 316. Antennas
are available in a variety of shapes and sizes. Thus, it can be appreciated
that antennas can constitute the sensors 112 shown in FIGS. 1 and 2A 2C, in
this particular implementation of the invention.
Often, the antenna component 313 is packaged with a transceiver component 312
which typically includes a decoder module. This combination is referred to variously
as a reader, an interrogator, and so on. In operation, the reader can emit radio
waves 322 (interrogation signal) in ranges of anywhere from one inch to several
feet or more, depending upon its power output and the radio frequency used.
The transceiver component produces the interrogation signal which is then propagated
by the antenna component.
When an RFID tag passes through the electromagnetic zone of the interrogation
signal, it responds to that signal and produces a response signal 316 which
is picked up by the antenna component 313 and fed to the transceiver component
312. The decoder module in the transceiver decodes the response signal to extract
the data encoded in the tag and the data is passed to a host computer for subsequent
processing.
RFID tags come in a wide variety of shapes and sizes. Some tags can only be
read, while other tags can be read and written. For example, a product called
the MU-chip by Hitachi, Ltd., is a 0.4 mm.sup.2 chip that is thin enough (about
60 .mu.m) to be embedded in paper, and contains a read-only memory (ROM) of
128 bits.
RFID tags are categorized as either active or passive. Active RFID tags are
powered by an internal battery and are typically read/write, i.e., tag data
can be rewritten and/or modified. The battery-supplied power of an active tag
generally gives it a longer read range. The trade off of course is greater size,
greater cost, and a limited operational life due to the limited life of the
battery. Nonetheless, it can be appreciated that active tags can be useful in
the present invention under appropriate operational requirements.
Passive RFID tags operate without a separate external power source and obtain
operating power generated from the interrogation signal transmitted from the
reader. Passive tags are consequently much lighter than active tags, less expensive,
and offer a virtually unlimited operational lifetime. The trade off is that
they have shorter read ranges than active tags and require a higher-powered
reader. Read-only tags are typically passive and are programmed with a unique
set of data (usually 32 to 128 bits) that cannot be modified. For example, the
Hitachi MU-chip comes preprogrammed with a 128 bit data word.
In accordance with the present invention, physical documents have one or more
RFID tags physically associated with them. A plethora of attachment processes
are possible. An RFID tag can be attached by the use of adhesives. A clip which
gathers together a multi-page document can be provided with an RFID tag. For
example, a paper clip may incorporate a tag, or a staple can be incorporated
with a tag.
The attachment can be manual, or by automation. For example, a copying machine
can be outfitted with RFID tagged staples or a dispenser of adhesive tags, so
that stapled copies can be tagged by way of the staple, or single-page copies
can be tagged with an adhesive tag. RFID tags (e.g., Hitachi MU-chip) can be
embedded in the paper medium itself ("tagged paper").
In accordance with this particular implementation of an embodiment of the invention,
each RFID tag is associated with a unique identification, referred to herein
as a "tag identifier." Furthermore, when a tag is physically associated with
a physical document, there is an association between the tag identifier and
"document information" relating to the physical document. The document information
might comprise an electronic copy of the physical document, an image of the
document, a reference which identifies the physical or an electronic form of
document, a reference identifying where an electronic copy of the physical document
can be found, references to other documents, and so on. The document information
might include information indicative of permissions, for example, whether a
document can be copied or not. The document information might include ownership
information, document modification history information. In general, one can
appreciate that any kind of information may constitute "document information."
The document information can be collected at the time of creation of the document;
e.g., when the document is printed, copied, faxed, or otherwise processed. The
document information can be an accumulation of information collected during
the lifetime of the document such as when modifications are made, or when copies
are made, for example. A database system (not shown) can be provided to store
such information, or other suitable information management system. The database
or information management system can be used to provide the mapping between
tag identifier and document information.
FIG. 4 illustrates how document monitoring in accordance with an embodiment
of the present invention can be provided. On the surface 102 of the structure
104 is a document having associated therewith an RFID tag 416. As can be seen
in the figure, the document has a first position 402 on the surface, and a second
position 402' shown in phantom.
In the particular embodiment shown in FIG. 4, the sensors 112 are interrogation
circuits comprising a transceiver circuit 312 (FIG. 3A) to produce an interrogation
signal 322. The response signal picked up by the antenna component 313 of each
sensor is detected by the transceiver circuit. However, not all of the sensors
will detect the response signal. Since the response signal is typically weak,
especially in the case of a passive RFID tag, only those sensors within the
transmission range of the response signal generated by the tag 416 will be able
to detect the signal.
The limited transmission range of an RFID tag is illustrated in FIGS. 6A and
6B. In FIG. 6A, all of the interrogators 612 transmit an interrogation signal
622 (though, for clarity, only the signals 622a and 622b for two interrogators
612a and 612b, respectively, are shown). A document 602 having an associated
RFID tag 616 is exposed to the electromagnetic radiation. FIG. 6B shows the
response signal 624 produced by the tag 616. However, since the signal strength
of the response signal is low, its range is limited and is therefore not detected
by all of the interrogators. Rather, (in this case) the response signal is detected
only by the interrogator 612a.
FIG. 4A shows a high level flowchart for the processing which occurs for the
arrangement shown in FIG. 4. Consider that each sensor 112 transmits an interrogation
signal, at a time t.sub.0, in a step 402. As discussed above, the response signal
of the tag 416 will be detected (step 404) only by those sensors that are within
the transmission range of the tag. Those sensors which detect the response signal
each will produce a sensor output signal, which typically comprises some information
that is stored in the tag 416; e.g., an identification code. The collection
of sensor output signals is collectively represented by the output signal 114
(FIG. 1). The detection module 106 receives a first set of sensor output signals
and stores them (step 406) as first information indicative of the first position
402 of the document.
Now, consider a time t.sub.1 (>t.sub.0) when the document has been moved.
This is indicated by the document (in phantom) shown in position 402'. At a
time t.sub.2 (>t.sub.1), a second interrogation signal is transmitted by
the transceiver circuits of the sensors 112 (step 402), another set of sensors
will detect the response signal produced by the tag 416 (step 404). A second
set of sensor output signals is produced as output signal 114 and stored in
the detection module 106 (step 406) as second information indicative of the
second position 402' of the document. Movement of the document can then be determined
(step 412) based on the first sensor output signals and the second sensor output
signals.
In one particular implementation of an embodiment of the invention, the detection
module 106 can process the sensor output signals by associating each signal
with information indicating the location of the sensor. For example, the sensor
output signal received from the sensor 450 might be associated with a location
identified by the coordinate (A,1). Thus, movement of the document is determined
from the point of view of comparing the locations of those sensors which detected
the tag's 416 response signal at time to with the location of those sensors
which detected the response signal at time t.sub.2.
Alternatively, the detection module 106 can process the sensor output signals
by associating the sensor output signals with the sensors 112 themselves. For
example, the sensor output signal can contain information indicative of a tag
identifier, thus identifying the tag. Document movement can be detected by comparing
the tag identifiers obtained from the first set of sensor output signals against
the tag identifiers obtained from the second set of sensor output signals.
FIGS. 5A 5C show a document monitoring apparatus in accordance with another
embodiment of the present invention. The apparatus 500 includes a structure
504 suitable for placement of documents. A plurality of receiver components
512b are disposed about an area of the structure. FIGS. 2A 2C illustrate examples
of how the receiver components can be incorporated with the structure 504. Outputs
of the receiver components are collected and provided as output signal 114.
In this particular embodiment of the present invention, a single transmitter
circuit 512a is provided for transmitting an interrogation signal 522 in response
to a control signal 518. An RFID tag 516 is shown disposed on the surface of
the structure 504.
The receiver component 512b comprises an antenna component (e.g. 313 in FIG.
3A) for sensing the a response signal from the tag 516. The receiver component
further includes circuitry (not shown) for detecting a response signal picked
up by the antenna. The receiver component constitutes a portion of the conventional
interrogator device such as the one shown in FIGS. 3A and 3B. In this particular
embodiment of the invention, the transceiver component of a conventional interrogator
is separated into a transmitter circuit component 512a and plural receiver circuit
components 512b. The plural receiver components are disposed about the structure
504.
FIGS. 5B and 5C show the propagation of a response signal 524 from the tag 516
after irradiation by the interrogation signal 522. FIG. 5C is a top view taken
along view line C--C in FIG. 5B. The figures illustrate the limited range of
the response signal, and the consequent detection of the signal by less than
all of the receiver components 512b; in this case, receiver components A D are
shown having sensed the response signal. The tag 516 is shown physically associated
with a document 502 illustrated in phantom.
FIG. 7 is a block diagram illustrating document monitoring in accordance with
yet another embodiment of the present invention. The figure shows a document
processing apparatus 700. For example, this might be a copier machine, or a
facsimile transmission device, or a printer, and so on. The document processing
apparatus comprises a document source 701, abstractly represented by a stack
of documents. An input component 732 processes the document source. For example,
in the case of a copier or facsimile transmission device (fax), the document
source might be the physical documents being copied and the input component
is an imaging device. The document source could even be a data connection to
a data processing device, where the document is electronically provided to the
copier or fax. In the case of a printer, the document source 701 is likely to
be a network connection to a document server or some data processing device,
and the input component might be a network interface component to receive the
electronic data constituting the document.
The input component 732 is coupled to a document production component 730 to
produce copies or printout. A paper source 703 feeds paper stock to the document
production component. In this embodiment of the invention, the RFID tags can
be physically associated with the produced document by the document production
component. For example, a feeder mechanism for adhesive tags can be incorporated
into the document production component that attaches tags to the paper stock
as it passes during a copying operation or a printing operation. As another
example, a stapling mechanism having a magazine of staples comprising RFID tags
can bind and tag multi-page documents. Alternatively, the paper stock itself
may be "tagged paper", having RFID tags incorporated directly in the paper.
In the case of a facsimile transmission device, the document production component
730 might comprise data communication circuitry for connecting to a remote facsimile
transmission device and communicating an electronic copy (FAX) of the document
to the remote device.
The document processing device 700 includes a suitable output tray 734, provided
for receiving the copy; e.g., copied document, printed document, or the originals.
A detection module 706 includes a signal connection 714a, 714b to either or
both the input component 732 and the output tray 734. As will be discussed below,
the signal connection provides information about the document(s) present in
the input component and/or the output tray. The detection module feeds a signal
707 to a recording component 708 and to an appropriate server system 710.
A recording component 708 is provided to record information that identifies
an individual. The recording component can include an input device for users
to key in or otherwise provide information indicating their identity, which
can then be use to activate the document processing device 700. The recording
component can include a video recording device which produce an image 709 of
the individual. The image can then be fed to the server 710 which can perform
appropriate image analysis to determine the individual's identity.
In one embodiment, the input component 732 may include an RFID interrogation
device 732a for sensing source documents 701 which contain RFID tags. A control
signal 718 is coupled to the input component to control the interrogation device;
e.g. to produce the interrogation signal. In the case of a copier, the recording
component 708 can obtain information indicating of the user. The information
can be an identification code or an image of the user. When source documents
701 are fed to the copier, the input component 732 can sense tags in the source
documents and send appropriate signals 714a to the detection module 706. The
signals fed to the detection module might include tag identifiers. The identification
information supplied by the recording component and the tag information supplied
by the detection module can be processed by the server 710. The server can then
enable (by way of suitable control signals, 718 for example) the copying function
based on the information received.
For example, the tag information can be mapped to some information that identifies
the document. As discussed above, this information can be anything, such as
a document identifier, an image of the document, and so on. The tag information,
also can be mapped to corresponding permission information dictating what actions
(copy, fax to a specific destination, etc.) are permitted for the particular
user for the particular document. In general, a requested action of the document
processing device 700 can be enabled or disabled based on information collected
by the recording component and on the information received by an RFID interrogation
device 732a contained in the input component 732.
In yet another embodiment according to the present invention is the incorporation
of a hash code in a re-writable RFID chip (tag). The hash code (see, for example,
the web site at "http://userpages.umbc.edu/.about.mabzug1/cs/md5/md5.htm1" for
a discussion of the md5 hash algorithm) can be applied to a digital representation
of the document (e.g., post-script (ps), or scanned image) before it is printed.
The md5 hash is supposed to produce a unique 128 bit output for every unique
document. The hash code can be stored in the RFID chip. Later, a user needing
to verify that two physical documents have exactly the same content can merely
scan the RFID chip and compare the hash codes. Note that a visual side-by-side
comparison of two document can be difficult, especially if there are only small
differences between the two versions of the document (e.g., just a few words
are different). However, the comparison is extremely easy if the hash codes
are used. Also, note that the two documents being compared might have been printed
at different times by different people in different locations, according to
different formatting rules (e.g., single column format or double column format).
The use of hash codes to compare two such documents would be extremely accurate.
Also, note that the comparison could be made at different locations by different
people, but sharing a common communication channel. This could be part of a
contract signing process in which the same contract is printed at different
locations by different people. The md5 hash code could be read from the chip
and printed (i.e., handwritten) on the contract near the signature line. Images
of the signed contract could be exchanged between the signatories. Each would
be guaranteed that the content of the contract was exactly the same.
In accordance with still another embodiment of the invention, the output tray
734 may be provided with one or more interrogation devices 734a disposed as
illustrated, for example, in FIG. 1. In this embodiment, any documents having
physically associated RFID tags can be monitored for movement in the output
tray. This can include monitoring for a change in position of the document,
or its removal. When sensitive material is left in the output tray, it might
be desirable to detect a change in position which can indicate that someone
moved some documents to have a look at the sensitive information.
When movement is detected, an appropriate signal from the interrogation device(s)
is produced as discussed above. The interrogation output signals 714b can be
sent to the detection module 706. The detection module can then signal the recording
device 708 to capture audio and/or visual information of the vicinity to record
the event and the individual who caused the event. This information can then
be sent to the server 710 along with information obtained by the detection module
from the output tray to record what document was moved (or removed), when the
event occurred, and the individual who caused the event.
The server 710 can act as a central database to store the document history mentioned
above. Document history can be accumulated in numerous ways. For example, "unconscious
capture" of documents is a technique whereby automatic document capture occurs
without being initiated by the user. Such techniques are disclosed in commonly
owned U.S. Pat. No. 5,978,477 and U.S. patent application Ser. No. 09/347,953,
filed Jul. 6, 1999, the entire contents of which are herein incorporated by
reference for all purposes. Other document capture schemes, of course, can be
used to create the document history database. The history that is accumulated
can then be searched based on content to retrieve documents and to view their
security histories.
A desirable characteristic of the document security system of the present invention
would be for the documents to carry their security histories in the RFID chips.
This can be accomplished by using re-writable RFID chips. Thus, in accordance
with another embodiment of the present invention, a re-writable RFID tag can
be used to store portions of the document history. Referring back to FIG. 7,
the RFID interrogation devices 732a and/or 734a can be configured to produce
signals suitable to effect storage of information on re-writable RFID tags disposed
in the documents.
Re-writable RFIDs allow users to easily determine information like when the
document was printed, when it was removed from the output tray, who removed
it, when it was moved on a desktop, etc. Storing the security history on the
chip simplifies later access to that information since a network connection
or retrieval from a central database are not required. It is can be appreciated
that similar history information could be computed for documents that do not
have re-writable chips (i.e., simple read-only chips). Such information would
be stored in a central database (e.g., component 710 in FIG. 7) for storage
and retrieval of that information.
In an implementation of this embodiment of the invention, the security history
of a document includes information representative of the locations where a document
was present, when it was present at those locations, when it was moved while
at those locations, and when it was removed from those locations. An example
of an entry in such a history might be: "15 page document 215624" printed Printer.sub.--8780
"Aug. 12, 1998" 15:47
This identifies the document generically as a 15 page document and associates
that with a unique identification number that can be used to retrieve the contents
of the document from a central database. It also identifies the device it was
printed on (Printer.sub.--8780) and the date and time when it was printed. Of
course, this information could be compressed with generally well known techniques
such as zip to reduce the storage space required on the chip.
The next entry in the history list would show the date and time when the document
was removed from the output tray of the printer: "15 page document 215624" removed
Printer.sub.--8780 "Aug. 12, 1998" 16:08
This could be performed by the interrogation devices 732a and/or 734a that monitor
the motion of the RFID chip attached to this document. The device(s) could include
circuitry that writes the memory of the chip at the instant when the document
is removed from the output tray.
However, it is possible that the speed of the physical removal from the tray
may exceed the speed of operation of that circuitry. In an alternative embodiment,
the device(s) could include rewriting circuitry that constantly rewrites the
last history entry (the "removed" record) in a chip. This can be done while
the document is present in the output tray but before it is moved. In this way,
no matter how fast the document is removed, the time of that removal can be
recorded.
FIG. 8 is a flowchart highlighting the steps for the rewriting process of the
rewriting circuitry. When a document comes into contact with the document security
system, it reads the entry in the RFID tag in a step 802. If it is determined
in a step 801 that the tag does not contain a "removed" record, then it is added
in a step 806. If there is a "removed" record in the tag, then the history rewriting
circuitry, in a step 803, will determine whether the amount of time since the
last history update exceeds a threshold, t2. If any of these conditions are
satisfied, a new "removed" record is added to the history list (step 806) and
the updating process begins again (step 810). If the threshold t2 is not exceeded
in step 803, then the stored recorded time record is simply replaced in a step
804 by a record with the current time. It can be appreciated that this same
updating algorithm could be used for an output tray monitoring application,
a desktop security implementation, or other similar document tracking system.
However, the time threshold value might be different.
A modified version of this algorithm (shown in FIG. 9) could also store an image
in the "removed" record captured by a camera attached to the security system,
step 902. Even though many irrelevant images might be captured, the algorithm
would guarantee that the image finally stored in the "removed" record would
be of the person who removed the document from the device.