ANONYMOUS SCREENING WITH CHAIN OF CUSTODY SENSOR INFORMATION

Information

  • Patent Application
  • 20230186216
  • Publication Number
    20230186216
  • Date Filed
    February 07, 2023
    a year ago
  • Date Published
    June 15, 2023
    a year ago
Abstract
A method includes receiving distributed sensing information on one or more characteristics associated with a subject from distributed sensors distributed between a starting location spaced from a resolution location and the resolution location. If the subject is sensed by the plurality of distributed sensors, in combination without any break in chain of custody (“COC”), the method does not adjust a reliability of the distributed sensing information caused by any break in COC. If there are one or more time gaps in the COC, the method determines one or more COC factors based on the time gaps and adjusts the reliability of the distributed sensing information based on the one or more COC factors. The method determines a trust score of the subject to assess security concern of the subject based on the distributed sensing information and the reliability thereof, and resolves the security concern based on the trust score.
Description
FIELD OF THE DISCLOSURE

This application generally relates to methods and apparatus for anonymous screening of people and items without utilizing personal identification information.


BACKGROUND

Checkpoint environments, such as border and mass transit security checkpoints are complex due to a variety of factors including human and security concerns. For example, large numbers of people and their accompanying belongings present themselves for physical screening at various times that are not controlled by the entity performing the screening. As a result, the deployed resources may be unable to accommodate the demand within an acceptable time period. Furthermore, a one-size-fits-all approach to security screening may not be efficient, optimal, or even adequate.


SUMMARY

Customization of screening procedures based on aggregate sensor observations is described in this disclosure. In embodiments, by using N number (N is > 1) anonymous sensor observations, an individual may be intelligently routed to appropriate security screening based on, for example, categorization and risk thresholds determined using the aggregate N observations without personal identification of the individual or utilizing personal information of the specific individual. As described in this disclosure, a subject’s attributes may be screened using sensors. The subject may be safely screened without personal identification. Accordingly, the novel chain of custody (“COC”) screening embodiments disclosed allow a subject’s identity and personal information to remain private and protected while providing improved screening procedures. A targeted screening means screening that is targeted at a subject (individual or item/article), which may be a personal screening or a physical screening on the subject. This process is referred to as wayfinding for targeted screening of individuals and associated items. The systems, devices, techniques, and approaches described herein can be used in a variety of screening situations including, but not limited to, mass transit, border security, correctional facilities, department of motor vehicles, sporting events, testing centers, and so on as understood by one of skill in the art.


In embodiments, computer-readable storage media embodying computer-readable instructions that are executable by a computing system is described. In an example, the instructions are operative to respond to receipt of information such as aggregate observations information and determine based on the information which category of a plurality of categories an item is to be associated. This can be done for a physical screening process to be performed in which respective categories correspond to different thresholds. The threshold can be applied in the physical screening process that is part of a transaction such as a security screening. The information for the category can be electronically communicated to an electronic device configured to direct the item responsive to receipt of the information to an area that corresponds to the category so the item is screened in the physical screening process to the threshold associated with the category.


In accordance with an aspect, a method comprises: receiving distributed sensing information on one or more characteristics associated with a subject from one or more sensors of a plurality of distributed sensors distributed between a starting location spaced from a resolution location and the resolution location, the distributed sensing information on the one or more characteristics being obtained from the one or more sensors observing a plurality of candidate subjects including the subject; if the subject is sensed by the plurality of distributed sensors, in combination without any break in chain of custody (“COC”) as the subject moves from the starting location to the resolution location, not adjusting a reliability of the distributed sensing information caused by any break in COC; if there are one or more time gaps in the COC as the subject moves from the starting location to the resolution location, determining one or more COC factors based on the one or more time gaps in the COC and adjusting the reliability of the distributed sensing information caused by the one or more time gaps in the COC based on the one or more COC factors; determining a trust score of the subject to assess security concern of the subject based on the distributed sensing information and the reliability of the distributed sensing information; and resolving the security concern of the subject based on the trust score of the subject.


In accordance with another aspect, a screening system comprising a memory and a processor which is programmed to: receive distributed sensing information on one or more characteristics associated with a subject from one or more sensors of a plurality of distributed sensors distributed between a starting location spaced from a resolution location and the resolution location, the distributed sensing information on the one or more characteristics being obtained from the one or more sensors observing a plurality of candidate subjects including the subject; if the subject is sensed by the plurality of distributed sensors, in combination without any break in chain of custody (“COC”) as the subject moves from the starting location to the resolution location, not adjust a reliability of the distributed sensing information caused by any break in COC; if there are one or more time gaps in the COC as the subject moves from the starting location to the resolution location, determine one or more COC factors based on the one or more time gaps in the COC and adjust the reliability of the distributed sensing information caused by the one or more time gaps in the COC based on the one or more COC factors; determine a trust score of the subject to assess security concern of the subject based on the distributed sensing information and the reliability of the distributed sensing information; and resolve the security concern of the subject based on the trust score of the subject.


Another aspect is directed to a tangible computer-readable storage medium configured to store processor-executable instructions that when executed by a processor cause the processor to: receive distributed sensing information using one or more sensors on one or more characteristics associated with a subject, without personal identification of the subject, from one or more sensors of a plurality of distributed sensors distributed between a starting location spaced from a resolution location and the resolution location, the distributed sensing information on the one or more characteristics being obtained from the one or more sensors observing a plurality of candidate subjects including the subject; if the subject is sensed by the plurality of distributed sensors, in combination without any break in chain of custody (“COC”) as the subject moves from the starting location to the resolution location, not adjust a reliability of the distributed sensing information caused by any break in COC; if there are one or more time gaps in the COC as the subject moves from the starting location to the resolution location, determine one or more COC factors based on the one or more time gaps in the COC and adjust the reliability of the distributed sensing information caused by the one or more time gaps in the COC based on the one or more COC factors; determine a trust score of the subject to assess security concern of the subject based on the distributed sensing information and the reliability of the distributed sensing information; and resolve the security concern of the subject based on the trust score of the subject.


In other embodiments, an alternative approach may characterize a break in COC as a type of sensor discrepancy. In accordance with another aspect, a method comprises: sensing one or more anonymous characteristics of a subject with a plurality of distributed sensors; assessing risk information using information on one or more anonymous characteristics associated with the subject from one or more sensors of the distributed sensors between a starting sensor location spaced from a final sensor resolution location; establishing a chain of custody (COC) risk factor based on sensor data corresponding to the anonymous characteristics of the subject; adjusting the COC risk factor based on discrepancies in the COC using data collected in the distributed sensors corresponding to the anonymous characteristics of the subject; maintaining the COC risk factor in accordance with risk thresholds set for discrepancies in the COC; if there are one or more discrepancies in the COC, determining one or more COC factors based on the one or more discrepancies in the COC and adjusting the reliability of the distributed sensing information caused by the one or more discrepancies in the COC based on the one or more COC factors; determining a trust score of the subject to assess security concern of the subject based on the distributed sensing information and the reliability of the distributed sensing information; and adjusting a security response of the subject based on the trust score of the subject using anonymous characteristics of the subject.


This Summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.





BRIEF DESCRIPTION OF THE DRAWINGS

The like numbers are used throughout the drawings to reference like features.



FIG. 1A illustrates an example of a process of causal relationship security screening according to an embodiment.



FIG. 1B illustrates an operating environment for distributed sensors aggregate observations in which the inventive principles can be employed in accordance with one or more embodiments.



FIGS. 2A, 2B, and 2C illustrate operating environments for targeted screening in which the inventive principles can be employed in accordance with one or more embodiments.



FIG. 3A illustrates one example embodiment of a traveler being processed through a security checkpoint according to the present invention.



FIG. 3B illustrates a security checkpoint utilizing dynamic thresholding for items based upon geolocation wayfinding of items in accordance with one or more embodiments.



FIG. 4 schematically illustrates an example of the tracking of a subject using a plurality of distributed sensors without personal identification of the subject and any break in chain of custody (“COC”).



FIG. 5 schematically illustrates an example of the tracking of a subject using a plurality of distributed sensors without personal identification of the subject and with one or more breaks in COC in the form of time gaps in tracking the subject.



FIG. 6 schematically illustrates an example of adjusting the distributed sensing information based on COC factors for the tracking of the subject using a plurality of distributed sensors as shown in FIG. 5.



FIG. 7 is an example of a flow diagram illustrating a method for determining a trust score of a subject based on distributed sensing of the subject.



FIG. 8 is an example of a flow diagram that describes steps for dynamic thresholding that can be used in conjunction with geolocation wayfinding disclosed in this document in accordance with one or more embodiments.



FIG. 9 illustrates an example configuration of resources including third-party resources that can be implemented in conjunction with the devices, systems, methods, approaches, and techniques disclosed in this document.





DETAILED DESCRIPTION
Overview

Inefficiency in physical screening processes arise for a variety of reasons. These inefficiencies can result in delay, user dissatisfaction, and inefficient use of deployed resources including physical and human resources. Delay and inefficiency can be caused by more intensive screening beyond that indicated based on available information. For example, a checkpoint that implements a single intrusiveness threshold is more time consuming and resource intensive for a group of individuals even though available information based on aggregate observations for individuals in the group indicates a lower threshold or application of different physical resources or screening procedures is warranted. Time and resources applied to screening individuals and items to which a lower threshold could be applied is an inefficient use of resources.


Another reason for system inefficiency is the failure to factor outcome information from one screening to another or subsequent screening that is related by, for example, a predetermined common information. Multistep screening processes often are siloed with no use of information generated from one screening process into the configuration of resources and procedures used in a subsequent screening process. For example, information garnered from examining luggage is not factored into physical screening of the individual or other individuals associated or related to that individual or luggage.


A further drawback is that multistep physical screening and resources used for this screening cannot be reconfigured or the process of reconfiguration is inefficient. This drawback, as with the other identified issues, is made more complex by limited resources including human and physical resources. For example, over the course of a day the composition of the items being screened can vary among categories indicated by the available information for individuals based on aggregate observations and other items included in the group. As a result, some individuals and their items may be screening at a higher threshold of intrusiveness than is indicated by their respective information or associated with a category to which the item belongs. This may delay the individual and waste resources.


Reconfiguring resources is challenging as the composition of the items to be physically screened may yet again change, such that the reconfigured resources (e.g., a second configuration) is inefficient relative to the composition by category of the then existing group (e.g., a second group). In some instances, it is preferable to implement an existing configuration (e.g., a first configuration) even though by category the composition of the then existing or second group indicates the second configuration would result in greater efficiency. This may be done because, for example, an anticipated third group having a particular composition by category is associated with another resource configuration. This is made more challenging as the presentation of items in a cohort may be fluid rather than being segregated into distinct boluses of items and individuals. Instead of changing from a first resource configuration to the second and then to a third, the resources can be reconfigured from the first to the third with individuals and items from the second group being handled on an ad hoc basis to make use of the resources in one or more of the first or third configurations to achieve a dampening effect.


Before discussing an example operating environment, it may be useful to understand the operation and resources associated with physical screening process used for individuals and other items for security and compliance with guidelines such as laws, rules, regulations, and so forth.



FIG. 1A illustrates an example of a process of causal relationship security screening according to an embodiment. Upon arriving at a site such as an airport, the individuals are exposed to initial sensor measurements by a plurality of distributed sensors prior to reaching the security screening area. The distributed sensors may be of different modalities and provide aggregate observations of the individuals and their associated items. Each individual (or item) may be assigned a unique identifier (ID) by the distributed sensing system which controls the distributed sensors. As the individual moves from the arrival point to the security screening area, a chain of custody of the individual and associated items is preserved by keeping track of their movement using, for instance, terminal-wide video surveillance and video analytics, the individual’s mobile device or phone, or the like. In some embodiments, the unique ID assigned by the distributed sensing system may be merged with or otherwise correlated with the individual’s identifier associated with his/her mobile device which may be a smartphone. The individual then checks in for the flight, for example.


The tracking of the subject can be done anonymously without knowing the identity of the subject individual or of the individual in possession of the subject article. The system may be configured expressly to avoid identifying the individuals using facial recognition or personal mobile devices or phones or the like. The capability of the system to perform threat or risk assessment and resolve security concerns anonymously without using personal identity information associated with the subject is a unique feature of embodiments of the invention. Unless specifically stated otherwise, the tracking as described in this disclosure may be anonymous tracking of an individual (i.e., unknown specific identity -- not using personal information of the individual) or known tracking (i.e., known specific identity of the individual using personal information).


While tracking may be anonymous with respect to personal identification, in order to establish a chain of custody, observations of the individual i.e., tracking information collected by sensors, must be definitely linked to an individual in order to track the individual through a venue. This could be accomplished in a number of ways, some of which may include the use of traditional identifying technologies (e.g., facial recognition and biometrics), but the information would be used, in the case of unknown identity tracking, to match observations, but not tie back to a specific identity of the individual, e.g., the name of the individual, or the like.


In one example, an individual may elect or acquiesce to have biometric markers (e.g., video/photo for face identification) collected at a station. The information can be linked to the individual but without revealing specific personal information, e.g., name, address, or the like. The individual may then be video tracked, for example, throughout the venue by distributed sensors. Those biometric markers may be measured or captured at other stations or via other scanners. The collected information may be used to validate that it is the same individual, before all the distributed sensor data is aggregated and associated with that individual. This is an example of using biometrics as criteria for re-identification, without linking the data to a specific individual’s identity such as a name or biographical information or other personal information.


Before the individual reaches the security screening checkpoint area, an initial threat assessment of the subject (individual or associated item or article) may be made based on the aggregate observation information. The subject may be assigned to a category based on the risk or threat assessment. The information for the category can be electronically communicated to an electronic device configured to direct the item responsive to receipt of the information to an area that corresponds to the category so the item may be screened in the physical screening process to the threshold associated with the category. Targeted checkpoint screening may be conducted to assess remaining thread possibilities in the checkpoint phase and to resolve them in the resolution phase. Next, the information from a previous targeted screening may be used as information or a factor for determining what category the item or individual is assigned for a subsequent targeted screening process. In the adjudication phase, the process may perform a final thread assessment and validate approval of the individual to proceed.


Targeted screening is one example of resolving security concerns from the threat assessment of the subject based on the aggregate observation information which may be collected by distributed sensors that track candidate subjects from a starting location to a resolution location such as a targeted screening area. Other ways to resolve security concerns include, for example, denying entry/passage of the subject (individual or article) which would be a more cautious or risk-averse approach, or detaining the subject in a holding area while collecting additional information on the subject to determine the appropriate course of action, or granting the subject entry/passage while closely monitoring and tracking the subject manually and/or electronically and taking appropriate action to neutralize the subject if necessary.


The distributed sensors aggregate observations information and any prior targeted screening results are used to tune subsequent targeted screening process. It produces a causal relationship security screening procedure. The use of the distributed sensor aggregate observations information may help minimize the amount of targeted screenings to reach the adjudication phase.


In FIG. 1B, an individual 102 arrives at an airport in a vehicle at the curb or a train at a train station. From the arrival point as the starting location until he reaches the security screening area, The passenger may be exposed to a plurality of sensors 116A-116N including surveillance cameras, Advanced Inspection Technology (AIT) devices that use centimeter wave technology such as centimeter wave scanners, and the like. The sensors 116A-116N may be operated by sensing systems 118A-118N which include processors for controlling the sensors 116A-116N, memories for storing data, and communications subsystems for communicating with other devices and systems (e.g., wirelessly). These distributed sensors can be located at airport entrances, adjacent to doors, behind walls or billboards, and at different elevations and angles to capture different parts of individuals and items rolling on the floor or carried near the waist level or shoulder level. They do not target any one individual 102 but observe a plurality of candidate subjects including the passenger 102 to collect information on the characteristics of the candidate subjects.


The characteristics being collected by the distributed sensors may include physical characteristics (e.g., based on shape, size, chemistry, biotechnology, biometric, electronics, acoustics, smell, or the like) and other characteristics or attributes (e.g., based on artificial intelligence (“AI”) patterns such as AI powered predictive analytics, identifying patterns and anomalies with AI, recognition pattern using machine learning and other cognitive approaches to identify and determine object or other desired things to be identified with image, video, audio, text, or other primarily unstructured data, or the like).


The sensing systems 118A-118N may be third party resources that are communicatively coupled to the computing resource 140. Example third-party resources include computing systems owned, operated, and/or maintained by entities that provide or exchange information with systems in accordance with the present disclosure. Example third-party resources include resources operated by other government agencies or entities, private businesses, and even private individuals, and so forth. The sensing systems 118A-118N form a distributed sensing system.


In some embodiments, electronic communications (whether wired or wireless) between the electronic devices and the third-party resources 118A-118N occur with the computing resource 140 or are routed through the computing resource 140 to minimize the risk of unauthorized access or activity. In additional embodiments, the computing resource 140 is configured to obtain predetermined types of information. While this may be accomplished in a variety of ways, in embodiments the computing resource is programed to communicate a request to third party resources for information that corresponds to items/individuals that are anticipated (e.g., registered) to appear for screening.


In examples, the computing resource or a central resource (computing) electronically places such a request to the third-party computing system with which it has a preexisting relationship (e.g., username, password, authentication protocol, data protection scheme (such as common encryption methodology)). This request may include a unique identifier that is used by the computing resource when the third-party computing system provides responsive information. In examples, this unique identifier is not used by the third-party system, e.g., is not meaningful or not used as basis for identifying responsive information maintained in a data structure maintained in conjunction with the third-party computing system. For example, the computing resource provides an automatically generated unique identifier with a request for information to the third-party system even though the third-party system is “unaware” or does not make meaningful use of the unique identifier. In instances, this is done so when the third-party resource provides the requested data, it returns the unique identifier, so the computing resource can match the returned data to the corresponding data record or electronic request for information.


The computing resource 140 may be prohibited from obtaining/ receiving/ implementing predetermined types of information, sources, and so forth for a variety of reasons, including but not limited to cyber security. For example, the computing resource 140 includes software that inspects received information for malicious executable code, information types (e.g., image files) or other predetermined types of information corresponding to potential threats. In another example, the computing resource 140 can screen/vet received information, such as to determine if it is well formed or complies with predetermined rules maintained in for instance a registry of rules that the computing resource uses for compliance purposes.


In specific embodiments, the passenger 102 can be located and/or identified (both based on device settings) via his smartphone 106. He may check in or make a system of the present disclosure aware of his presence through use of his smartphone 106 or a touchpoint (illustrated as a kiosk 208 in FIG. 2A), such as one operated by an airline, an airport authority, or a government entity, such as the U.S. Transportation Security Administration (TSA). Electronic communication of this information can be done automatically by the passenger’s smartphone performing a handshake procedure with the cloud service 122 via a wireless beacon (hereinafter “beacon”) 124, e.g., a wireless router with beacon capability.


Depending on design/user preference, the smartphone 106 can provide location information generated within applications on the smartphone to other devices (e.g., the sensing systems 118A-118N controlling the distributed sensors 116A-116N in FIG. 1B) and computing resource 140. Depending upon the operation of these applications during the handshake, the smartphone 106 may provide biometric information regarding the traveler. For example, the smartphone 106 obtains fingerprint information from the traveler, face identification information, and similar information to confirm the traveler is a known party in possession of the smartphone 106 while the above communication occurs.


In another example, the sensing systems 118A-118N keep track of the individual and/or associated items without involving a smartphone 106. Instead, the sensing systems 118A-118N rely on certain characteristics of the individual and/or associated items captured by the distributed sensors 116A-116N (e.g., video images or scanner images). The distributed sensing system 120 may assign a unique ID to the individual or associated item being tracked and communicate the sensor data and location information of the tracked individual or associated item to the computing resource 140 until the tracked individual or associated item reaches the security screening area. The distributed sensors aggregate observations data can be used by the computing resources to dynamically set a threshold associated with a level of inspection or screening that is to be applied to the individual or associated item during the targeted screening. For example, the computing resources may determine, based on the information on the characteristics, which category of a plurality of categories is to be associated with the subject for a targeted screening process to be performed in which respective categories correspond to different thresholds applied in the targeted screening process, and electronically communicate information for the category associated with the subject to an electronic device, to direct the subject to a location of the targeted screening area which corresponds to the category, for performing the targeted screening process of the subject corresponding to a threshold associated with the category. The computing resources may merge or other correlate the unique ID assigned by the distributed sensing system 120 performing the aggregate observations with the individual’s identifier associated with his/her smartphone when both are available.


Take for example a screening checkpoint at an airport 200A, an example of which may be see in FIG. 2A. Upon arriving at the airport, an individual (e.g., a passenger) 202 may exit a vehicle at the curb or a train by the airport, enter the terminal building, and walk through the lobby before reaching a security screening area. The individual and associated items (e.g., luggage) may be exposed to observations by a number of devices such as surveillance cameras and various types of sensors. The distributed sensors aggregate observations of the individual and associated items will generate information (including, e.g., a risk category or level) that can be used to determine the appropriate level of targeted checkpoint screening for the individual and associated items at the security screening area.


For example, the passenger arrives at Reagan National Airport (DCA) with a checked bag (a bag which he intends the airline to handle throughout his journey) and an eponymously named “carry-on” bag 230. In this instance, the passenger, his checked bag, and carry-on 230 are screened by the TSA to promote security. Prior to or at the airport, the passenger may “check-in” with the airline on which he is traveling to confirm his intent to travel, such as by selecting a seat. The passenger may do this on his mobile device (e.g., smartphone) 206 or at airline or airport touchpoints 208 (e.g., kiosks) to effectuate this check-in. He may also print a boarding pass 210 which functions as a token that the individual is entitled to board a plane. Although check-in may be a separate process, in some examples it is tied to or effectuated by another process such as depositing a checked bag.


In examples, a bag drop station (which may include a touchpoint 208 and a mechanism to receive items that are to be handled by personnel, e.g., an automated bin or conveyor system) functions as a check-in. As in some examples, this may be the first interaction between the individual (via a device typically including a graphical user interface (GUI)) and a system such as that disclosed herein.


In instances in which a smartphone 206 is used, the boarding pass 210 may be associated with an electronic receipt that can be output on a display included in the phone 206. Oftentimes the electronic receipt is manifest as two-dimensional barcode or Quick Response code (QR CODE, Denso Wave Inc.) although other technologies are available. Instead of using an optical medium, for instance, a wireless technology can be used to communicate the information. An example is the use of near field communication (NFC) wireless technology and/or Wi-Fi to communicate information such as a unique identifier or information associated with the individual, his/her travel arrangements, or related items, which in some instances may interrelate people, e.g., the passenger to his mother and father. If the passenger is traveling with other individuals, as can be indicated in the reservation information described above, related data corresponding to these individuals can also be present and utilized in the processing as described herein.


For example, upon depositing a bag for a flight via a system, such as a computerized airline management system, the passenger checks in for his flight and requests a seat according to his window preference, in this example a business class preferred status contained in his preexisting airline profile. As will be appreciated, the passenger’s checked luggage (bag) may undergo screening to determine whether it contains any prohibited items as shown in FIG. 2C. An X-ray scanner or a computer tomography (CT) device 212 may be used to screen the bag. This device in the case of a category “X” or “1” airport may be located remotely from the check-in and connected by an automatic baggage handling system that directs the bag using conveyors, moving bins, and baggage sorters (electro-mechanical devices that direct luggage) to the appropriate device for screening. A variety of other electro-mechanical devices can be used for a variety of purposes in conjunction with routing items, these include sensors, sorters, conveyors, beam breaks, RFID readers, carts, electro-optical readers including, but not limited to, laser readers, scales, loaders, and so forth as understood by one of ordinary skill in the art.


As a note, luggage 229 such as the passenger’s bag, and other items may be associated or have attached a machine-readable tag that is optically readable or can communicate wirelessly using radio frequency identification (RFID), in part so it can be readily identified or located. For example, an adhesive tag with a passive RFID “chip” is attached to the handle of checked luggage bag, so it can be identified/tracked as it passes through the system and, in the case of an airport, on to an awaiting plane. The RFID tag may include information about the item with which it is associated and/or it may reference a record or records maintained in a computer-enabled data structure such as a computer database, e.g., an ORACLE (Oracle, Inc., Redwood Shores, CA) relational database. In embodiments, the database can be structured to interrelate.


In the case of smaller (by passenger volume) airports, the passenger may be directed to drop his checked bag off at a location that is near the X-ray or CT device that is adjacent to a check-in touchpoint or counter. The output of such devices like those at category “X” or “1” may be read via computer-implemented recognition system based on one or more of density recognition, shape detection, or other detection mechanism based on physical/chemical properties. This may be done automatically such as by operation of computer-implemented hardware and software that implement an algorithm to screen the item, and may culminate in or have as a penultimate result operation of an electromechanical device, such as a luggage sorter (e.g., a pneumatically or mechanically actuated pusher) that directs the offending item (e.g., luggage, bag) for rejection or additional screening although other physical results are contemplated.


In instances without the benefit of the distributed sensors aggregate observations information, the passenger and his items may be subjected to targeted screening at a predetermined threshold of intrusiveness designated not based on his profile or those of a category to which he belongs, but that of the traveling public at large. A similar situation may apply to a portion (and perhaps a large portion) of the traveling public. When distributed sensors aggregate observations information is available, however, the level of targeted screening can be determined based on the distributed sensors aggregate observations information. Individuals and their associated items are subjected to targeted screening to a higher level of security/scrutiny when the aggregate observations information indicates a relatively higher level of security concern. Thus, more invasive, time-consuming screening procedures may be used to ensure a predetermined uniform level of security than is applicable to the particular item or category of items. This results in increased time, cost, and more invasive inspection in instances in which the individual and any items, such as articles associated with the individual, are screened to a relatively greater degree. A relatively lower level of targeted screening is used when the aggregate observations information indicates a relatively lower level of security concern.


While a TSA checkpoint is described, the foregoing is generally applicable to other types of physical screening processes at, for example, border crossings (e.g., U.S. Customs and Border Protection Ports-of-Entry), concerts (perhaps looking for alcohol or a weapon), cruise ship boarding (perhaps looking alcohol), testing centers (perhaps looking for “cribbed” notes or a smartphone), and so forth. For example, if the passenger were returning to the United States of America from a trip abroad, he would have to pass through U.S. Customs. These customs inspections may include authentication of his identity, identification of prohibited items (e.g., undeclared foreign fruit, salted cured meats, raw milk cheese products), cash (at present in excess of $10,000), and so forth.


Continuing on with the passenger’s holiday trip as shown in FIG. 2B, he proceeds to the targeted screening environment 200B after dropping his checked bag 229 that may accomplish a variety of physical screening functions. For example, a checkpoint is established to screen any carry-on items, such as small bags like briefcases, purses, overnight bags, articles carried on the individual’s person, and so forth. The checkpoint may also be constructed to screen the individual himself/herself. This scanning may include any personal items carried on the individual or not deposited for check in inspection. These physical screenings (carry-on articles and individuals) can be conducted co-extensively, substantially co-extensively, or on a serial basis based on a variety of considerations as contemplated by a person of ordinary skill in the art. It is to be appreciated that this check may be the first targeted physical screening interaction if, for example, the passenger did not have a checked bag.


Implementing the system, method, devices, techniques, approaches, disclosed herein, information (e.g., information related to the outcome or the result of one screening process) can be used to inform another screening and the system, devices, etc. implemented to effectuate a subsequent screening. For example, in a first physical screening information related to an individual or other item to be screened can be used to determine how to route the item based on a category of the item. Thus, the person can be directed to, for example, an Advanced Inspection Technology (AIT) device that uses millimeter wave (MMW) technology, for physical screening to determine if any prohibited items are present or the absence thereof. In the previous example, the category assigned to the item is associated with a threshold of the device (machine) used to conduct the screening. This can be done on a per item basis or on a categorical basis in which items in the category are associated with or poses particular one or more characteristics that are common to individual items in the category, but not shared at large among items in a group. It is to be apparent that the group may include multiple categories defined by the characteristic or predetermined categorization, e.g., high, medium, low (relative to one another). For example, an item corresponding to “low” is directed to an area, such as a luggage queuing area, or the device itself to be scanned by a CT machine operating at a predetermined threshold corresponding to low. In contrast, a “high” item is directed to an area corresponding to a CT machine operating to a higher degree of specificity relative to the “low” machine. It is to be appreciated that the devices themselves (e.g., the high and low device) may operate in the same or substantially the same manner or degree while a computer-implemented algorithm analyzing the output of the CT applies a more rigorous standard to an item scanned to a “high” or higher degree than that of a “low” or comparatively lower degree relative to the higher degree. As will be appreciated, the various device outputs and/or information derived from the various screenings can be included in or otherwise associated with a record with the individual or item in a database or other data structure for implementation in subsequent physical evaluation.


Having provided a brief narrative of a physical screening process, the details, structures, operations, and configurations of various embodiments in accordance with the present disclosure are provided. It will be appreciated that the narrative and following details are explanatory only and are provided to aid the reader in understanding the principles of this disclosure in accordance with the understanding of one of ordinary skill in the art.


Operating Environment


FIG. 1B illustrates an operating environment for distributed sensors aggregate observations in which the inventive principles can be employed in accordance with one or more embodiments. An individual, such as a passenger arriving at an airport, can be located and/or identified (both based on device settings) via his smartphone 106. This can be done using a variety of technologies and approaches, such as by geolocation using a GPS functionality included in his smartphone (e.g., a GPS transceiver), beacon technology (e.g., BLUETOOTH, Wi-Fi), RFID, NFC technology, Wi-Fi beacon technology that in some instances in addition to locating the passenger via his phone can be used to provide information such as location aware information and so forth as understood by one of ordinary skill in the art. An example of the latter is the system providing the passenger with wayfinding and other information about his travel status, checkpoint information, or advertisements on his phone. This may be done using a variety of approaches such as text messaging, providing visual cues (a map or step-by-step instructions) in an application.


In embodiments, the passenger checks in or makes a system of the present disclosure aware of his presence through use of his smartphone 106 or a touchpoint (illustrated as a kiosk 208 in FIG. 2A), such as one operated by an airline, an airport authority, or a government entity, such as the TSA. Meanwhile, the distributed sensing system 120 may communicate the sensor data and location information of the passenger or his associated item to the computing resource 140 until the passenger or his associated item reaches the security screening area. The computing resource 140 may assign a unique ID to track the passenger or his associated item of interest, or it may do so using his smartphone.


In the current example, the passenger could do this (presuming he has previously or currently configured his smartphone to do so) to make the system aware of the location of his phone/him and permitted it to provide information, such as biographic information, e.g., name, date of birth, unique identifier (e.g., driver’s license number, concatenated name date of birth), passport number, airline frequently flier number, redress number, known traveler number, boarding pass number or machine readable information (e.g., 2D barcode), redress number, address, or the like. In embodiments, this information includes information associated with his contemporaneous travel plans (his upcoming flight) and/or historical information such as previous travel information.


Electronic communication of this information can be done automatically by the passenger’s smartphone performing a handshake procedure with the cloud service 122 via a wireless beacon (hereinafter “beacon”) 124, e.g., a wireless router with beacon capability. In other examples, based on design preference and device settings a user may have to manually authorize communication/establishing of a communication link. This can be done through use of biometric identification (fingerprint, voice print, facial image, iris image, vein pattern); use of a personal identification number or password; challenge/knowledge questions; or simply constructing a graphical user interface (GUI) output on a display included on the smartphone to display a button that is useable to cause the smartphone to submit or communicate the information via one or more of a wireless (Wi-Fi) communication, limited range wireless communication, BLUETOOTH (Bluetooth SIG, Kirkland, WA) communication, cellular communication, or the like as understood by one of ordinary skill in the art for electronically communicating information.


Upon arriving at an airport, a passenger may have in his/her possession a mobile computing device, e.g., a smartphone 106. Upon arriving at a predetermined location such as within Wi-Fi beacon range (presuming the smartphone is enabled and has suitable hardware/software (e.g., an “app”) the smartphone 106 communicates with the beacon 124 to establish its presence, e.g., identify itself to the beacon 124. This may be done in a variety of ways such as the smartphone signaling the beacon 124 upon it identifying the existence of wireless radio signal from the beacon. In another example, the beacon 124 polls (e.g., “calls out”) to mobile-enabled devices to signal the beacon’s availability for communication. For instance, the beacon 124 may poll a mobile device to report its current location. The electronically communicated information may include a customizable map and instructions that cause the mobile device to ascertain its current location and plot a representation of the current location and area on the map. The wireless beacon 124 may be usable by the mobile device to ascertain its location and provide a response to the computing system. The response may include information contained in a signal that is usable to verify the mobile device’s presence in a predetermined area.


In some instances, the devices perform an electronic handshake to establish a communication channel that permits bi-directional communication. Depending on design/user preference, the smartphone 106 can provide location information generated within applications on the smartphone to other devices (e.g., the sensing systems 118A-118N in FIG. 1B) and computing resource 140. Depending upon the operation of these applications during the handshake, the smartphone 106 may provide biometric information regarding the traveler. For example, the smartphone 106 obtains fingerprint information from the traveler, face identification information, and similar information to confirm the traveler is a known party in possession of the smartphone 106 while the above communication occurs. In another example, a computing resource within the system matches traveler identity information with other identifying information, which may be used in conjunction with the distributed sensors aggregate observations information to dynamically set a threshold associated with a level of targeted screening that is to be applied.


As discussed above, the distributed sensors may track movement of the passenger anonymously to establish the chain of custody, but the individual observations will need to be definitely linked to an individual. This may be achieved in a number of ways. One way involves the use of traditional identifying technologies (e.g., biometrics including face identification and fingerprints). These are used to match observations, and not tie back to a specific identity. At some point, the biometrics or other identity information may be used to identify a specific identity. For example, the specific identity of the passenger may be used to set the level of targeted screening that is to be applied.


Referring now to FIGS. 2B and 2C, example environments 200B and 200C for targeted screening that can make use of the devices, systems, computer readable instructions, processes, approaches, and methods of the present disclosure are described. The principles of this disclosure are described in conjunction with sample environments to aid the reader understanding the technologies. The environments are not necessarily restrictive of the embodiments disclosed therewith. As illustrated, individual devices in the environment can be varied based on design preference, environmental, operational, and similar factors as contemplated by one of ordinary skill in the art.


As illustrated in FIG. 2A, the environment 200A includes one or more systems that support a variety of physical screening processes that implement devices such as electromechanical devices to perform targeted physical screening related functions. For example, the environment is or includes a TSA checkpoint, a concert security point, a test center check-in, a prison intake area, the security checkpoints for a facility (e.g., all or substantially all the security checkpoints for an airport), a Customs and Border Protection Port of Entry or so forth as understood by one of ordinary skill in the art.


As illustrated a system, such as one operating at a check-in location, includes one or more of the above physical screening devices, for example, a CT scanner 212, and an MMW scanner 218. The physical screening devices can include devices to direct or control individuals or items (e.g., access control devices, devices to move inanimate objects), and computing resources. In embodiments, targeted physical screening includes identification of an individual, e.g., confirming the individual matches an asserted identity or identifying the individual using biometric characteristics. The various components forming the system (e.g., hardware supported by tangibly embodied software) can be communicatively coupled in a variety of ways (by arrangement or technology employed) by one or more communication networks (e.g., network 220) that comprise physical and/or wireless communication connections.


The supporting devices 212, 216, 218 as illustrated include an advanced inspection technology (AIT) also referred to as MMW technology, an electronic gate (e-gate) 216 which in embodiments includes biometric matching technology to identify an individual, and a CT scanner 212 for carry-on luggage 230. While these devices are mentioned, those of skill in the art will appreciate that other screening machines and technologies (e.g., a metal detector, trace chemical detector, magnetometer, identity verification devices, e-gates, mantrap, X-ray machine) can be included and operate to a variety of thresholds based at least in part on design preference and resources such as to perform the described functions.


Those of skill in the art will recognize that these and other functionally similar screening devices can be associated with devices that direct or otherwise control individuals and other items directed through a system and this may be done on available information maintained by the system or obtained from outside sources or output from, for example, a physical screening device or distributed sensors. Example control or access devices include access control devices; “man-traps;” electronic gates or e-gates 216; electromechanical or pneumatically operated pushers or diverters; conveyors; bin machines; and so forth that are operable to direct/control movement of individuals and items. In some instances, these devices are used to route items and/or individuals through one or more processes and corresponding devices used in targeted screening.


For example, an e-gate 216 is communicatively coupled or integrated in an AIT to control, direct, permit, stop or prevent the egress of an individual based on an outcome of the AIT scan as determined by computer-implemented automatic threat detection (ATD) software/hardware implementing a predetermined algorithm. This in some instances is done automatically, e.g., without human involvement in the device outcome determination, routing, or preventing of egress. Similar technologies and capabilities are available for handling inanimate items such as luggage, packages, and so forth. For example, a conveyor or bin system is constructed to move, direct, control, inhibit, prevent, permit movement of items through one or more screening processes supported by various devices including computer-controlled devices.


In other embodiments, an e-gate 216 directs an individual such as by moving or positioning a physical barrier, partitions, or arm(s) based on distributed sensor aggregate observations or an outcome of a prior targeted screening process or to direct, for example, an individual to a particular screening device based on a category to which the individual or item belongs. (This is illustrated via the e-gate in FIGS. 2A and 2B.) In an example of the former, upon determining further inspection is warranted, an e-gate directs, such as by physically blocking one or more egress paths, an individual to secondary or subsequent inspection as the AIT detected an object with a predetermined shape or particular density. The e-gate may physically permit the individual to proceed or direct him/her if the AIT scan results in a positive outcome, e.g., no anomalies exist to a predetermined threshold. Conversely, an access control device can prevent a person from leaving or direct him/her if an anomaly exists, e.g., the AIT scan results in a “fail” to a predefined threshold, such as calculated by a computing resource implementing an algorithm. Although binary outcomes (e.g., “yes”/“no”) are referenced, those of skill in the art will appreciate that a spectrum or range of outcomes is possible, such as being judged by a computer-implemented algorithm that detects based on one or more criteria with outcomes corresponding to from two to up to “N” outcomes. Such an algorithm can be supported by the cloud service in embodiments.


In another example, an e-gate 216 or some other access control device under computer control routes an item based on available information maintained in a data structure by, for example, a computer system implemented for this purpose or from a third-party data resource, e.g., a distributed sensing system 120. In an example, a user’s smartphone 206 identifies, by outputting a digital representation, an area for screening queue to which the individual is directed based on his/her aggregate observations information and associated risk category and/or availability of resources. For instance, the cloud service 222 wirelessly sends the user’s phone 206 a text message, provides directions or a visual representation (e.g., a map) that directs the person to a checkpoint calculated to result in a lower screening time, make use of otherwise unused resources, or for security reasons. For instance, the electronically communicated information comprises a map that indicates a current location of the mobile device and the area. The map may include a representation of a path between the current location and the area. The electronically communicated information may include step-by-step instructions from a current location of the mobile device to the area. Other wayfinding mechanisms are available as well and the system can include position location devices (e.g., wireless beacons) or native positioning technologies (e.g., GPS).


As should be appreciated from the examples, the system may include devices owned/operated by individuals that use the system and these devices may communicate using (typically) different cellular or wireless communication technologies supported by appropriate hardware/software. These devices may join, drop, and participate in the system based on various use cases and can be included or excluded from the system in a transitory manner.


In some embodiments, an e-gate 216 includes or is associated with technology (such as by communicatively coupling one or more devices either directly or indirectly) used to capture biographic/biometric information, such as may be included in an identification portion of a screening process. For example, an access control device includes a biometric/biographic information collection device supported by hardware/software. Although use of biometric collection devices, such as a kiosk having this capability is discussed throughout this document, in embodiments, a mobile device (e.g., a BYOD (bring your own device) smartphone) includes biometric information collection capability with appropriate security to ensure the integrity of the information. In this example, the access control device includes one or more image capture devices, readers (e.g., a barcode reader, an RFID reader, a BLUETOOTH transceiver), (one or more of still image or video image) to capture user biometric and/or biographic information (such as if a token like a passport, identification document, or driver’s license is used). Thus, an e-gate 216 can be configured to electronically read a user’s driver’s license by using a RFID receiver to obtain information (e.g., biographic/biometric/security information such as a digital signature). This information can come from memory included in a chip in the driver’s license or a smartphone including digital identity information (e.g., a mobile driver’s license) and/or accessed from a data structure such as through use of a machine-readable barcode or other technology such as wireless communication. In other instances, an image capture device (e.g., an optical image capture device) may obtain the information from that printed or otherwise embedded in an identification document. As is to be apparent the optical image capture device may use different frequencies of energy to capture the physically presented information in addition to indicia that indicates the authenticity or validity of the card or document, e.g., capture a holograph, ultraviolet printing, micro printing, and the like as recognized by one of skill in the art for physically securing the card or document.


In the case of the biometric information, an image capture device included in or associated with the e-gate 216 may obtain an image for use in 1:1 algorithm matching with the individual asserting the identity represented by the driver’s license. Example image capture devices are operational to capture one or more images of an individual’s fingerprint, facial features, iris, or the like that are usable to uniquely identify the individual from which the information was contained. This is an example of using biometrics or the like to identify an individual such as a passenger specifically at some point but not for tracking the passenger which the distributed sensors may do anonymously to establish the chain of custody. In this example, the identity of the passenger may be established at the e-gate 216 for security screening.


In a tokenless identity scenario, an e-gate 216 may function by, for example, comparing captured biometric information or information derived from captured information to a gallery of corresponding reference information, e.g., 1:N identification. For example, an e-gate is configured to compare one or more of a captured facial, iris, or fingerprint, or a hash thereof, to a gallery of anticipated travelers, such as based on a passenger manifest. This matching process, like other biometric matching/identification discussed in this document, can be done on a single or multi-modal basis through use of, for example, a computing resource with an algorithm that calculates whether in-question data (e.g., an image) matches reference data (e.g., an image in a reference gallery).


Similar technologies to that of the e-gate 216 or the physical screening scanners 218A-218D (including but not limited to bring-your-own-device (BYOD) scanners, e.g., smartphone) may be used based on the particular situation and operation parameters and so forth as understood by one of ordinary skill in the art. The foregoing considerations include, but are not limited to, the availability and use of, for example, a virtual private network (e.g., Internet “tunneling”), encryption, or the like. The screening processes and supporting devices may be associated on an individual basis with a predetermined threshold of intrusiveness related to a category of individuals and/or other items to be screened. In this way, a device, a combination of devices, or system of devices performing targeted physical screening processes can implement a customized or semi-customized threshold across a group.


Computing resource 240 is representative of a combination of hardware and/or software to generally manage/coordinate operation of the various devices under its control, e.g., devices forming a checkpoint. Some of the computing functionality as illustrated is provided as a cloud service 222 (e.g., a localized cloud service to a checkpoint or facility) which is virtualized from, for example, the computing resource. In the illustration, for ease of understanding, the cloud service 222 is supported by one or more computing resources, such as servers that are constructed/configured to support the described functionality. Those of skill in the art will appreciate that the illustration is representative of example embodiments; other components and arrangements are possible as understood by one of skill in the art and the capabilities of the components that form the system. In embodiments, the physical resources (hardware, software) or the functions described as performed by the cloud resource are provided in a distributed manner, such as making use of computing resources associated with or in the devices themselves to manage operation of the collective group of devices, such as those forming a checkpoint.


The capability of the cloud service 222 in this and other embodiments is supported by computing resources, such as a server or cloud service that implements one or more computer-enabled algorithms to route individuals and other items through one or more physical screening processes. The cloud service 222 (in this case) manages the system/its components to optimize or substantially optimize the available resources, for example, to minimize average user time while meeting applicable security thresholds. The server or cloud service is localized (e.g., support multiple checkpoints in an airport or geographic region) in embodiments to promote efficiency, minimize communication delay, and so forth as recognized by one of ordinary skill in the art and based on the relevant resources.


Such algorithms can implement a variety of approaches as part of determining routing, resource usage based on a variety of constraints such as security threshold, time and so forth impacting physical screening process efficiency, timing, resource allocation, and the like as recognized by a person of ordinary skill in the art. Example algorithms may use a variety and combinations of approaches/techniques for optimizing resource efficiency including, but not limited to, first-come-first-served, round-robin, heuristic approaches, best-trade-off, weighted average, swarm intelligence, and so forth, for example, to load balance individuals/items to be screened with available resources based on a variety of constraints, language capability, gender, age, physical parameters, risk category, and so on. In embodiments, a computing resource such as a server or cloud service implement information from a variety of data sources as part of its calculation that forms the basis of its routing decision. For example, initially a system calculates and routes a passenger to a particular bag drop (and corresponding threshold) based on the aggregate observations information and associated risk category of the user.


The routing may be based at least in part on an indication of a load on the targeted screening process and the indication of the load may indicate a queue status. A dynamic screening process may be configured at least in part to minimize queuing delays, and/or to minimize cost of the targeted screening process, and/or to minimize the risk associated with the subject to be screened, and/or to take into consideration a weighing of the cost and the risk.


Those of skill in the art will appreciate that in addition to information related to the individual/item, a computing resource making such a determination can be programed to account for factors such as resource availability, workload including, but not limited to, anticipated workload, and so forth impacting the various processes, and computing resource allocation.


In embodiments, a computing resource 240 (e.g., a cloud service 222) can dynamically change a threshold implemented by the system or one or more individual devices in the system. Dynamic thresholding can be done on an individual basis or on other information such as operational criteria associated with one or more of the checkpoints; a group of devices configured to operate together (e.g., a security “lane”); based on a facility (e.g., a port of entry); or on regional or national criterion. Such a dynamic thresholding for individuals and items permits efficient processing of items in a least intrusive manner utilizing only appropriate resources based on the criteria while maintaining at least a minimally acceptable level of security associated with a determined category for each individual and item. As is to be apparent due to time constraints, complexity, screening volume, and so forth, dynamic thresholding is performed by implementing an appropriately configured computer resource that, based on the output of the various components included in the system, makes a calculation (perhaps iteratively so) as to a threshold that is to be applied by the various devices, e.g., screening devices, computer resources in the system, so it applies the applicable threshold.


The particular physical screening device and corresponding threshold is implemented under computer control for a particular targeted screening based on available information, such as the aggregate observations information of one or more individuals or items associated with the individuals. As will be explained further, while a first or initial screening process in some instances is solely based on the aggregate observations information such as that determined based on data from distributed sensors at the airport from the curb to the security screening area, in embodiments information output from one targeted screening process is used as a basis (or at least a partial basis) for determining a category for a subsequent screening process to tailor a device’s threshold to avoid one or more of an overly burdensome threshold, an unduly low threshold, or misapplication of a threshold relative to relevant information. In some examples, this is done in a manner that obfuscates what is occurring (e.g., variation in device threshold level) to promote security. For example, instead of statically assigning devices a high, medium, low threshold, a system under computer control directs individuals to various devices so it is not apparent or readily apparent what level of scrutiny is implemented by a particular device. This can be accomplished in a variety of ways including, but not limited to, text messaging, in app map routing, outputting a signal to an access control device, outputting information via a GUI on a display to personnel working with the system and so forth.


In an example, a first AIT (AITs are illustrated as scanners 218A-218C) is associated with a threshold that is higher than a second AIT that operates at another (lower) threshold. This may apply through “N” number of the same or functionally similar devices, although those of skill in the art will appreciate that some of the devices belonging to the class (e.g., AIT) may implement the same or substantially similar thresholds (customized or semi-customized thresholds). These thresholds can change under computer control based on a variety of factors as defined by a variety of parameters associated with hardware/software implemented in conjunction with the system.


For example, as illustrated in FIG. 2B, the illustrated system routes the passenger to area “N” associated with a magnetometer 218D based on his low-risk aggregate observations status as determined by the cloud service 222 and/or the availability of resource, e.g., the magnetometer 218D has a short line or is not being used. As illustrated, a physical access control, such as an e-gate 216A opens based on a determination by the cloud service that the passenger indeed is associated with an admirable “low risk” security status. In some examples, the e-gate opens automatically based on the presence of the passenger’s phone 206 approaching or adjacent to the e-gate. For example, having previously established through 1:1 biometric matching that the passenger 202 is associated with a particular smartphone 206 during an identification screening process or aggregate observations, the smartphone 206 and the e-gate 216A communicate (either directly or via cloud service) so the e-gate opens responsive to the location of the passenger or his phone. Those of skill in the art will appreciate that the order and combination of screening process may vary based on a variety of criteria and may do so on an individual basis.


For example, the aggregate observations information of an individual and/or associated item(s) is used to directed him/her to one or a plurality of different types of targeted screening devices. The first targeted screening interaction may be with a personal screening device (e.g., AIT) or with a screening device for an item associated with the individual, e.g., a CT scanner for checked luggage. In embodiments, an overall system, such as one for a collection of screening related devices is configured to account for variation in process, so in the former case, the aggregate observations information is used as the sole basis for determining what category and correspondingly what threshold to which the individual belongs. In the latter case (presuming the individual proceeds to personal screening after the CT), the algorithm implemented by the cloud service 222 factors the outcome of the CT screening as part of determining to which area or AIT (implementing a particular threshold) the individual is to be directed. Thus, the output of the CT may be used as a factor (such as a weighted factor) in cloud service/algorithm calculation to determine what AIT is to be applied by an optimization algorithm routing individuals/items through the various devices. Other algorithms can use different approaches for this determination, e.g., heuristics, artificial intelligence, deep-learning artificial intelligence.


In other examples, a particular outcome (e.g., fail, anomaly detected) dictates a particular threshold as calculated by the algorithm for a subsequent screening process, e.g., an “if then” decision is calculated based on the occurrence of or responsive to an event or set of conditions. In situations such as this, the algorithm routes an individual to a personal screening device for targeted screening based at least in part, if not solely, on the output of a previous screening process. As should be apparent, a computer resource doing this by implementing a routing algorithm that calculates a route based on a variety of factors that then is electronically communicated to, for example, the individual’s smartphone that may render the routing in a display as a map, a set of logical instructions, and so forth. Computing tasks can be allocated between the computing resources in the system and/or the individual’s smartphone in embodiments.


The respective devices can be reconfigured on a dynamic basis to implement other thresholds based on factors including analytically predicted factors based on historical or artificial intelligence (AI) determined predictive analytics. In contrast, another person, “Owen,” in a similar circumstance may be routed to an AIT operating at a “medium” threshold based at least partially on his aggregate observations information or lack thereof (e.g., distributed sensors do not produce any observation data for Owen who is assigned to medium risk screening).


For example, while three CT scanners 218A-218C operate at comparatively “high,” “medium,” and “low” the CT scanners may be constructed to function and/or capable of functioning within the entire range of available thresholds or a subset thereof. In this way, as the demand based on categories changes, a system implementing the devices or combinations of devices can dynamically reconfigure to accommodate demand to maintain a predetermined throughput, such as average screening time. This can be done automatically based on the individuals/items that are to undergo the screening process. Although high, medium, and low thresholds (relative to one another) are discussed, it is to be apparent that the devices, systems, and methods can implement any number of different thresholds (e.g., through “N” levels) in conjunction with this disclosure and the threshold can change based on design preference and so forth as recognized by one of ordinary skill in the art. While substantially similar devices (CT scanners) are mentioned, those of skill in the art will appreciate that functionally similar technologies can be implemented X-ray backscatter, magnetic detection, and so forth.


For example, a magnetometer is implemented to scan individuals for objects that generate magnetic anomalies, such as weapons for someone associated with a low category or threshold, while an individual associated with a higher level is directed, such as by an automatic e-gate to an area associated AIT that operates to a higher level of scrutiny relative to the magnetometer.


The computing resource 140 can determine, by application of a computer-implemented algorithm, and assign one of a plurality of areas 232-238 (illustrated as areas AN). These areas can correspond to screening and other devices, such as luggage sorting system, included in the system. In embodiments, the computing resource/cloud service communicates information about the area to which the item or individual is to go. The computing resource 240 is communicatively coupled to the system components within the predetermined location by a communication network 220. In the illustrated example, the smartphone 206 is communicating with the network 220 via local Wi-Fi, although in alternate examples the smartphone 206 can establish communication with the network 220 via a cellular connection to a telecommunications provider. A cloud-based service such as that of cloud service 222 can provide the functionality of the various systems and resources.


Referring again to FIG. 2B, the plurality of areas 226A-226D may be associated with, for example, a geographic location such as an airport, a testing location, department of motor vehicles, or border checkpoint where one or more individuals and/or items such as travelers and luggage are presented for a targeted physical screening process in which distributed sensors aggregate observations information is implemented to determine which category and corresponding dynamic threshold is to be applied during the targeted physical screening process. Multiple areas 226A-226D (areas 1 to N) are illustrated, and a given area can involve a different threshold of screening process to be applied. In some embodiments, an area (e.g., Area “1” 226A) is referred to as a predetermined geographic location corresponding to an area designated in an electronic manner, such as through electronic “fencing” that uses global positioning system (GPS) and/or electronic beacon technology (e.g., wireless beacons), which are used to define whether a given location of the mobile device 206, e.g., smartphone, falls within the predetermined geographic location corresponding to the given area. In some embodiments, a predetermined location corresponds to a building, a space (e.g., a room or area) within a building, an outdoor area bounded by a fence, and the like. While the above example in FIG. 2B illustrates a targeted screening process applied to an individual, an identical process, illustrated in FIG. 2C, can utilize the same dynamic threshold level (Low, Medium, High) above used for travelers applied to the traveler’s checked and carry-on luggage. Devices in or associated with different areas can scan the traveler’s items differently depending upon the level of threat determined appropriate for the traveler. For instance, the system may assign a threat classification to the subject (traveler or associated item), based at least in part on the distributed sensors aggregate observations information and/or result of a prior targeted screening, and perform subsequent targeted screening based at least in part on the threat classification.


Referring again to FIG. 2C, in the illustrated embodiment the smartphones are used to direct the item, e.g., an individual in possession of his/her smartphone, to a given area A-N 232-238 to undergo a targeted physical screening process to a threshold corresponding to that given area.


The environment can include one or more beacons 224 (such as those compatible with 802.11 wireless local area network or BLUETOOTH standards for identifying that a device (a smartphone, tablet, etc.) within the local environment 200A-200C. The beacons 224 in embodiments are constructed to provide additional functions, e.g., function as wireless (Wi-Fi) routers for general or dedicated uses to provide information for screening, alerts, routing instructions, etc. It is to be understood that various components within the system can be varied, structures substituted in place of or in addition to those described. While geolocation via radio type signals is discussed, the system can employ GPS technology to provide substantially the same functionality, such as through use of included GPS positioning hardware/software in the smartphone and/or the mobile communication service provider. Example commercial providers of geo-location technologies/beacon systems include, but are not limited to, Beacon Micro, LLC (St. Louis, MO); Bluvision, Inc. (Fort Lauderdale, FL); and Cisco Systems, Inc. (San Jose, CA).


Other technologies can be used in conjunction with a system and devices of the present disclosure to locate a mobile device 206 within the local environment and relative to the various areas, e.g., triangulation of the device’s location. In an example, a traveler uses an RFID reader (such as by placing his/her electronic passport containing an RFID chip) to identify that he/she is present within the local environment and/or to supply information to the system 300. In the previous example, the passport functions as a token of the individual.


In some instances, the individual’s location is authoritatively or at least partially authoritatively established by obtaining information (such as a PIN or other information likely known only to a particular individual, e.g., challenge questions) via the device that is affirmatively identified through geo-location to be at the environment. For example, a smartphone is used to ask a traveler to input a PIN or provide responses to knowledge questions to establish and/or confirm that the traveler is accessing the portable device that is determined to be within the local environment. In the previous example, the system, e.g., the computing resource 240, can establish that the smartphone 206 is present in the environment, and that an individual that is aware of an associated PIN is likewise present.


Referring again to FIG. 2B, in examples, the targeted inspection or screening environment 200B may comprise multiple predetermined areas 226A-226D supported by a computing resource 240 that is geographically co-located or arranged/configured to promote efficient operation of the system/devices within the local environment relative to other resources in the system based on operational parameters. For instance, a server and corresponding communication resources and so on are established at an airport to facilitate efficient communication, information access, and so forth. Embodiments are also contemplated in which the system implements multiple computing resources, e.g., servers dedicated to portions of a predetermined environment such as a particular terminal in an airport. In some embodiments, the functionality associated with the computing resource 240 is provided in a distributed manner, such as in a cloud or virtual type configuration.


In embodiments, systems, devices, methods, and approaches associated with the plurality of areas are constructed to be part of one or more physical screening processes. Example physical screening processes include border control screening, transportation screening, testing, licensing, and so on. The local environment including the plurality of areas 226A-226D can be an airport, a port of entry (which may be at an airport, a sea port, or land) operated by U.S. Customs and Border Protection (CBP), a checkpoint such as a TSA checkpoint, a test facility, a department of motor vehicles location, or the like. In such instances, the hardware, software, processes, and methods may be configured to accommodate requirements of such physical screening processes. The methods, procedures, and techniques implemented by the systems, devices, and/or components can be based on or at least partially based on a category and/or threshold corresponding to the item and associated with a level of scrutiny the item will undergo in the physical screening process.


The use of areas 1 to N 226A-226D and areas A-N 232-238 permits respective areas to contain different personnel and electronic devices as needed to implement an assigned level of inspection or screening (to a particular level of intrusiveness) applied as individuals and items are processed. These different resources include the scanning devices themselves, thus allowing a mix of devices that matches the individual’s and items’ required level of inspection and allowing for a more efficient utilization of difference resources relative to applying a ubiquitous level. These different resources may include operators and staff possessing different skills and training as needed.


As illustrated in FIG. 2C, the local environment 200C includes a baggage sorting system 244 communicatively coupled by a network 220 to cloud service 222 and computing resource 240, which can be located at a predetermined area, e.g., port of entry, a TSA checkpoint, checkpoints for a particular terminal, an airport, and so on. The baggage sorting system 244 can utilize CT scanner 212 that is configured to implement dynamic thresholding discussed above to the traveler’s luggage 204.



FIG. 3A illustrates an embodiment of a traveler being processed through a security checkpoint according to the present disclosure. In this example, a traveler 302, arrives at an airport to begin a trip. As discussed above, he can check in for his flight using a smartphone 306 which performs an identification of the traveler using biometric information received by the smartphone. The smartphone 306 obtains its geolocation as discussed above and communicates with the computing resource 340 while performing the electronic handshake of FIG. 2B. The traveler 302 as illustrated arrive with a piece of checked luggage 329 as well as a carry-on bag 330 that accompanies him onto the aircraft in the passenger compartment. Meanwhile, the distributed sensing system 120 may communicate the sensor data and location information of the traveler 302 or associated item to the computing resources 340 until the traveler 302 or associated item reaches the security screening area. The computing resources 340 may track the traveler using an assigned unique ID or his smartphone 306. Again, while tracking may be anonymous, to establish the chain of custody, the individual observations need to be definitely linked to the traveler. Traditional identifying technologies (e.g., facial recognition and biometrics) may be used to match observations but not to tie back to a specific identity. Biometrics may be used as criteria for re-identification, without linking the data to a specific individual identity such as a name or biographical information.


As illustrated, upon completion of the location identification handshake with the smartphone 306, the cloud service 322 transmits a welcome message 346A to the traveler’s smartphone 306 indicating the completion of the electronic handshake. Computing resource 340, such as the one illustrated as supporting a localized cloud service, can also retrieve aggregate observations information 348 (and optionally historical information) associated with the traveler 302 previously obtained and stored for use. The historical information can also identify associated individuals, e.g., those in his traveling party. The computing resource or cloud service can access similar information traveling companion from, for example, a data structure associated with one or more of the computing resource 340, a central computing resource, cloud service or third-party computing resources 328A.


The cloud service 322, for example, determines to which category the traveler and his associated items belong by calculating a risk score corresponding to a category that indicates an extent to which a targeted physical screening processes will be applied. For example, the cloud service implements an algorithm to weighted score whether the traveler belongs to one of a low, medium, or high category based at least in part on the aggregate observations information, especially if a previous targeted physical screening has not occurred for this occasion. For example, a computer algorithm assigns a risk score based on various factors indicated in the available data and then weighs the individual item scores based on the extent to which each item is indicative of the category to which the individual or item belongs. For instance, a traveler with an aggregate observations information without any derogatory indications may receive a score that places him/her or associated items in a low category while an individual with moderate risk associated with the aggregate observations information is assigned a medium category. While the computer-implemented algorithm may use other factors in calculating the score, solely for the sake of example only, the aggregate observations information is used to determine which category the computing resource should assign. It is to be apparent that other computing resources within the system may be constructed to have this capability, e.g., cloud service, a central resource, computing resources included within devices such as e-gates. As discussed above, an example set of category values correspond to a Low, Medium, and High. Of course, the computing resources in such a system could implement any number of categories to distinguish various levels of intrusiveness that are applied by devices as part of physical screening or as part of procedures implemented to conduct screening (albeit perhaps with the same, substantially the same, or similar goals).


As also illustrated, cloud service 322 may transmit a second message 346B to smartphone 306 directing its user to location (Area “A” 354) for checked luggage 329 if he has checked luggage. The second message 346B may contain directions to the drop off location or area 354 displayed in a map output on a display included in the smartphone. The drop off location or area 354 corresponds in this instance to a scanning device (e.g., CT scanner) corresponding to a category with the determined threshold for his luggage 329 based on the algorithm’s calculation. Although the category for the luggage likely will be the same or similar to that the cloud service assigns to traveler himself, it should be recognized that it may differ based on available information. For example, the cloud service 322 assign four pieces of checked luggage a “high” category because the corresponding individual is making a one-day trip, while another similarly situated individual making a two-week trip with four pieces of luggage may rate a “medium” category and receive less invasive screening.


In embodiments, the computing resource 340 transmits to the applicable device (in this case a CT scanner for luggage) an applicable threshold to be applied, e.g., instructions to set physical or software limits, such as a detection level of automatic threat detections software. This may be done for each targeted physical screening that is to occur, substantially all targeted physical screenings that are to occur, when a device is to change operating parameters (e.g., when a threshold is to change for a device) and the like. The foregoing communication may occur at various times which include, but are not limited to, in response to a determination, communication of information indicating the individual or item is ready to be screened (e.g., an e-gate scanning the traveler’s driver’s license). For example, due to an influx of low category items to be scanned, the cloud resource communicates instructions that are used to change an operating parameter of a screening device. Examples of the foregoing include increasing the device’s sensitivity or other setting, implementing an algorithm that increases security, or the like as understood by one of skill in the art. In another example, a cloud service, or the device itself under control of the cloud service, sets a device threshold in response to geolocation of a mobile device within a predetermined area adjacent the device. The device which is to change its operating parameter can be configured to do so responsive to the communication; at a later time (e.g., after two minutes); or upon occurrence of an event, e.g., scanning a mobile driver’s license on smartphone 306 or an RFID included in a tag or label associated with an item like luggage or a package.


Alternatively, instead of communicating with the traveler’s smartphone 306, wayfinding can be performed by a security officer or an access control device (e.g., in the form of an automated GUI device such as a kiosk) to direct the traveler 302 to the appropriate level of targeted screening. The security officer or access control device relies on the information such as the distributed sensors aggregate observations information to direct the traveler 302 to the appropriate targeted screening.


In an embodiment, responsive to the traveler 302 dropping off his checked luggage at Area A 354, the system recognizes that it is associated with him. For example, a luggage drop device associates the traveler (individual) with a luggage tag including a barcode or a radio frequency identification tag responsive to, for example, a reader scanning the traveler’s driver’s license. This relationship (item to a related individual) may be stored in a data structure, such as a database, associated with the cloud service/computing resource, the central resource, or third-party resource, and done so through use of a unique identifier that is maintained in, for example, a record in a relational database. This process can include an individual interacting with a touchpoint, electronic devices at the drop off location capable of obtaining biometric information from the individual. In embodiments, a reader, such as an optical document reader or RFID reader included in the system, obtains this information from a boarding pass when the traveler checks in, from government-issued documents such as a driver’s license or passport, or from similar items. In other instances, information from the document is used to identify a source of information. For example, information from a machine-readable zone (MRZ) is used to locate the underlying information in a database included in or made available to the system. These approaches may be expanded to the use of the mobile device itself, e.g., a mobile driver’s license.


Once the traveler’s identity is determined and matched with corresponding information accessible by the cloud service 322, the system accepts the luggage. The individual 302 via his/her smartphone may be directed to a second area (Area B 358) for targeted personal security scanning and/or and physical screening of items closely associated with the individual (e.g., carry-on items) based on an assigned category which may be in part based on the aggregate observations information and/or an outcome of a risk determination calculated from targeted physical screening of the checked luggage 329. In some instances, a display device or speaker associated with one or more of the electronic device (e.g., CT device 212), a touchpoint, or a smartphone is used to provide a prompt as to a next area to which the item or individual is to progress, e.g., Area B 358.


The output information 350 generated by the scanning of checked luggage 329 may be used within the scanning area if further inspection of the luggage is appropriate. The output information 350 can also be transmitted to the cloud service 322 for analysis including comparison with the aggregate observations information 348 (and optionally historical information) and the first traveler category and/or as data used for determining through computer calculation performance of or a setting of a device for a later screening process. The cloud service 322 can adjust a category used on subsequent scanning processes if additional screening is determined to be appropriate by the cloud service. For example, the scanning of checked luggage 329 may indicate a more intrusive inspections is to be applied, such as if the first screening process yielded a fail or an anomaly as determined by the cloud service based on the inclusion of anomalies or items/areas of concern as determined by automatic threat recognition software implemented in conjunction with the scanner, e.g., an X-ray, CT scanner.


The cloud resource 322 can update the category for targeted personal screening using one or more of the aggregate observations data 348 (& optionally historical information) and the output information 350, as illustrated in 352. The cloud service 322 in this scenario transmits (electronically) the resulting category to a device use in conjunction with the later or second targeted screening. In the illustrated example, this is a computing system controlling the AIT 318. The cloud service 322 can communicate this information in response to completion of the first targeted screening process or in response to occurrence of an event, such as an individual arriving at an area associated with the subsequent targeted screening (e.g., geolocation of the traveler’s phone in the area (area “B”)), scanning a token (such as a boarding pass, identification document (whether physical or electronic)) or the like.


In examples, the system may generate an adjustment instruction operable to change a setting of a device implemented in the physical screening process, responsive to a calculation by the computing system that an amount of time for the physical screening process exceeds a predetermined time. The setting may include a setting of at least one of an iris scanner, fingerprint scanner, palm print scanner, slap scanner, facial scanner, x-ray scanner, full-body scanner, voice print scanner, gait scanner, millimeter wave scanner, backscatter scanner, or infrared scanner.


In additional examples, the system may calculate an anticipated amount of time for the item to pass through the physical screening process, and responsive to a determination that the time exceeds a predetermined amount of time, generate an alternative configuration of physical resources implemented in the physical screening process and iterate the calculation to determine if the alternative configuration yields an anticipated amount of time that is within the predetermined time. If the time for the alternative configuration is within the predetermined time, then the system may electronically communicate to a physical resource included in the physical resources at least some information associated with the alternative configuration. Then, the system (i) may electronically communicate information that indicates a different area to the electronic device, the different area corresponding to the category based on the alternative configuration; or (ii) responsive to a determination that the area is associated with a higher threshold in the alternative configuration in comparison to the threshold for the category and that the item is in the area, may permit the item to be screened in accordance with the higher threshold in the alternative configuration.


Coextensive with completion of a previous targeted screening process, an individual may receive a message, via a GUI output on a display included on his smartphone 306, with directions to an area or device for a next targeted screening process. In some embodiments, a message is an inquiry that in reply to user response provides directions. For example, responsive to receipt of one or more pieces of checked luggage, the cloud service messages the passenger’s phone asking whether he has carry on luggage. The cloud service’s directions in embodiments is at least partially based on the received response. For example, the cloud resource returns directions to an area corresponding to a passenger screening queue (Area B) if the reply indicates he has no carryon, while the message includes directions to a CT scanner if the response indicates he does possess a carryon. Again, the functions of the smartphone may be performed instead by a security officer or an access control device.


As illustrated, for targeted screening, an individual is routed to a personal screening device, e.g., MMW scanner 218. Responsive to location detection indicating the individual and/or his/her smartphone’s arrival, or for example a check-in procedure, indicating presence in area B, a personal screening device such as an MMW scanner is used to scan him/her for unauthorized items carried on his/her person. For example, a magnetometer (a suitable personal screening device) is implemented to screen for metallic items. The personal screening device in some instances implements a threshold that corresponds to a category to which the individual belongs. In an example, the individual is routed to the particular device or area as it is already associated with the particular category or threshold to which the individual belongs, e.g., the cloud resource routes a medium category individual to an AIT machine already (preexisting) operating a medium level by electronically communicating directions and/or a map to the traveler’s smartphone. In other examples, the system instructs a screening device to implement a particular threshold corresponding to the traveler’s category in response to a determination (such as based at least in part on the output of a previous screening). The system (cloud service) can communicate instructions to the device to alter its threshold in response to output from the previous process (e.g., process 1); when the system issues a communication to the individual’s smartphone, or in response to the presence of the smartphone in an area associated with the subsequent process or device (geolocation), in this case area B; in response to a check-in procedure corresponding to the area or device, e.g., scanning a barcode, issuing a communication (clicking a button), or the like as understood by one of skill in the art.


One of ordinary skill in the art will recognize that the order in which screening processes are performed (e.g., checked luggage, carryon, individual screening) can be varied or conducted in any order (including co-extensively or substantially co-extensively) based on the aggregate observations information and/or information output from a previous targeted screening. The type of electronic devices used in each of these scanning processes may be changed to provide the level of inspection needed to obtain a desired level of security considering the information known about the traveler and his or her items. Categories and thresholds may be customized or semi-customized based on one or more of aggregate observations information, historical data, output, device parameters, device configuration, or security level. The screening procedures and devices used can vary based on operational scenarios as understood by one of skill in the art.


Turning to FIG. 3B, a computing resource 340 in addition to other aspects of this disclosure are illustrated in additional detail. The computing resource 340 is shown as a physical computing system (e.g., a server that supports one or more mobile devices (smartphones 306A-N)), devices included in the system (electronic devices such as AIT machines, CT devices, magnetometers, cameras including cameras enabled with biometric capability, electronic gates, access control devices, beacons 324), or the like as contemplated by one of skill in the art. Although illustrated as a server type computing system, multiple servers or the computing resources within devices may be used to provide the described hardware/software as a cloud type service, such as that illustrated as cloud service 322. This may be done for a predefined location (e.g., an airport terminal, port of entry, security lane, department of motor vehicle station, a physical location). While the computing resource 340 is described in physical proximity to other system components, it should be appreciated that this may be done to ensure the computing/electromechanical devices forming the system include resources that meet predefined functional criteria such as computing capability, memory capacity, communication throughput, response times, and so forth based on pre-established performance criterion.


As illustrated, the computing resource 340 includes one or more communication units 360, processors 362, and memory, illustrated as “local memory” 364. The communication unit 360 is representative of one or more devices able to electronically communicate information to/from other devices and components including in instances those included in or external to the system. Example communication units include but are not limited to wireless modems (such as an 802.11 compliant unit), wired (e.g., Ethernet-ready) or other such communication interfaces, near field communication (NFC) transceivers, and/or a cellular communication transceiver. Example 802.11 compliant modems/cards include but are not limited to those compliant with 802.11n, 802.11ac, 802.11ad, 802.11ah, 802.11aj, 802.11ax, and the like wireless local area network standards promulgated by the Institute of Electrical and Electronics Engineers (IEEE), New York, New York. As will be appreciated, the communication units can be used in a variety of combinations and arrangements based on operation parameters and design preference, to communicate with system components and resources (e.g., third party computing resources) external to the system. In embodiments, communications unit 360 includes a combination of hardware and software, while the processor 362 can support the communication unit; in other instances, a dedicated processor is included in or with the hardware that forms the communication unit 360.


Although a single processor and memory are illustrated, the computing resource 340 can be constructed with multiple processors and memory based on design preference. The processor 362 is representative of hardware configured to process computer executable instructions, such as a central processing unit that executes a program of instructions. In embodiments, the processor 362 implements an operating system which is a set of computer executable instructions that allows the processor to perform specialized instructions according to a program running on the operating system/processor platform as described consistent with this disclosure.


Local memory 364 is representative of a wide variety and types and combinations of memory suitable for storing information in an electronic format. Example memory includes, but is not limited to, random access memory (RAM), hard disk memory, removable medium memory, flash storage memory, and other types of computer-readable media including non-transitory data storage. For example, local memory 364 stores a variety of information obtained from the central resource, mobile devices, devices used for physical or identity screening, touchpoints, and so forth. Although local memory 364 is illustrated as within the computing resource 340, in some instances, local memory 364 includes an array of memory devices, such as in a RAID configuration.


In embodiments, local memory 364 is constructed to hold information, such as historical/planned trip information, aggregate observations information, category determination, device threshold information, device output information, information obtained from third parties including “pulled” or “pushed” information, for a predefined period of time, e.g., for 24 hours prior to an anticipated transaction, 24 hours after a transaction. In some instances, under control of the processor (e.g., the management module 368) the local memory holds a summary of information for a transaction or series of transactions. For example, after a predetermined amount of time or on occurrence of an event, the processor generates a summary of a transaction which is retained in memory while physical memory related to comparatively more detained information is deleted or released for reuse (writing over with other information). Local memory 364 may release information from memory after a predetermined time, occurrence of an event (e.g., the central resource confirming it has information for a transaction), or the like. In an example, the processor 362 is configured to control the memory contents (e.g., wipe or overwrite the memory) based on various such predefined or triggering events. Local memory can be configured in a variety of ways based on design preference, performance considerations, and so forth. For example, the computing resource 340 holds information in a registry that is refreshed upon the occurrence of a predetermined event or expiration of a time period.



FIG. 3B illustrates the computing resource 340 including various modules that are representative of hardware/software that are constructed to provide the described capabilities such as through execution of a program of instructions that when implemented by hardware function in the described manner. In embodiments, modules are logical combinations of hardware and software designed to electronically perform the described functions and support objects (instances) such as through operation of instructions that cause the hardware to provide the described function. In embodiments, the individual modules interact through one or more application program interfaces (APIs) that permit interaction and passing of information between the hardware/software forming a particular module with that of other modules and data structures, e.g., databases. In some instances, the modules or subgroups of modules are integrated into a unitary program of instructions based on design preference. The software can be embodied as a program of instructions stored in memory (e.g., non-transitory memory) that is accessible to the processor at runtime, or execution. In instances, hardware supporting the modules includes an operating system, which can be stored in memory, on which the described modules function.


As illustrated, the computing resource 340, supported by the processor 362, includes geolocation module 370, identity module 366, observations module 367, and management module 368. While shown and described as individual modules, the supporting hardware/software can be configured as an integrated program of instructions to provide the described functionality, such as through the use of application program interfaces (APIs) that permit individual programs to interact such as by passing information to one or more other programs and provide one or more graphical user interfaces (GUIs) output on a display to a user to access information or exercise control over the front end system including touchpoints, beacons, biometric capture devices, and other resources, e.g., electromechanical devices used for physical screening, identification of individuals, access control. It is to be appreciated that the described modules can provide this service as part of, for example, a localized cloud service used to support one or more physical screening devices (e.g., communicatively interconnect connected by network 320) or procedures as described throughout this document and as understood by one of ordinary skill in the art.


The illustrated geolocation module 370 represents hardware/software constructed to provide location services. For example, the geolocation module 370 includes software, implemented by hardware, configured to geolocate a smartphone by calculating a device location (or receiving a calculated location from, for example, a beacon) and electronically comparing a reported or determined location to, for example, a lookup table registry of geolocations that are predefined to geographically identify whether the smartphone is within a predefined area, such as an airport, a checkpoint, a port of entry, a queue line, a baggage drop, a room, an area associated with a device such as a physical screening device, a testing station, an area defined by electronic “fencing,” (such as defined by coordinates) and the like as understood by one of skill in the art. Although Wi-Fi based geolocation and systems are referenced, those of skill in the art will appreciate that various positioning systems can be used; these include, but are not limited to, GPS, cellular positioning, Galileo global navigation satellite system (GNSS), magnetic based positioning system, inertia based positioning systems, near field communication (NFC) positioning systems, and combinations thereof.


In other examples, the geolocation module 370 performs this location identification based on whether or not the mobile device is in electronic communication with one or more wireless type communication transceivers, such as Wi-Fi router with a predefined “limited” distance communication capability. They include but are not limited to BLUETOOTH or NFC with a one-hundred-foot operable range, or a low power cellular transceiver with an effective range that corresponds to the area to be “fenced.” In this way, the computer resource associated with the wireless communication devices does not calculate an actual location (e.g., a precise or semi-precise location based on operating parameters), such as through triangulation, of the mobile device, but it is “presumed” due to the device’s effective range, e.g., received signal strength indication (RSSI) and the mobile device being in communicative contact with one or more transceivers. For example, the computing resource 340 determines that a mobile device is within ten meters or thirty-two feet of a BLUETOOTH transceiver as this is the pre-established effective range of the transceiver and it is in communication with the mobile device. In embodiments, the geolocation functionality described in relation to the computing resource is provided in a distributed fashion (e.g., round robin, localized hand-off, first in first out) with, for example, a computing resource for a checkpoint lane (under control of the cloud resource/computing resource) making the location determination using a geolocation module as described to make a decision based on wireless sensor/beacons/etc. for that lane, area, or physical screening device such as a MMW scanner.


In some instances, a reported location is a location reported by a mobile device, such as a smartphone, a smartwatch, or the like, e.g., “self-reported.” In this instance, the mobile device calculates its position and reports it to, for instance, the cloud service 322. In other instances, the system obtains location information from a device other than the device being located. For example, one or more Wi-Fi beacons report a location associated with a smartphone in communication with one or more of the beacons, e.g., three beacons to triangulate the device’s position. This communication may be for establishing the smartphone’s location or may be an ancillary to, for example, communicating information with the system. In another embodiment consistent with this disclosure, computing resources associated with the beacon or a location subsystem of the system determines that a mobile device is within an area (e.g., a predetermined area) and electronically communicates the status of the mobile device to the computing resource 340, e.g., present or not present.


The foregoing Wi-Fi (WPS) triangulation can be done in place of or in addition to permitting the smart (mobile) device to self-report its position with, in some instances, the geolocation module 370 electronically determining the mobile device’s position. For example, the geolocation module 370 is configured to permit the smartphone to initially self-report its location (e.g., arrival in a general location), while system components and the geolocation module 370 make a location determination whether or not the smartphone in predetermined other instances, e.g., an electronic determination as to what threshold the computing resource 340 instructs a magnetometer to use. The foregoing can be done when, for instance, increased accuracy or security is a factor. An example of the latter is when an individual or an item is directed to a particular location for physical screening or identification. In an instance such as this, the system uses Wi-Fi beacons or routers as the basis of location information to promote security (e.g., avoid location spoofing), increase accuracy (e.g., in comparison to GPS geolocation), assist an individual (wayfinding), due to technological limitations (e.g., a cellular dead zone), or the like. For example, the system includes an RFID reader constructed to determine the presence or absence of a tag (and therefore an object to which the tag is connected) in an effective area for the reader. Those of skill in the art will appreciate that computing resources associated with the Wi-Fi beacon or router can preprocess or handle some of the processing tasks described in conjunction with the geolocation module 370 in some embodiments in accordance with this disclosure.


Moreover, the geolocation module 370 can provide location information on a periodic basis (e.g., every minute), in response to a request (e.g., a request by the management module 368 for location information), or upon occurrence of an event, e.g., a person/smartphone leaving a test center check-in area, a mobile device moving more than ten feet from a currently calculated position, the mobile device or a beacon reporting a velocity change greater than a pre-established threshold. An example is a beacon updating a table or registry in response to a mobile device moving more than five feet from a previously calculated position within a minute.


With continued reference to FIG. 3B, the illustrated identity module 366 is optional and represents hardware/software configured to provide identity services for a variety of purposes in accordance with the present disclosure. For example, the identity module 366 provides identity information that the management module 368 interrelates with geolocation information, so the location, direction of movement, and so forth for a mobile device are connected to its identity (device or individual), such as in a relational type database. The observations module 367 represents hardware/software configured to provide observations services. For example, the observations module 367 receives and processes the distributed sensors aggregate observations information from the distributed sensing system 120.


In the foregoing and other implementations, the identity module 366 and observations module 367 each act as a service or under control of the management module 368. The identity module 366 and observations module 367 can forward information using a variety of approaches, such as but not limited to, communicating identity/observations information to the management module 368 on a periodic basis, responsive to a request from the management module 368 or geolocation module 370, on occurrence of a predetermined event (e.g., upon the geolocation module 370 indicating the mobile device moved a predetermined distance).


For example, the management module 368 intermittently or upon occurrence of an event combines identity information and/or observations information supplied by the identity module 366 and/or observations module 367 with its category determination and forwards the information to a resource associated with a checkpoint (e.g., an identity management computing system, or screening device with identity capability). The management module 368 can do this so that (i) the identity management system can compare identity information supplied by the mobile device as part of an electronic handshake procedure with that from the management module 368 to confirm that the device and individual associated with the device are to use particular resources/be screened to a corresponding invasiveness level and/or (ii) the management module 368 uses the distribution sensors aggregate observations information as the sole basis or partial basis for determining the threat or risk level of targeted screening to which the individual and/or associated items will be subjected. In this scenario, the identity module 366 and observations module 367 each supply the identity information (e.g., SIM card number) and aggregate observations information in response to a request from the management module 368. In other scenarios, the identity module 366 and observations module 367 each periodically “push” identity/observations information. The identity module 366 and observations module 367 can push information at a predetermined time or they can do so responsive to an event other than a management module 368 request. For example, in response to an individual’s clearing customs (e.g., exiting a port of entry inspection area), the geolocation module 370 can update a table configured to hold last known position and identity/observations information for the mobile devices interacting with the system. In this instance, the geolocation module 370, identity module 366, and observations module 367 update a temporary registry with location and/or identity/observations information.


Other scenarios are also contemplated within the understanding of one of skill in the art. For example, individual screening devices may include integrated identity management functionality to control which individuals are permitted to use a particular screening device, e.g., an MMW scanner. In other instances, the system includes resources such as electronic gates include hardware/software to control access or direct individuals and items through various screening processes, e.g., to a device used in a screening process.


In embodiments, the computing resource holds this information in, for example, a lookup table in random access memory (RAM) for a predetermined period of time or until occurrence of an event, e.g., the memory is released for reuse and is reused to hold other data. The services of the identity module 366 can be based on the identity of a device (e.g., SIM card number, telephone number, unique identifier, email address), an individual that is interconnected or associated with a device, and combinations thereof. The latter case encompasses users, individuals that possess the particular device, an owner, someone that is associated with the device (e.g., a child being affiliated with a parent’s device) due to a legal relationship (e.g., having a legal relationship with the phone owner, possessor, or user) or a technical relationship (e.g., having a “user profile” on the device), and so forth as understood by one of skill in the art. The computing resource, for instance, directs a particular mobile device and by extension associated individuals to a particular location or device based on identity, whether device or individual identity. In the preceding scenario, the system can implement access control devices (e.g., man-traps, electronic gates) to direct, control, or prevent individuals from taking actions or permit them to take predefined actions, e.g., egress an area/location in response to opening of an electronic gate. In other instances, the management module 368 issues instructions that cause the mobile device to output guidance, such as an audible warning, a map, “turn-by-turn” instructions and so forth.


For instance, the identity module 366 enters a unique identifier (e.g., a telephone number, SIM card number, driver’s license number, passport number, name, date of birth (DOB), or a combination thereof) in a registry as mobile devices present themselves to the system. It is to be apparent that the identity module 366 can assign its own unique identifier to the respective entries or records, it can implement a common type of identifier (e.g., telephone number, combination name + DOB), or implement an ad hoc approach, e.g., use SIM card in some instances while using name + DOB for other instances. In some scenarios, the identity module 366 is programmed to do this in response to the mobile device joining or entering into communicative contact with the system. In other embodiments, the identity module 366 compares provided identity information with corresponding historical information to confirm electronically that asserted identity information matches that held by or made available to the identity module 366 such as by a third party resource; the outcome of this comparison may be used for other purposes, such as setting or being used as information for setting an invasiveness threshold, e.g., use of a mobile device previously associated with a “known” identity as a factor in determining a trust or intrusiveness level.


In embodiments, the management module 368 or the identity module 366 is configured to expire, remove, or overwrite information in the registry, lookup table or data structure at a predetermined time (e.g., anticipated departure of a flight, after twenty-four hours) or responsive to an event, e.g., actual departure of a flight, after completion of final screening, responsive to a device failing to respond to a communication check/heartbeat communication. In some embodiments, the system retains or stores at least a portion of information in (comparatively) longer term storage such as for historical purposes; in other instances the system (e.g., the computing resource or cloud service) is configured to retain summary information or derived information (e.g., a score, anomaly yes/no); in other instances the storage of information is conditioned on user affirmatively indicating he/she wants the system to retain at least a portion of the information. Although variables may be calculated as a score, such as a scalar or vector value, in embodiments a computing resource converts the score into a binary value (e.g., yes/no). Those of skill in the art will appreciate that a data structure associated with a central resource may store historical information such as in memory for or otherwise related to the central resource. In embodiments, in response to user designation, a third-party resource retains at least a portion of the information. For example, a user electronically directs that an airline loyalty system (e.g., a trusted third party) receive at least a portion of the information or information derived from the information for future use as historical information. In situation such as this, the system may retain some information, such as rudimentary transaction information that is less than that retained by the system in other instances, such as a user selecting “opt-in” to participation in the system retaining additional data.


As also illustrated in FIG. 3B, the computing resource 340 includes the management module 368 that represents hardware/software usable by the computing resource to manage interactions of the system with mobile devices and individuals and items associated with mobile device. Example system devices that can interact with items and individual include, but are not limited to, physical screening, identification devices, and items/individuals such as part of an overall process, e.g., a physical screening or identification process. As the reader will appreciate, the functions or services of the management module 368 can be provided as part of a cloud service, such as an integrated cloud service that functions to provide the services supported by the identity module 366, the observations module 367, geolocation module 370, and management module 368. While illustrated in FIG. 3B as part of a computing resource, those of skill in the art will appreciate that the management module 368 function and the services can be supported in a distributed manner with some of the tasks assigned to computing resources affiliated with subsystems or devices integrated into the system. Naturally, the resources providing the function/service can include appropriate software to effectuate this capability. Having provided various scenarios and environments, operation and construction of the management module 368 will be discussed in further detail as will be more fully appreciated in light of the above disclosure and the remaining portion of this application as understood by one of ordinary skill in the art.


With continued reference to FIG. 3B, the management module 368 is constructed to manage routing of items and individuals as they interact with electronic devices, such as electromechanical devices implemented for screening or identification purposes in accordance with embodiments of this disclosure. In embodiments, the management module 368 manages functionalities of the geolocation module 370, identity module 366, and observations module 367 to tailor routing of items or individuals and the settings of devices included in the system. The management module 368 can do this by implementing an algorithm to, among other functions, route or direct items or individuals to areas/locations associated with different targeted physical screening processes (e.g., using electromechanical devices) at least partially based on aggregate observations information that associates the item or individual with a particular level of screening such as that associated with a category, e.g., low, medium, high (relative to one another).


The management module 368 can implement a variety of factors that correspond to or are derived from the aggregate observations information as part of its analysis. Example algorithms implement a variety of approaches for assigning an item or individual a category or a level of targeted physical screening. Example algorithms can make use of Monte Carlo simulation, probabilistic forecasting, predictive modelling, Bayesian probability modeling, event tree analysis, fault tree analysis, artificial intelligence approaches, or Markov modeling. While the foregoing can be done on a per item/individual basis, the management module 368 can implement system wide or resource factors as part of determination on how to direct the particular item or individual. For example, the management module 368 is programed to load balance physical screening devices in order to meet a predetermined time threshold or to achieve an average throughput or throughput time based on a variety of factors associated with the items and individuals to be screened and the available resources. In some embodiments, the algorithm applies the aggregate observations information and/or information from prior targeted physical screening processes as an indicium of potential risk. The foregoing can consider information in relation to capacity and safety along with magnitude and probability.


In embodiments, the management module 368 calls on or can control the identity module 366 and/or observations module 367 and/or geolocation module 370 for information/services as part of its assigned tasks. For example, the management module 368 queries the geolocation module 370 to identify the location of a mobile device associated with a comparatively low risk individual, so the management module 368 can direct him/her via the mobile device to a corresponding “low” invasive screening device that is physical near the location of the mobile device. In some embodiments, the management module 368, geolocation module 370, identity module 366, and observations module 367 are arranged in a client/server relationship with the management module 368 delegating computing tasks, while retaining overall control of one or more of the identity module 366 or observations module 367 or geolocation module 370. Although physical proximity is discussed, other factors can be considered; these include, but are not limited to, device utilization, anticipated or projected utilization, physical proximity of other item or individuals whether actual or anticipated (e.g., an individual is routed to an area/location to avoid an influx of other similarly situated individuals such as the anticipated arrival of a plane carrying a large number of passengers) and so forth.


In another example, while a management module 368 in a cloud service for an airport initially assigns a device, individual, or group of individuals to a particular checkpoint that is made up of multiple lanes potentially implementing different targeted screening procedures and security levels, the management module 368 may hand off or delegate management responsibility to a virtualized cloud service for the checkpoint supported by computing resources available to the checkpoint. Thus, in the preceding example, the computing resource for the checkpoint may route or reroute mobile devices and individuals (associated with mobile devices or unique IDs assigned by the distributed sensing system 120) under its control based on a variety of factors including overall factors relative to the checkpoint. It is to be appreciated that the management module 368 for the cloud service can take over or override control from that of the checkpoint, or the virtualized cloud service for the checkpoint can return control based on existence of a predetermined condition or event for the local environment (e.g., the checkpoint) or for that of the system, e.g., a test facility. For example, the computing resource using the identity module 366, observations module 367, and geolocation module 370 direct an individual 302 via his/her mobile device to a variety of locations (e.g., areas “1-4”) based on the identity of the mobile device (and/or an individual associated with the mobile device) and/or observations information. In the preceding example, upon arriving at a facility, a user can either directly (such as by clicking a “button”) or indirectly (such as by preconfiguring his/her mobile device to participate with the system 300) identify the device and/or himself/herself to the system. For instance, upon arriving at a testing center, a user clicks “participate,” which results in the device sending the system 300 information (e.g., device information such as SIM card number, telephone number, email address, or a unique identifier (e.g., a session or a transaction identifier)). Additionally, or in place of the foregoing, the mobile device (e.g., smartphone) sends the system information about individuals affiliated with the device, e.g., owner, user, individuals in the person’s traveling party and so on. Alternatively, the testing center receives the observations information and the unique ID of the individual/item to be screened from the distributed sensing system 120.


In other instances, the computing resource has (such as stored in memory) or can access information (e.g., from a third-party resource) related to or associated with information provided by the mobile device. This includes, but is not limited to, user entered information or information derived from information existing on or obtainable by the device, e.g., stored testing or travel plan information, profile information, output of a physical screening or identification device or combinations thereof. In some instances, the device itself and/or the system 300 determines the position of device (and as a result, the people associated with the device). With this information, the system 300 can direct the mobile device/individuals based in part on the provided information. This capability is discussed in further detail in conjunction with the management module 368 among other portions of this document.


For example, the system 300, in response to a smartphone presenting itself as being within the predetermined area or the system determining the device is present and the identity of the device, communicates instructions that cause the phone to output, such as on a display included in the smartphone, or offer for output (e.g., “click here for directions to screening area/location ‘1’”). In the foregoing situation, the computing resource 340 may in part do this based on the location of the mobile device (e.g., smartphone), individuals related to the device and the identity of the device itself or of related individuals. In the preceding example, the computing resource (e.g., management module 368) accounts for other information including, but not limited to, system performance, resource availability, capabilities (technical or personnel), information for other item or individuals. In an example, the computing resource 340 wirelessly communicates instructions to the mobile device via a wireless router/beacon such as illustrated as 324 that cause it to output a map on a display included in the mobile device with directions to area/location “1.” Area/location “1” is associated with a bilingual English/French officer because historical information, such as included in a user profile retrieved by the system in part in response to the identity and location of the device, indicates an individual speaks French. The computing resource’s routing determination (as implemented in part by a wayfinding or mapping algorithm) may take into account an actual or anticipated delay associated with, for example, a screening lane associated with area “1.” This is but one example of a computing routine electronically implemented by the computing resource to route individuals.


Those of skill in the art will appreciate that the computing resource 340 including the described modules may be programmed to account for a myriad of factors including competing factors or be capable of synthetically learning (such as through use of machine learning techniques including but not limited to Artificial Intelligence) and applying learned lessons to resolve complex computing scenarios consistent with the principles of this disclosure. For example, software comprising a program of instructions causes the computing resource 340 to implement an algorithm to analyze competing factors (while maintaining a physical screening to a calculated level of intrusiveness) to determine to which location or device the mobile device or person should be routed. While the system can do the foregoing, for example, to minimize wait time or, based on information associated with the individual, in some examples, the computing resource considers information associated with or otherwise related to overall operation, e.g., average wait time, resource availability, distance, economic impact, and so forth at contemplated by one of skill in the art.


Having described example environment, systems, devices, and modules constructed of (in some instances) hardware/software, example methods will be described in further detail. Those of skill in the art will appreciate that the described methods, steps, approaches, and techniques can be implemented by (but are not necessarily restricted to) the above systems, devices, and modules. In some embodiments, the methods, steps, approaches, and techniques can make use of the described hardware and/or software as contemplated by one of ordinary skill in the art. The sample methods are described in relation to particular tasks and corresponding environments. Examples include, but are not limited to, airline screening, driver’s license testing, educational testing, entertainment (sports, concert) safety screening or identification, border crossing.


Reliability of Distributed Sensing Information of Tracked Subject Adjusted Based on Anonymous Chain of Custody Factor

An embodiment is directed to a method which includes receiving distributed sensing information on one or more characteristics, e.g., physical, associated with a subject from one or more sensors of a plurality of distributed sensors distributed between a starting location spaced from a resolution location and the resolution location. The information on the one or more characteristics is obtained from the one or more sensors of the plurality of distributed sensors observing a plurality of candidate subjects including the subject. The collected information can be used to assess and resolve security concerns of the subject without personal identification of the subject or utilizing confidential personal information of the subject. Examples of sensing information may include detected shapes of possible weapons, detected chemicals of possible explosives, suspicious scent detected, etc.


To assess and resolve security concerns meaningfully based on the distributed sensing information, the method takes into account the chain of custody of tracking the subject with the distributed sensors. A chain of custody (“COC”) exists if the distributed sensing information on the one or more characteristics are tracked sufficiently over time from initial detection to the time at which the subject reaches the resolution location (e.g., targeted screening area). A chain of custody factor of 1 (i.e., 100%) can be ascribed to continuous tracking of the subject with an uninterrupted chain of custody. Brief gaps in coverage may be acceptable, especially gaps that are evidently innocuous (e.g., when the characteristics being tracked does not change after a time gap).



FIG. 4 schematically illustrates an example of the tracking of a subject using a plurality of distributed sensors without any break in chain of custody (“COC”) and without personal identification of the subject or using confidential personal information of the subject. The sensing of the subject by sensor 2 starts before the sensing of the subject by sensor 1 ends. The sensing of the subject by sensor 3 starts before the sensing of the subject by sensor 2 ends. The sensing of the subject by sensor 4 starts before the sensing of the subject by sensor 3 ends. If the subject is sensed or tracked by the plurality of distributed sensors, in combination without any break in COC (as shown), the method may assign a COC factor of 1 (i.e., 100%) to the distributed sensing information so as not to adjust a reliability of the distributed sensing information caused by any break in COC.



FIG. 5 schematically illustrates an example of the tracking of a subject using a plurality of distributed sensors with breaks in COC in the form of time gaps in tracking and without personal identification of the subject or using confidential personal information of the subject. For the subject being tracked, a first time gap occurs after the first sensor 2 tracking and the first sensor 3 tracking. A second time gap occurs after the first sensor 3 tracking and the second sensor 2 tracking. A third time gap occurs between the first sensor 4 tracking and the first sensor 5 tracking. The second time gap is a brief time gap that may be acceptable and may have no effect on the reliability of the distributed sensing information, especially when the characteristics being tracked does not change after the brief second time gap.



FIG. 5 also shows overlapping tracking by multiple sensors at the same time. A first time overlap occurs between sensor 1 and the sensor 2. A second time overlap occurs between sensor 2 and sensor 4. A third time overlap occurs between sensor 4 and sensor 6. The overlaps during which multiple sensors collect sensing information from tracking the subject may be considered in determining the reliability of the collected sensing information, as discussed below.


If there are one or more time gaps in the COC (i.e., broken or interrupted COC), the method may determine one or more COC factors of less than 1 (i.e., < 100%) based on the one or more time gaps in the COC and adjust the reliability of the distributed sensing information caused by the one or more time gaps in the COC based on the one or more COC factors. As discussed below, the change in the reliability of the distributed sensing information has an effect on the security concerns of the tracked subject in the form of a trust score of the subj ect.


The COC factors may each be determined based on one or more of: a length of any of the one or more time gaps in the COC, a change in the distributed sensing information after any one time gap of the one or more time gaps in the COC as compared to the distributed sensing information before that one time gap, an extent of the change, a total number of changes in the distributed sensing information from the starting location and the resolution location, a total length of the one or more time gaps in the COC, the total length of the one or more time gaps in the COC as a percentage of a total time from the starting location and the resolution location, and a total number of the one or more time gaps. In an example, a COC factor close to 1 means a negligible adjustment to the reliability of the distributed sensing information while a COC factor close to 0 means a significant or overwhelming adjustment to the reliability of the distributed sensing information.



FIG. 6 schematically illustrates an example of adjusting the distributed sensing information based on COC factors for the tracking of the subject using a plurality of distributed sensors as shown in FIG. 5. In one embodiment, a COC factor is determined for each corresponding time gap of the one or more time gaps and used to adjust the reliability of the distributed sensing information immediately before the corresponding time gap. The method determines a first COC factor 601 for the first time gap, a second COC factor 602 for the second time gap, and a third COC factor 603 for the third time gap.


In the example of FIG. 6, the first COC factor may be used to adjust the reliability of the first sensor 2 tracking information 621 immediately before the first time gap. The second COC factor may be used to adjust the reliability of the first sensor 3 tracking information 631 immediately before the second time gap. The third COC factor may be used to adjust the reliability of the first sensor 4 tracking information 641 immediately before the third time gap.


In another embodiment, a COC factor is determined for each corresponding time gap of the one or more time gaps and used to adjust the reliability of all the distributed sensing information before the corresponding time gap. In the example of FIG. 6, the first COC factor 601 may be used to adjust the reliability of the first sensor 1 tracking information 611 and the first sensor 2 tracking information 621. The second COC factor 602 may be used to adjust the reliability of the first sensor 1 tracking information 611, the first sensor 2 tracking information 621, and the first sensor 3 tracking information 631. The third COC factor 603 may be used to adjust the reliability of the first sensor 1 tracking information 611, the first sensor 2 tracking information 621, the first sensor 3 tracking information 631, the second sensor 2 tracking information 622, and the first sensor 4 tracking information 641.


Reliability of Distributed Sensing Information of Tracked Subject Adjusted Based on Sensing Factors

The reliability of the distributed sensing information may further be adjusted based on sensing factors that are directly related to the sensing equipment and technique. For example, for any given period of time between the starting location and the resolution location, the reliability may be adjusted based on one or more of: reliability of each sensor of the distributed sensors used to collect the distributed sensing information (e.g., resolution or degree of accuracy of sensor equipment or detection technique), quality of the distributed sensing information (e.g., clarity of images captured by the sensors or strength of collected data that indicates a threat), and whether the distributed sensing information is collected by one sensor or multiple sensors of the plurality of distributed sensors over the given period of time (e.g., data collected using multiple sensors, especially sensors of different types, may serve to reinforce analysis of the data; moreover, overlapping sensing by multiple sensors simultaneously may enhance the integrity of the distributed sensing information collected).


There will generally be discrepancies in sensing information among the distributed sensors due to the differences in sensing equipment and/or sensing technology. External interferences or factors may also contribute to such discrepancies. These discrepancies may be addressed by adjusting the reliability of the distributed sensing information based on sensing equipment, sensing technology, external interferences or factors, and the like.


The reliability of the distributed sensing information may be affected by external or environmental factors. The methodology is sufficiently flexible to allow the reliability to be adjusted based on such additional factors. For example, the additional factors may be used as weighted factors to adjust the reliability in a manner similar to the COC factors and the sensing factors, as discussed below.


Trust Score of Tracked Subject

Each sensor measurement, at the time of risk analysis, gets the sensing information and a sensing information reliability. As discussed above, the reliability factor can be adjusted based on one or more COC factors and/or other factors. This matrix of sensing information and sensing information reliability enables the user or operator to perform risk assessment more accurately to alleviate security concerns. One way is to determine a trust score of the tracked subject and use the trust score to assess risk and resolve any security concerns. The following discusses examples of resolving security concerns by applying different levels of targeted screening to the tracked subject based on the COC sensor/sensing information and sensing information reliability. The examples are illustrative and not limiting. Other ways of resolving security concerns are possible.



FIG. 7 is an example of a flow diagram 700 illustrating a method for determining a trust score of a subject based on distributed sensing of the subject. In block 710, the method involves receiving distributed sensing information from distributed sensors sensing a subject. In block 720, the method determines one or more COC factors for the distributed sensing information. In block 730, the method determines one or more sensing factors for the distributed sensing information. In block 740, the method adjusts the reliability of the distributed sensing information based on one or more COC factors. In block 750, the method adjusts the reliability of the distributed sensing information based on the one or more sensing factors (and any other factors such as external or environmental factors). In block 760, the method determines the trust score of the subject based on the distributed sensing information and the sensing information reliability of the distributed sensing information.


In general, a higher trust score results in a lower risk categorization of the subject within lower risk categorization thresholds requiring a lower level of targeted screening, while a lower trust score results in a higher risk categorization of the subject within higher risk categorization thresholds requiring a higher level of targeted screening. For example, discrete risk categories (e.g., low, medium, and high) can be assigned based on discrete risk categorization thresholds (e.g., low, medium, and high). The trust score of the subject (an individual or item or article) means how trustworthy the subject is in not posing a security risk.


An example of performing risk assessment based on the COC sensor/sensing information and sensing information reliability of the distributed sensors involves calculating a weighted sum or a weighted average using the sensing information reliability as a weight function and the sensing information as a component of the overall risk assessment result for each of the distributed sensors. A weighted component is calculated by multiplying the component value by its corresponding weight. The weighted components may be summed to calculate a weighted sum or may be summed and then divided by the sum of the weights to calculate a weighted average. Other ways of assessing risk based on the sensing information and reliability may be used instead.


Next, in the embodiment, the method involves resolving the security concern of the subject based on the trust score of the subject without personal identification of the subject. In specific embodiments, resolving the security concern of the subject based on the trust score of the subject includes performing targeted screening of the subject at the resolution location based on the trust score of the subject and not based on personal identification, e.g., name.


In one example, the method includes comparing the trust score of the subject to a plurality of targeted screening thresholds to determine which category of a plurality of categories is to be associated with the subject for a targeted screening process to be performed. It may further include electronically communicating information for the category associated with the subject to an electronic device, to direct the subject to a location of the resolution location which corresponds to the category, for performing the targeted screening process of the subject corresponding to the category.


A distributed sensors detection of zero to low risk with an uninterrupted chain of custody (COC factor of 1) and factors that support a high reliability of the sensing information will result in a high trust score requiring the lowest level of targeted screening of the subject. Targeted screening does not necessary require an individual or an item or article to be physically searched or electronically scanned or screened. It may mean simply checking the individual’s papers (e.g., ID, boarding pass, etc.) at a checkpoint. If the trust score is sufficiently high, no additional screening is required, for example.


The trust score can be reduced by the component value of the sensing information of each sensor that tracked the subject (a higher value for lower risk detection and a lower value for higher risk detection based on the sensing information). A reduction in the reliability of the sensing information of any of the sensors that tracked the subject may affect the trust score. The component value of the sensing information of a given sensor may be adjusted with the corresponding reliability factor or reliability value of the sensing information. The reliability may be reduced as a result of any break, or detected fault, in the COC (COC factor of less than 1) and sensing factors as well as any other relevant factors as described above.


Risk categorization thresholds can vary based on circumstances, e.g., in the context of travel security, location of the travel venue, time of year, time of day, volume of subjects, recent security threats, types of n number of sensors, n number of sensors, type of venue, layout of the venue, event, the detected information, sensor response. In one embodiment, the method includes setting the risk categorization thresholds in the form of targeted screening thresholds based on one or more of the starting location and the resolution location, physical layout of venue which includes the starting location and the resolution location, calendar date of year, time of day, volume of candidate subjects being observed by the distributed sensors, current events, and recent security threats. This is one way of accounting for external or environmental factors in the security risk assessment of subjects tracked by the distributed sensors.


A “subject” being tracked may have multiple parts. For example, the subject may include an individual and one or more items or articles which are in the individual’s possession of or otherwise associated with the individual or may include a plurality of items or articles that move together as a unit from the starting location and the resolution location. Each part may have a trust score. At the resolution location, the method may deal with the parts of the subject individually in resolving security concerns. As such, they may be separated and directed to different targeted screening locations or queues for processing. If the subject has three parts with trust scores of 0.9, 0.7., and 0.5, respectively, they may be directed to low risk, medium risk, and high risk screening, respectively. Alternatively, they may be kept together as a unit and directed to a screening location, for example, (i) based on an average trust score which is an average of the individual trust scores of the multiple parts in a risk-tolerant approach (e.g., (0.9 + 0.7 + 0.5)/3 = 0.7 resulting in medium risk screening), (ii) based on the lowest trust score of the parts in a moderately risk-averse approach (e.g., 0.5 resulting in a high risk screening), or (iii) based on a composite trust score of the multiple parts which is calculated by compounding the individual risks (e.g., 0.9 × 0.7 × 0.5 = 0.315 resulting in super high risk screening) in a highly risk-averse approach.


In sum, the trust score of a subject may be determined based on the distributed sensing information collected by tracking a subject and sensing information reliability and not based on the individual’s specific identity, i.e., anonymously. The trust score can be reduced by one or more nonnegligible interruptions to the chain of custody (COC) which raises the risk and erodes the trust score by one or more COC factors. The trust score can further be reduced by sensing factors which are directly related to the sensing equipment and technique. In the examples described above, these factors affect the trust score indirectly through an adjustment to the reliability of the distributed sensing information which is in turn used in the determination of the trust score of the subject. In other embodiments, it is possible to adopt different algorithms, including those in which the COC factors, sensing factors, and any other factors may enter into the determination of the trust score of the subject in different ways or in a more direct manner.


The anonymous chain of custody tracking has now been described. While the tracking may be anonymous, to establish the chain of custody, the individual observations need to be definitely linked to the individual. Traditional identifying technologies (e.g., facial recognition and biometrics) may be used to match observations but not to tie back to a specific identity. As such, biometrics may be used as criteria for re-identification, without linking the data to a specific individual identity such as a name or biographical information.


Example Methods

The following discussion describes procedures that may be implemented using the previously described systems, techniques, approaches, and devices, although the described procedures are not restricted to that previously described. Aspects of the procedures may be implemented in hardware, firmware, or software, or a combination thereof. The procedures are shown as a set of blocks that specify operations performed by one or more electronic devices and are not necessarily limited to the orders shown for performing the operations by the respective blocks. In portions of the following discussion, reference will be made to the environments, systems, devices, modules, applications, algorithms, approaches, and techniques described above. While some blocks/decisions may be captioned as “optional”, there is to be no negative inference with respect to blocks/decisions that are not denominated as “optional,” i.e., blocks/decisions are not “mandatory.” In accordance with some embodiments, information is stored in memory (at least temporarily) during performance of the methods for a variety of reasons. Example rationales include, but are not limited to, data processing convenience, communication convenience, permit batch validation/review, records maintenance, and so on, and combinations thereof.



FIG. 8 is an example of a flow diagram of a method 800 that illustrates application categories to, for example, targeted physical screening processes such as those implemented for physical security screening. The method 800 includes a determination that can be used to designate to what extent a physical screening device is configured/operates. This may be done for controlling operation of an electromechanical portion of the device (e.g., a sensor or detector), its software (e.g., software used to analyze data output in digital form from the detector), or combinations thereof.


In examples, the output of determination serves as a basis for routing an item or individual to an area/location. For example, a computing resource uses a value or score output from the determination in a device management algorithm configured to manage one or more devices used to perform a task such as physical screening. The computing resource, under control of device management software, implements the determination to electronically direct the item or individual to an area/location associated with a screening device that is or will be configured to operate at a level consistent with the determination output. For example, a system implementing the method provides instructions to baggage handling machines that move an item to an area/location associated with the screening device (e.g., a queue) that implements or will implement a sensitivity setting corresponding to that designated by the determination, e.g., a category. In the latter instance, the screening device is triggered to operate at the corresponding level in a variety of ways, including but not limited to RFID notification, electronically reading a token, or geolocation, e.g., use of a GPS or Wi-Fi enabled smartphone.


For instance, a CT conforms its operating parameters (physical or software) to that which corresponds to the determination output in response to a user’s optically scanning a token containing machine readable information. The CT can switch from a first operating configuration to a second configuration under computer control. The computing resource controlling the CT can store the determination score in, for instance, a temporary register or lookup table in association with an identifier of the item or individual and other related information, so that it is available for use in response to a triggering event.


Although individual or tailored categories are within the scope of this disclosure, in some instances a range of scores that result from the determination are assigned to a category or threshold and a device operating in conformance with the method operates at a level consistent with that category. For instance, items with a score of between 1-500 (one to five hundred) are assigned a “low” category and are subject to screening at a less intrusive level than items with a score of between 501-1,000 (five hundred one to one thousand), which are assigned a comparatively higher category in at least one respect relative to that of the “low.” For example, the method 800 implements the determination score as a basis for routing the item to an area/location affiliated with a device that corresponds to that score or a category to which that score belongs. This score could be the sensitivity level of a CT machine used to detect an object of interest, e.g., a weapon. A threshold can correspond to a degree of sensitivity in comparison to a device’s operating range. In other implementations, the score relates to a pre-established or predetermined operating parameter at which the system/device operates for an average or medium scenario or situation.


Those of skill in the art will appreciate that a threshold can be for an algorithm implemented in software used to analyze a detector’s output. Thus, the screening device’s physical configuration is fixed, but the threshold implemented by a computer algorithm is changed to be more sensitive or less sensitive depending on the outcome of the determination. For instance, a biometric iris scanner implements a common scanning protocol, but its biometric matching/identification software requires a higher match percentage (e.g., 99.7%) than that which the software typically (99.0%) implements for the majority of the individuals to be screened as a result of the determination.


A system or device implementing the method 800 in accordance with this disclosure can implement a variety of informational 802 factors as part of its electronic determination. This information may include aggregate observations information or historical information, such information obtained or derived from previous interactions or the output of devices that are coextensive in time or are part of a single transaction that is logically connected, e.g., physical screening for a sporting event. An example of the foregoing is use of the output from the distributed sensors aggregate observations and/or one physical screening device as a factor in a subsequent threshold determination for another device. If an anomaly is detected for check-in luggage screening, subsequent screening of a carry-on item for the individual can proceed in an example, but it would result in application elevated or more intrusive physical screening and/or a comparatively more stringent detection threshold relative to a threshold implemented had the anomaly not been present.


In embodiments, the method 800 includes a determination 804. For example, responsive to receipt of information related to an item to be physically screened, a computer-implemented algorithm makes an electronic determination 804 as to which of a plurality of categories an item corresponds. In embodiments, the determination 804 serves as an information source for various workflows. The determination 804 can serve as a basis for routing the item/individual or establishing a screening device threshold. The determination 804 in embodiments is expressed as a score that is usable by a computing resource for one or more of categorization, routing, or setting a threshold.


For example, responsive to a user’s making an airport screening system aware of his/her presence via the user’s smartphone and/or a distributed sensing system’s communicating aggregate observations information to the airport screening system, the system electronically determines to what category the individual and/or related items are related, e.g., pre-established categories such as low, medium, high (relative to one another). An outcome of the determination 804 can be communicated to the user’s smartphone or another device (e.g., an access control device) in response to an intervening event (e.g., a smartphone communication originating from a predetermined area or a Wi-Fi beacon indicating a person is in a predetermined location), computing resources’ becoming available to make the determination, or an individual’s communicating information via a mobile device (e.g., mobile driver’s license information). For instance, the system directs an individual to lane “A” as it corresponds to a category to which the individual is assigned and offers a shorter wait time than other available lanes.


In embodiments, the determination 804 includes obtaining information from one or more resources as received information 806. For example, a computing resource uses identifying information (e.g., telephone number, SIM card number, unique identifier) from a handshake to query a data structure for information that corresponds to the device or an individual associated with the device. For instance, in response to the passenger’s clicking “I am here” upon arriving at Reagan National Airport, the system uses a unique identifier from the smartphone to locate historical information and/or observations information for the passenger and those in his traveling party, e.g., associated historical information. The computing resource can do this by accessing a local data structure to locate relevant information. This may result from the passenger’s phone supplying a reservation code indicating that he, his wife, and two children have arrived at the airport for a scheduled trip. In this instance, the data structure (local) may have historical information the passenger and his family, e.g., a risk score, outcome of previous physical screenings, SIM card ID from a previous interaction with the system or a related system, e.g., a central resource that supports multiple generally equivalent systems. While the central resource can push historical information and/or observations information to the local data structure, in embodiments the method requests the information from the central resource or a third-party system. The smartphone/computing resource can automatically provide the information due to an individual having set his/her smartphone to automatically interact with the system.


In an example, a computing resource performing the method obtains the information by requesting it from a third-party source. The computing resource electronically requests a unique identifier (airline frequent flyer or known traveler number) from an airline reservation system, so it can uniquely identify a user. In other situations, an airline system pushes information (e.g., known traveler number) as a result of an interaction with, for instance, the user’s smartphone communicating with the airline system of the phone’s location at a departure airport. The foregoing can be done when an individual purchases a ticket after a predetermined point in time, e.g., 24 hours ahead of an event. Additional embodiments will be apparent to those of skill in the art based on implementation and design preference.


In embodiments, if a subsequent targeted screening process is logically connected to a previous targeted screening (e.g., part of a unified transaction), information from the previous screening is used as information or a factor for determining what category the item or individual is assigned for the subsequent process. The computing resource may determine a subsequent targeted screening process to be performed for the subject, based at least in part on a result of the targeted screening process and optionally the information on the one or more characteristics, and electronically direct the subject to the subsequent targeted screening process. For example, based on a CT scanner reporting no “anomalies” for a piece of luggage, a computing resource populates this information into an algorithm that implements the data (e.g., a risk score) to set a threshold/calculate a category to which the individual associated with the luggage is to be screened by a magnetometer. Eliminating other factors in the preceding example, the system sets the person’s category to a low level in comparison to a situation that includes an anomaly.


Block 808 is representative of electronically populating a computer-implemented algorithm, such as a multivariable physical screening risk assessment algorithm, with information usable to calculate a category for one or more of an item or individual. For example, a computer operating in conformance with the method 800 populates a multivariable category determination algorithm with numerical scores associated with multi variables (e.g., travel-related data) that the computer uses to calculate a score that defines what category is to be assigned to the item or individual. In embodiments, an algorithm implements a multivariable risk assessment methodology (RAM) or a Failure Modes, Effect, and Criticality Analysis (FMECA) approach. While in embodiments the algorithm implements the factors on a weighted basis, in other embodiments one or more factors are determinative of a particular category or threshold, e.g., are effectively category/threshold determinative (yes/no). Example factors include, but are not limited to, identification issue date, biometric match score, previous screening security score, age, frequency of travel, and the like as understood by one of skill in the art.


In some embodiments, the algorithm is constructed to accept a super-set of possible factors with a computer implementing the method being configured with instructions to populate one or more factors from the super-set, so it can perform the calculation that functions as the underpinning of the determination 804. An example of the foregoing is a computer’s selecting a subset of factors that it uses to calculate a category or threshold as part of the determination. In embodiments a computing resource is constructed to pre-process information (e.g., a numerical score or binary variable), so that it is available in memory to populate the information in the algorithm following a script of computer executable instructions.


Block 810 is representative of calculating a trust score for the item or individual. In an example, a computing resource uses the populated algorithm to calculate a value or score that corresponds to a category or a threshold for a screening device. An example of the algorithm of determining a trust score is shown in FIG. 7 and described above. In this way, a computing resource implements the algorithm to process one or more physical security related variables to obtain a numerical score that indicates the passenger should be accorded a “low” risk category. The computing resource communicates the outcome of the calculation 810 to the device, so that the device can set its threshold based on the score or value. In other embodiments, the computing resource electronically converts the score to a threshold level that it communicates to the device. In examples, the computing resource is configured to perform such calculations with a subset of variables, presuming that a preconfigured minimum set of data is available for use. A computer resource implementing the method may have predetermined data that is specified for inclusion (e.g., name, date of birth) while other factors are not directly specified (e.g., driver’s license number, issue date, previously assigned risk assessment score).


Optionally, the determination 804 includes identification of a category to which an item or individual belongs (Block 812). For example, rather than assigning an item a unique score or a semi-unique score, the score is categorized into a pre-established category, such as high, medium, low (relative to the other categories). Although high, medium, and low are referenced, those of skill in the art will appreciate that the number of groups into which scores are categorized can be greater (e.g., five groups) or less (e.g., two groups). In embodiments, the number of groups into which the scores are categorized is dynamically changed before categorization, or the number of groups may be predetermined prior to categorization of an item or individual into a particular group. An example of this is a checkpoint that dynamically changes from a “high/low” into a “high, medium, low” categorization. The change in this example can occur due to system demand among other rationales. The categorization can be expressed as a numerical or other value that is usable to discern between the categories that in some instances correspond to respectively different areas/locations or thresholds when implemented for these tasks by a computing resource or computer-enabled device.


Implementation of the determination (e.g., score, value) and/or the category if one is identified is illustrated as block 814. In an example, a computing resource for a physical screening system implements a category identified as part of routing (Block 816) a corresponding item or individual to an area/location associated with that category or that will be associated with the category. An example of the latter is a luggage screening device that switches from a first category to a second category that is affiliated with an item to be screened. A variety of mapping/routing algorithms can be used for this purpose and may be implemented in conjunction with computer-implemented software designed to manage resources, for example, to load balance items/individuals to be screened with available resources. An item associated with the second category may be directed to the area/location because the luggage screening device is or will become underutilized relative to other functionally similar devices under control of a computing resource implementing the method 800. In this example, a software-enabled resource management algorithm electronically determines a device is underutilized based on item throughput or other equipment management factors as reported by devices under its control or from standalone sensors used to collect information relevant to usage of the equipment. Thus, an individual holding a carry-on bag with a “high” designation is electronically directed to X-ray scanner currently operating at a “medium” designation in anticipation that the luggage scanner will switch to “high” after screening any remaining “medium” carry-on bags. Those of skill in the art will appreciate that the luggage scanner can switch from “high” to “medium” responsive to a trigger. Example triggers include but are not limited to an RFID reader on the luggage scanner reading an RFID tag on the carry-on or an affiliated process, e.g., an optical scanner scanning a boarding pass for the individual possessing the carry-on.


In other embodiments, the determination/categorization is used to set a threshold or a procedure (Block 818). For example, an individual routed to a security lane is permitted to keep his/her shoes on and is not required to remove electronics from a carry-on bag because the determination score indicates a less invasive screening is appropriate because the individual is associated with a low score that indicates the person is unlikely to have prohibited items.


The computing resource may set a prescreening confidence value for the subject, based at least in part on the information on one or more characteristics associated with the subject, prior to electronically directing the subject to the targeted screening process. The computing resource may then set a confidence value for the subject based at least in part on a result of the targeted screening process and the prescreening confidence value for the subject. The setting of the confidence value is based at least in part on an updating of an earlier determined confidence value for the subject. For example, the system may further set a subsequent confidence value for the subject, based at least in part on a result of the subsequent targeted screening process and an earlier determined confidence value for the subject determined based at least in part on the result of the targeted screening process. The determining of the subsequent targeted screening process may include a selecting, based at least in part on the confidence value, from among a plurality of different subsequent targeted screening process options. One of the plurality of different subsequent targeted screening process options may be an adjust-and-repeat of the targeted screening process associated with the result.


The goal of the security screening is to perform sufficient screening to permit the subject to pass (GO) when the confidence value reaches a preset threshold or cause the subject to stop (NO GO) when it becomes evident that the confidence value to pass cannot be reached. There may be a GO threshold above which the subject is a GO and a NO GO threshold below which the subject is a NO GO. The distributed sensors aggregate observations information and any prior targeted screening results are used to tune subsequent targeted screening process. It produces a causal relationship security screening procedure. In general, the causal relationship security screening procedures produces a decision tree from the distributed sensors aggregate observations to the last targeted screening process. The use of the distributed sensor aggregate observations information may help minimize the amount of targeted screenings to reach the GO-NO GO decision.


In embodiments, the determining of the subsequent targeted screening process may include a selecting from among a plurality of different subsequent targeted screening options, based at least in part on a characteristic of a negative result, a failed result, or an insufficient quality result, or any combination thereof, of the targeted screening process. One of the plurality of different subsequent targeted screening options may be an adjust-and-repeat of the targeted screening process associated with the negative result, the failed result, or the insufficient quality result.


In some embodiments, the system may identify additional information about the subject based on the targeted screening process, responsive to the identifying, assign another category from the plurality of categories to the subject or another subject associated with the subject based at least partially on a result of the targeted screening process, and electronically communicate information for the other category to the electronic device or another electronic device, to direct the subject or the other subject to another location in the targeted screening area which corresponds to the other category, for a subsequent targeted screening process to a threshold associated with the other category. The other category and its associated threshold may represent a higher security level, relative to the category and its associated threshold, to be applied in the subsequent targeted screening process based on the additional information that indicates the higher security level is warranted.


Information Resources


FIG. 9 illustrates resource configurations including third-party resources implemented in conjunction with the devices, systems, methods, approaches, and techniques consistent with this disclosure. The central resource 934 is illustrative of functionality and corresponding hardware/software to support a cloud service/local network 964 that supports management and operation of one or more mobile devices (illustrated as smartphone 906), physical screening devices (a CT machine is illustrated), access control devices, baggage sorters, and the like for identification, routing and targeted physical screening of individuals and items. The central resource 934 (illustrated as server 934A) is shown as sourcing/receiving information from a biometric information resource 960 (illustrated as a server 960A), a passenger information/ticketing system 970 (illustrated as a server 970A), and an aggregate observations system 580 (illustrated as a server 980A). Various computing resources can provide the described information/functionality requested by the central resource 934 and may be embodied as a combination of hardware and/or software that are co-located with the central resource 934 or more likely remotely located. The resources are shown with arrows indicating sample data flows that are physically supported by a variety of communication mediums such as a dedicated network, a semi-dedicated network, the Internet, and so forth. It is to be apparent that the function of the various resources may be provided via a cloud type hardware-software arrangement. As illustrated, the communication is shown as two-way so data can be pushed/retrieved (pulled) to/from the various physical devices based on configuration and design choice as understood by one of ordinary skill in the art, although in various embodiments, one-way communication is compatible. In embodiments, the central resource 934 functions as a gatekeeper by maintaining comparatively high or different security on the central resource 934, in relation to potentially different security schema applied by the passenger information/ticketing system 970 and/or aggregate observations resource 980. The central resource 934 in embodiments can store, obtain/validate information, coordinate information, match records, link information, and combinations thereof on behalf of the mobile devices, cloud service/local network 964, and so on.


For example, the central resource 934 requests a reference image or signature, and any other information (biographic/biometric), from another resource such as a state department of motor vehicles (DMV) database system. Such DMV databases may be operated by or implement a variety of commercial software or hardware and may be virtualized as a cloud type resource. Those of skill in the art will appreciate that such information may be protected using a variety of security methodologies including, but not limited to, public/private key encryption (public key encryption (PKI)), virtual private network communication or the like to protect information.


In embodiments, the central resource 934 includes one or more computing systems constructed to provide central resource functionality. In implementations where multiple computing resources are implemented, individual ones may operate in a redundant fashion, perform load balancing, handling of processor/memory interrupts, and so forth to provide substantially seamless support to the one or more predetermined local environments (e.g., the front-end system and touchpoints). Redundant support and/or load balancing between multiple computing resources can be handled in a variety of ways. In some instances, systems can apportion different tasks or portions of tasks among themselves, while in other instances central resources accept/hand-off tasks as individual computing systems become relatively busy/become less busy. For example, rather than hashing a raw image or matching a hash of an image to hashes of images included in a gallery, the central resource instructs the mobile device to perform this task on its behalf or on behalf of other resources. In additional embodiments, functions performed by the central resource 934 are performed or partially performed by a computing resource located in a local environment, such as at an airport, port, customs facility, port-of-entry, test facility, department of motor vehicles office, and so forth. In scenarios, the central resource 934 and the illustrated resources apportion responsibilities and tasks according to a predetermined load-sharing algorithm.


For example, while in typical operation the central resource 934 functions as a master by controlling (to at least some extent) information exchange with the mobile device, in some instances the mobile device influences information exchange with the central resource 934 or some function or aspect of the central resource, e.g., area availability. An example of the foregoing is the baggage sorter controlling or directing the central resource to avoid sending baggage to a given area, due to a malfunction. The baggage sorter may be configured to scan machine readable information that uniquely identifies an item or is associated with the item and to route the item to a location for targeted screening based on the machine readable information.


For example, responsive to a determination that an identification token is suspect, the central resource 934 queries a state DMV database to determine a date associated with its electronic record and/or the token itself, e.g., driver’s license. An electronic record and/or token with an older date may be accorded a category corresponding to a lower threshold for the physical screening process (compared to a more recent issue date, where a higher threshold might be desired for the physical screening process). In an embodiment, responsive to a determination, by for example the central resource 934, that a proffered driver’s license is “new” due to an original license being lost, stolen, or destroyed, the central resource 934 may apply a categorization corresponding to a higher threshold in comparison to that which it usually implements or apply a different algorithm, and/or obtain additional or comparatively more detailed information than that obtained if the token was not identified as “new.”


It should be apparent that multiple baggage sorters can collaboratively make use of the central resource 934 based on a predetermined algorithm that implements one or more resource management approaches. Examples of such resource management approaches include, but are not limited to, round robin, first in first out, a weighted average importance methodology, and so forth for controlling, managing, accessing, or using the central resource 934 or the central resource functioning on behalf of a particular device.


The mobile device (e.g., smartphone 906) and/or the baggage sorter can communicate with the central resource 934 in a web-enabled manner and can be supported by a cloud-type local resource supported by one or more physical devices, such as server(s) (not shown) or the mobile devices themselves. Data communication may use hypertext transfer protocol (HTTP) or hypertext transfer protocol secure or hypertext secure sockets (both are referenced as HTTPS). In implementations, extensible hypertext markup language (XHTML) is used to communicate or present information. Other standards can be implemented, such as extensible markup language (xml), in conjunction with or separate from public key encryption (PKI) used to encrypt the data for communication or storage. In embodiments, the mobile device/baggage sorter and central resource communicate in a client-host arrangement.


As illustrated, for interactions involving the central resource 934 and resources such as the biometric information resource 960, passenger information/ticketing system 970, and aggregate observations resource 980, the central resource 934 can function as a hub in a hub-and-spoke configuration with the resources supporting the central resource 934 that in-turn supports mobile device(s), baggage sorter(s), and so forth. The resources including the biometric information resource 960, passenger information/ticketing system 970, and aggregate observations resource 980, and can include other collection devices, other systems (e.g., common carrier reservation/check-in systems), computer systems operated by governments or law enforcement, quasi-government organizations (e.g., National Center for Missing and Exploited Children), and so forth. The central resource 934 can function in a variety of ways depending on the corresponding system/device with which it is interacting or receiving communication. The central resource 934, for instance, is configured to exchange information (as indicated by the arrows) with biometric information resource 960, passenger information/ticketing system 970, aggregate observations resource 980 or other common carrier systems, while it handles different tasks for the mobile device(s), baggage sorter(s), and so on.


With particular focus on the central resource 934, the processor 910 for the central resource 934 includes a categorization module 918. The categorization module 918 represents functionality to accept information, generate records, match entry/exit records for individuals, verify information, and so forth. The categorization module 918 is supported by computer executable instructions, e.g., a program or script, which are constructed to enable the processor to perform the described task.


The categorization module 918 in embodiments is constructed to receive information from a variety of sources including, but not limited to, collection devices, other systems, and so forth. For example, the central resource 934 is constructed to save biographic, biometric, and/or travel information in a record 912 in a data structure such as database 914 in memory 916 for an individual that does not have a record. The foregoing occurs when, for instance, the individual enters the country for the first time.


In other instances, the categorization module 918 generates a record 912 on a per instance basis (e.g., each time an individual enters the country). Although biographic and biometric information may be associated with one another in a record 912, the categorization module 918 can be configured to separate the information or otherwise arrange it to promote rapid (e.g., relational) searching based on a particular criterion, criteria, or a design preference. For example, a record 912, to which the categorization module 918 stores the information for an individual, includes a link that directs access to the biometric information stored in a corresponding biometric information record.


Those of skill in the art will appreciate that the functionality and corresponding hardware/software described in conjunction with the information module 926A and the information module 926B can be included in the central resource 934 and/or the biometric information resource 960 for a substantially similar purpose and/or function in a substantially similar manner taking into account its incorporation in the central resource 934 or biometric information resource as appropriate. The information module 926A is illustrated in the central resource 934 and a similarly configured information module 926B is illustrated in the biometric information resource 960. Although the information module 926A is illustrated as being within the categorization module 918 (in part for ease of understanding), it is to be appreciated that the various sub-modules can be designed to be independent with more APIs used to permit the sub-modules to interact based on design preference. Those of skill in the art will appreciate that the arrangement, function, and inclusion of one or more “sub-modules” such as the management, identity, and geolocation modules as described in the system of FIG. 3B and mobile devices can be included, based on design preference with the respective module/submodule functioning in accordance with the role associated with the device within which it is included or associated, e.g., categorization module 918 included in the central resource 934 functions as if it is a host or master (commensurate with the role of the central resource 934) rather than a client.


In implementations, the biometric information resource 960 functions as a dedicated or semi-dedicated resource for the central resource 934, a baggage sorter, or one or more mobile devices if, for example, they collectively perform the functions described in conjunction with the cloud service/local network 964 (e.g., operating as a cloud resource). In this manner, the central resource 934 “offloads” or instructs the biometric resource 960 to perform tasks related to an item or a passenger such as biometric matching, biometric exclusion, data storage, lockout, and so forth to the biometric information resource 960 in favor of comparatively higher-level management tasks. An example of the preceding is the central resource 934 delegating to the biometric information resource 960 the task of setting a record flag of an item in question, scan a corresponding image/hash from the record against a gallery maintained by the biometric information resource 960 (e.g., biometric records 966), call out to a third-party biometric data source (e.g., a database of missing/exploited persons such as the one operated by the Center for Missing and Exploited Children), and so forth.


As should be appreciated, a mobile device and/or baggage sorter may include functionality/modules (supported by hardware/software) to function in a manner as a module(s) of the central resource 934. In embodiments, a local computing resource is used, e.g., as a local part of the cloud service/local network 964, to categorize an item, such as preprocessing information for the central resource 934.


In instances, a subset of the biometric information is retained in the record 912, e.g., a part of the biographic information or a computational result that is indicative of the biometric information, e.g., a biometric signature, a hash of the biometric information. In the foregoing example, the biometric information resource 960 and/or the matching module 926 calculates the biometric signature based on collected biometric information, e.g., facial dimensions. A biometric signature can be used to promote rapid biometric matching for routine identification and categorization. In embodiments involving multiple records, the records can be linked via a unique identifier, such as a passport number, a session identifier, an assigned number, or the like. A biometric resource is constructed to perform biometric related tasks (e.g., biometric data storage, biometric matching, biometric exclusion) to free up central resource’s processing and/or memory resources. While the biometric information resource 960 can perform such roles, it should be apparent that the central resource 934 can hash biometric information while the biometric information resource 960 handles other tasks, such as processing raw images, performing biometric matching and the like as contemplated by one of ordinary skill in the art. For example, the biometric information resource 960 maintains a more detailed hash in comparison to that of the central resource for use in situations where greater accuracy is requested.


For example, the database 914 and records 912 stored therein are structured to facilitate searching based on name, or other identifiable biographic information, e.g., eye color, tattoo description. The computing resource does this by segregating some information in a record 912 (e.g., in a name record or entry record) from other information (e.g., the majority of an individual’s biometric information), duplicating some information in a table (e.g., a lookup table), indexing information, and so on to increase efficiency relative to a system or database without such a feature. Biometric information or portions thereof can be handled in similar manners. In embodiments, information associated with a particular trait or traits, e.g., eye spacing, is used to aid in rapid general identification or elimination of possible matches, while other identification techniques (other traits, combinations of traits, behaviors, etc.) are used to promote accurate identification by confirming an individual’s identity for use in categorization.


In embodiments, the approaches, techniques, algorithms, implemented by the categorization module 918 are tailored based on structure and/or database operating parameters. For example, the algorithm is configured to match an individual leaving with his/her entry record by matching a traveler’s identity with his biographic and historical information in a particular order, for increased efficiency when categorizing the individual for a particular level of targeted physical screening. For instance, the categorization module 918 implements an algorithm that matches entry records based on the country that issued the passport in order to reduce the records to be searched before searching for a particular passport number. Accordingly, the country code can serve as a categorical threshold distinguishing two levels of categorization (e.g., include a physical pat down for individuals not from the United States). In another instance, the algorithm uses a unique identifier (e.g., a machine-readable barcode on a travel document) that points to a record to which a match is to be made. In the previous example, the matching module 926 attempts to make a match, e.g., match identities, based on the unique identifier before reviewing other records and/or lists or a database of individuals for which other procedures are to be employed. It is to be appreciated that biometric features may be similarly categorized to minimize the gallery used for matching or exclusion, thereby increasing efficiency of categorizing corresponding individuals and/or items for physical screening.


The categorization module 918 can be configured to operate in a variety of modes that are accessed responsive to operator input, e.g., a system manager configures the system to implement a higher accuracy level in comparison to standard operation or dynamically based on a variety of information factors. The central resource 934, for example, supports a GUI that is configured to accept user input to increase a certainty level, such as during a time of heightened security in comparison to normal operation. In the preceding instance to increase accuracy, the categorization module 918 matches additional information to increase certainty. The increased certainty can be used to adjust threshold level(s) between different categories in which an item is placed for physical screening. For example, the increased certainty level is used to achieve a higher confidence in a given item, which can allow more tolerance for relaxing a level of physical screening to be applied to the item associated with that higher confidence level. In other embodiments, different information or additional information can be used to increase certainty and/or confidence. For example, instead of performing a “standard” biometric match, that yields ninety-eight percent (98%) certainty, the categorization module 918 performs a more in-depth review that increases accuracy to ninety-nine point nine percent (99.9%) by matching more factors, matching to a greater degree of accuracy, combinations thereof and so forth, resulting in a corresponding increased level of confidence and physical screening category tolerance.


In other embodiments, the categorization module 918 dynamically alters, such as via an algorithm, how and/or what algorithm is used to confirm a match. For example, if it appears based on biographic information that an individual is to be subject to additional procedures, e.g., additional safety screening, the algorithm implements additional checks to heighten certainty that the individual or his/her information does correspond to an individual warranting this type of treatment. The foregoing is done in comparison to a situation in which the individual is not associated with additional procedures. In additional embodiments, the categorization module 918 is configured to alter how, what, and/or to what extent biometric information is used to identify an individual (or item). For example, an algorithm used by the central resource 934 applies a higher facial recognition or tracking standard to an individual associated with poor fingerprint image, such as a brick layer. Accordingly, the central resource 934 can avoid categorizing the brick layer into a more onerous physical screening process, due to obtaining a high level of confidence of the brick layer via facial recognition (with known identity) or facial tracking (with unknown identity anonymously), which level of confidence would not usually correspond to an individual lacking readable fingerprints.


Example heightened checks, which can be used to adjust a threshold for categorizing items, comprise additional information matching, the use of different or more rigorously applied biometric identification algorithms (in comparison to that commonly implemented). For example, while the categorization module 918 implements a target matching algorithm to identify an individual who is not to enter the country, an identification algorithm is used to verify the individual is indeed the individual who is barred from the country. In other examples, the categorization module 918 dynamically lowers accuracy to a predetermined acceptable level in order to increase the number of individuals that can be screened, which can be accommodated by a corresponding adjustment in dynamic thresholding applied to those individuals for a corresponding physical screening process. The foregoing can be done in conjunction with applying a higher exclusion standard, e.g., applying a more rigorous standard that is more likely to associate a captured image with an image in gallery of excluded images.


In some instances, the categorization module 918 coordinates information for a current instance with historical information. For example, current information is married with historical information. In other instances, the categorization module 918 uses historical information as a check or validation on current information. The categorization module 918 can perform this check by comparing a particular piece of information (e.g., a unique identifier such as a passport number) or based on a combination of information. An example of the latter situation is combining a first or given name, a last or surname, with a date of birth, and/or other biographic information to determine what tasks to perform, e.g., obtain additional information, impose predefined procedures, deny access, and so on. The categorization module 918 in addition to or in place of the foregoing can also check the data to determine if it is valid, e.g., a birthdate is composed of a month, day, year in that order.


Other information can be stored in conjunction with at least some of the information (biographic, biometric, travel). For instance, the categorization module 918 includes a unique identifier (e.g., a record identifier, a session identifier) with the information. The categorization module 918 can include other information in the record as well. For example, the categorization module 918 includes one or more of a timestamp, a software version, algorithm configuration, and the like with the information comprising the record 912. This other information can be included directly or used as metadata to biographic, biometric, or travel information.


Memory 916 can be used to store information in a variety of ways or formats. For example, information for an item, whether obtained from a collection device, received in a manifest 942, or obtained from another system/resource, e.g., biometric information resource 960, passenger information/ticketing system 970, and/or aggregate observations resource 980, can be stored in a record 912 that is generated when an item is identified as a candidate for a physical screening process. In other examples, information is stored in a name record that contains information for (potentially) multiple instances. A name record, for example, may contain information for multiple visits, e.g., multiple entries/exits for a particular item in addition to containing biographic information for the individual, if applicable to that item. Memory 916 can house other databases, e.g., a manifest 942 database configured to contain manifests 942 from common carriers. Memory 916 can house or contain other databases, tables (lookup tables) and so forth. For example, information for items meeting pre-specified criterion can be housed in a separate database or lookup table.


Other example databases 914 include a procedure database that details procedures, prompts, questions, additional information, and so on for use. For example, the central resource 934 includes an information database that details common information associated a geographical area (e.g., a departure city, country, state). The central resource 934 may use this database 914 to formulate queries designed to test against an item, e.g., asking whether an individual is aware of information that is commonly known for an area.


In embodiments, the central resource 934 maintains information associated with certain characteristics in a database 914 for comparison against information for items. An example of the foregoing is the categorization module 918, as part of receiving and/or storing information, uses a lookup table to determine whether information for an item matches or at least partially matches that is contained in the table. For example, the categorization module 918 implements a script or other logic to determine whether the item is that of a type, or an individual’s identity, which corresponds to a type of item or individual that is not permitted to use a particular form of transportation (e.g., the item is a weapon banned from airplanes, or the individual is identified as being listed on a no-fly list). In these examples, not only may the lookup table include information on items meeting a preselected criterion, but it can include colorable variations of the information. Example variations include alternative spellings, misspellings, aliases, date ranges such as for birthdates, variations in physical descriptors (e.g., brown for hazel eye color), combinations thereof, and so forth. While such checks have been described with respect to record creation, a substantially similar process can be used when matching information for an individual leaving with that of an entry record. Moreover, the categorization module can implement a matching algorithm, e.g., a graphical based algorithm, which accounts for variation in individual pieces of information.


Furthermore, while the preceding processes are described in conjunction with storing information, in some instances, information is stored in a record 912 and then compared to determine whether a match exists. For example, rather than delaying overall productivity, a server functioning as the central resource 934 temporarily stores information into an overstay database 915 and then reviews it in parallel rather than checking and storing the information in series.


Central resource 934 can retrieve the aggregate observations information collected before the individual reaches the targeted screening area. Example aggregate observation information includes information on detecting a high mass object that may be a pressure cooker or information on potential explosive material, liquid, firearms, or other weapons.


Categorization module 918 determines a first traveler category corresponding to the threshold of intrusiveness applied for screening of passenger and his various items based on the aggregate observations information retrieved by the computing resource 240. As discussed above in reference to FIG. 3A, an example set of category values can correspond to a Low, Medium, and High level of risk to be investigated from the scanning of the traveler and his items. Of course, a set of categories utilized in a scanning process can utilize any number of categories as needed to distinguish the various levels of intrusiveness that are applied as part of the screening of travelers and their items.


In embodiments, the central resource 934, e.g., the categorization module 918, validates information to ensure it is properly formatted (e.g., the information is valid), conducts an initial review of the information, or a combination thereof. In embodiments, the central resource 934 can perform validation, consistency checking, and/or constraint checking. In an embodiment, the categorization module 918 checks the information to determine whether it duplicates previously submitted information. The foregoing can be done by querying the database 914 based on one or more portions of the information. For example, the categorization module 918 may check a passport number against those in the system to identify someone attempting to use an altered passport, e.g., the passport has a valid passport number but the contained information is not accurate to the information upon which the passport was issued. Although validation is described in conjunction with the categorization module 918, in other instances the validation and/or initial review functionality is embodied as a validation module. Such a validation module is representative of functionality to validate information and supported by a program of instructions, e.g., implementation of a set of validation rules by the categorization module 918. For instance, the central resource 934 includes a validation script that executes to perform validation logic. Validation or initial review can be performed in a distributed manner, e.g., a collection device such as a mobile device and/or baggage sorter performs a portion of the task and the central resource 934 performs other portions or confirms the validation or review.


The central resource 934 and categorization module 918 can be configured to perform additional tasks. For example, periodically or upon request the central resource 934 is configured to check whether items corresponding to records 912 in a database 914 meet a predetermined criterion, e.g., an individual overstayed his/her visa, a bag is misrouted to the wrong area and remains (“overstays”) in the wrong area. In instances like this, the categorization module 918 or another component of the central resource 934 checks records 912 containing information meeting the criterion, e.g., “overstay.” In response, the central resource 934 creates or updates a database 914 with information from records 912 that meet the criteria and/or creates/updates a table or other data structure with links to records that meet the criterion. The central resource 934 can add information to the record 912 to indicate the record 912 meets the criterion. In addition to populating the overstay database 915 with information for overstayed items, the categorization module 918 may flag (e.g., set data in memory to indicate a status or condition of logically related data) the records 912 by including information in the record that shows the item has overstayed.


The biometric information resource 960, passenger information/ticketing system 970, and aggregate observations resource 980 are shown to include similar features described above with reference to the central resource 934, with corresponding similar functionality and capability. For example, the biometric information resource 960 includes processor 928, communication unit 962, memory 930, database(s) 932, and (biometric) records 966. The passenger information/ticketing system 970 includes processor 920, communication unit 972, memory 922, database(s) 924, and manifest/ticketing records 976. The aggregate observations resource 980 includes processor 936, communication unit 982, memory 938, database(s) 940, and observations information 986.


The biometric information resource 960, passenger information/ticketing system 970, and aggregate observations resource 980 are shown specifically in FIG. 9, however, while a variety of devices, components, examples, and scenarios are described, multiple devices and components can be used and the various tasks can be handled among the components in a distributive manner, e.g., dividing up tasks, allocating user devices, and the like among the physical computing devices comprising the intermediate. Although only one central resource 934 is illustrated for simplicity, the system can include multiple devices and components with similar functionality or functionality that differs to permit that device/component to perform a particular task or role as described herein. It is to be appreciated, for example, multiple components of similar type can be included. For example, a collection device includes an image capture device for fingerprints and another for iris scanning.


It should be noted that while various structures and functions are described with respect to certain members within the environment, the functions and/or structures may be implemented by other members in the environment, e.g., the central resource 934 includes a validation module, even though not specifically illustrated in FIG. 9. For example, a mobile device includes a matching module to identify an item/individual. For example, instead of the central resource 934 matching an individual (such as through a combination of hardware/ software constructed to perform the described features), matching is performed by the mobile device (e.g., smartphone 906) and/or baggage sorter 204 operated in a local environment of the cloud service/local network 964, e.g., a local network at the departure airport. In scenario such as this, the central resource 934 can preposition information in the local environment of the cloud service/local network 964 for use in categorizing. In some examples, the central resource 934 prepositions biographic and biometric information associated with an item scheduled to depart the local environment.


As illustrated schematically through the use of arrows, the central resource 934 can preposition information collected from various other resources into the central resource 934, such as from the illustrated biometric information resource 960 (to preposition its biometric records 966), from the illustrated passenger information/ticketing system 970 (to preposition its manifest/ticketing records 976), and from the aggregate observations resource 980 (to preposition its observations information 986). Such prepositioning can be accomplished at predetermined times to avoid surges, such as during late/early hours of typically low activity where bandwidth and server resources are not otherwise in high demand. In the illustrated example of FIG. 9, the central resource 934 has prepositioned a copy of a most recent in time manifest information to the overstay database 915 of the central resource 934, which was obtained from the manifest/ticketing records 976 of the passenger information/ticketing system 970. Other information, such as biometric records 966, observations information 986, and the like can be obtained by the central resource 934 from other resources.


Prepositioning can be done at various times, such as on a routine basis (e.g., 24 (twenty-four) hours ahead), or periods of low processing and/or low communication (e.g., overnight). Prepositioning of information may occur at discrete times. For example, biographic information and a hash of a facial image are sent at one time while an image of the individual is sent at another time. The foregoing may be done based on a variety of factors, such as data size, based on a predictive factor (inclement weather is forecast, and so on).


Processing, such as the categorization module 918 categorizing an item at a local level, can occur on a local computing resource or on the mobile device itself. For example, as will be described in additional detail below, the prepositioned information may be in a generic form so it is agnostic of one or more of the device, software, or algorithm used to capture or process the data, such as a biometric signature, e.g., positions of “key” facial features. In some examples, the data is agnostic of proprietary algorithms and/or data formats. In other instances, a module in the mobile device or baggage sorter can perform biometric matching in a proprietary format using generic data. If for example, a facial hash (or other information used for categorizing an item) is determined to be corrupt, underlying information, e.g., from a server on the cloud service/local network 964 or the central resource 934, can be retrieved for applying an algorithm to the aggregate observations information in order to attempt to categorize the item with an image captured contemporaneously from an item to be screened.


In some instances, a common carrier or a local environment, such as an airport authority or port authority, provides to and/or responds to requests for information to/from the central resource 934. A variety of information sources can provide additional and/or revised information for storage/processing by the central resource 934, whether initial or otherwise. Manifests and updates to manifest information may be provided by the passenger information/ticketing system 970, and/or requested by the central resource 934, at various predetermined times prior to or commensurate with physical screening processes to permit efficient processing and/or communication of at least some of the information in the manifest. Information received and/or requested by the central resource 934 can include additional or revised information, including deleted or canceled information to a manifest/ticketing records 976, such as the most recent in time manifest information. A common carrier may provide information such as this on an ad hoc or a scheduled basis, to account for changes that occur after the manifest/ticketing records 976 are requested and/or sent, whether an initial, interim, or final manifest/ticketing records 976. Ad hoc communications can be sent based on dynamic timing. An example of the foregoing is a common carrier responsive to an indication that the central resource 934 has available processing and/or communication resources.


In an embodiment, the manifest information and, as applicable, additional or revised data is combined to prepopulate to a local environment, such as a server or cloud on the cloud service/local network 964. While an initial list may represent all, substantially all, or a significant portion (e.g., by data size or data type such as biographic information) of the biographic/biometric information that is to be provided to a local environment, in other instances it may be a portion of the information. The initial list may include, for example, some biographic information with all, substantially all, or a significant portion (e.g., by data size) of the biometric information to be provided for matching individuals.


In embodiments, the initial list is prepositioned for use in a local environment prior to anticipated usage. For example, the central resource 934 communicates at least some biographic information, biometric information, or combinations thereof to a local environment resource on the cloud service/local network 964. In the previous example, the local environment includes a computing resource or a virtualized resource, such as one or more servers that support, for example, a destination airport. The initial list may include the available biometric information, biographic information, or a combination thereof of information that is available for items that are to undergo physical screening processes for a given time period, associated with a particular aspect of travel/flight, or the like. For example, the list includes the biometric and relevant biographic information for passengers and items on a cruise ship. Example biometric information may include one or more of a historical image (e.g., passport photo), biometric facial measurements, an image of a traveler’s fingerprint, information from a retina scan, and so on that can be used to bio-identify an individual.


In some embodiments, a list may also include instructions for the local resource (e.g., server, collection device) to follow. For example, the central resource 934, via the list of instructions, instructs a device to implement a higher screening threshold, collect additional biometric information (e.g., capture all fingerprints, a palm print), ask for biographic information, require additional screening, check for contraband, and so forth.


In embodiments, an initial list is communicated at various points in time prior to the physical screening process. For example, the central resource 934 sends the local resource the initial list 24 (twenty-four) hours prior, approximately 24 (twenty-four) hours prior, or based on one or more of processing resource or communication link availability at or near a predetermined time. In an additional example, an initial list is processed 24 (twenty-four) hours prior to departure, but the information is not communicated until 20 (twenty) hours prior to departure to avoid overwhelming communication links, local resources, based on another priority (e.g., number of individuals on a flight), or combinations thereof.


Prepositioning information, such as by communicating and receiving an initial list to a local environment can result in the information being populated to memory associated with a local environment of the cloud service/local network 964. For instance, information included in the initial list is used to populate a local database that supports a particular airport or collection of airports. This permits the system to position information based on allocable system resources. The foregoing may speed local processing/identification as communication and central processing delays are avoided.


The central resource 934 and/or local resource(s) of the cloud service/local network 964 may use a dataset including biographic and/or biometric information, such as from biometric information resource 960, passenger information/ticketing system 970, and/or aggregate observations resource 980 to categorize an item. Building a data set may occur similar to assembling information associated with an item during routine information handling. This can include encrypting and/or packetizing the data for communication.


In embodiments, the request and/or information to be provided is subject to various processes (e.g., validation, integrity checks) as part of a dataset build process. In some instances, the dataset build process implements additional procedures based on a variety of factors. Example factors include, but are not limited to, type of travel, time to anticipated departure, departure location, destination location, and factors associated with other individuals/items traveling on the vehicle.


In an embodiment, the encrypted and packetized dataset is communicated to the cloud service/local network 964, e.g., a server or cloud service supporting a departure airport. The communication can occur at a predetermined time, based on the prioritization established when the expedited request was received, as resources are available, on a first-in-first-out basis, or based on other factors, such as local resources, security parameters, travel plans of the individual or vehicle on which the individual is to travel, potential disruption to a common carrier, or the like.


Information in an expedited dataset can be used to populate a database in a local environment of the cloud service/local network 964. For example, the information is used by the local server to build a name record that generally mirrors that of the central resource 934. It should be appreciated that the record on the local resource of the cloud service/local network 964 may not include the extent of information that is stored in memory in association with the central resource 934. For example, the central resource 934 includes additional information, such as information associated with a previous trip taken by the individual, or previous routing of a luggage item.


Additionally, the local resource of the cloud service/local network 964 can accept changes to information that is promulgated back to the central resource 934 at a predetermined time or on the occurrence of an event, e.g., availability of resources. For example, in response to submission of an address change, but for an individual whose information otherwise meets a predetermined threshold, the updated information for the individual and his/her associated items is communicated to the central resource 934 for inclusion in the database. In another example, an individual’s facial image or facial recognition or tracking information is automatically added to the record 912 of the central resource 934 to better identify a passport held as he/she ages for the period of time his/her passport is valid. In this way, so long as a child/young adult makes use of a system employing the method his/her passport life may be extended with the provision that entry/exit is limited to times when updated images or facial recognition or tracking information are available.


In embodiments, central resource 934 and/or a local resource (a local server, collection devices, etc. on the of the cloud service/local network 964) can set a flag on, for example, a name/label record including one or more pieces of information for a specific individual/item. For example, the central resource 934 sets a flag on a record 912 that is being released (e.g., used) to a local resource of the cloud service/local network 964. In this manner, the flag is in place until the local resource of the cloud service/local network 964 releases the flag or the central resource 934 does so on its behalf, e.g., if no other local resources can make use of the name record. Thus, if for some reason the local resource of the cloud service/local network 964 loses communication with the central resource 934, the system (via the flag) ensures that record 912 cannot be reused while communication is unavailable. The local resource of the cloud service/local network 964 that sets the flag can use the information included in the initial list from the record to match an item to its information as reflected in the record 912 on the central resource 934. Such a decision may be a provisional decision that is electronically ratified once communication is reestablished with the central resource 934. The local resource of the cloud service/local network 964 and central resource 934 can reconcile their information once communication is restored or thereafter based on factors including priority, communication and processing resources, and the like. In other instances, upon a communication lapse between the central resource 934 and the local resource that has been populated with information, the local resource of the cloud service/local network 964 (server, collection device, and so on) is programmed to not categorize an individual until communication is reestablished or it may do so provisionally.


The central resource 934 can generate a final database record that includes information from the various resources and categorization processes. The final database record may identify information for items that are, e.g., traveling on a particular vehicle, associated with a particular flight, etc. In some embodiments, in addition to identifying those people and items that were loaded, the database 914 includes a final version of the manifest 942 that includes, or the information generated during screening is otherwise associated with, the manifest 942 and/or an item associated with the manifest 942. For example, facial recognition or tracking information for a lap infant is associated with the individual with whom the infant is traveling, e.g., the parent or legal guardian. Thus, the database 914 can include relational information from screening and/or the mode of travel (flight) can be associated with the item. An example of the latter information is information that associated an item with screening or travel information that is not directly associated with the item itself. In the illustrated embodiment, the cloud service electronically communicates final record, or data composing at least a portion of a record, to the central resource 934 as part of a closeout procedure with the central resource 934. The central resource 934 can release the flag as part of this or responsive successful closeout.


In embodiments, the system may, responsive to receipt of information, determine based on the information which category of a plurality of categories an item is to be associated for a physical screening process to be performed in which respective categories correspond to different thresholds applied in the physical screening process; responsive to receipt of information corresponding to a time-based priority of the item, determine an area that corresponds to the category and the priority information, to screen the item in the physical screening process to the threshold associated with the category, wherein the physical screening process of the determined area is determined to have an estimated completion time consistent with the priority information; and electronically communicate information for the determined area to an electronic device configured to direct the item to the area so the item is screened in the physical screening process to the threshold associated with the category within the estimated completion time consistent with the priority information.


The various network 220, network 320, cloud service/local network 964, as illustrated throughout the drawings and described in other locations throughout this disclosure, can comprise any suitable type of network such as the Internet or a wide variety of other types of networks and combinations thereof. For example, the network may include a wide area network (WAN), a local area network (LAN), a wireless network, an intranet, the Internet, a combination thereof, and so on. Further, although a single network is shown in FIG. 2A (or in other figures), the network 220 can be configured to include multiple networks.


Computer storage media and/or memory includes volatile and non-volatile, removable and non-removable media and memory implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules, or other data. Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a mobile device, computer, server, and so forth. For example, instructions embodying an application or program are included in one or more computer-readable storage media, such as tangible media, that store the instructions in a non-transitory manner.


Various techniques are described herein in the general context of software or program modules. Generally, software includes routines, programs, objects, components, data structures, and so forth that perform particular tasks or implement particular abstract data types. An implementation of these modules and techniques may be stored on or transmitted across some form of computer readable media. Computer readable media can be any available medium or media that can be accessed by a computing device. By way of example, and not limitation, computer readable media may comprise “computer storage media.”


Conclusion

Certain attributes, functions, steps of methods, or sub-steps of methods described herein are associate with physical structures or components, such as a module of a physical device, that in implementations in accordance with this disclosure make use of instructions (e.g., computer executable instructions) that are embodied in hardware, such as an application specific integrated circuit, computer-readable instructions that cause a computer (e.g., a general-purpose computer) executing the instructions to have defined characteristics, a combination of hardware and software such as processor implementing firmware, software, and so forth such as to function as a special purpose computer with the ascribed characteristics.


For example, in embodiments a module comprises a functional hardware unit (such as a self-contained hardware or software or a combination thereof) designed to interface the other components of a system such as through use of an API. In embodiments, a module is structured to perform a function or set of functions, such as in accordance with a described algorithm. That this disclosure implements nomenclature that associates a particular component or module with a function, purpose, step, or sub-step is used to identify the structure, which in instances includes hardware and/or software that function for a specific purpose. Invocation of 35 U.S.C. § 112(f) will be accomplished through use of ubiquitous and historically recognized terminology for this purpose. The structure corresponding to the recited function being understood to be the structure corresponding to that function and the equivalents thereof permitted to the fullest extent of this written description, which includes the accompanying claims and the drawings as interpreted by one of skill in the art.


Although the subject matter has been described in language specific to structural features and/or methodological steps, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or steps described. Rather, the specific features and steps are disclosed as example forms of implementing the claimed subject matter. Although headings are used for the convenience of the reader, these are not to be taken as limiting or restricting the systems, techniques, approaches, methods, devices to those appearing in any particular section. Rather, the teachings and disclosures herein can be combined, rearranged, with other portions of this disclosure and the knowledge of one of ordinary skill in the art. It is the intention of this disclosure to encompass and include such variation.

Claims
  • 1. A method, comprising: receiving distributed sensing information on one or more characteristics associated with a subject from one or more sensors of a plurality of distributed sensors distributed between a starting location spaced from a resolution location and the resolution location, the distributed sensing information on the one or more characteristics being obtained from the one or more sensors observing a plurality of candidate subjects including the subject;if the subject is sensed by the plurality of distributed sensors, in combination without any break in chain of custody (“COC”) as the subject moves from the starting location to the resolution location, not adjusting a reliability of the distributed sensing information caused by any break in COC;if there are one or more time gaps in the COC as the subject moves from the starting location to the resolution location, determining one or more COC factors based on the one or more time gaps in the COC and adjusting the reliability of the distributed sensing information caused by the one or more time gaps in the COC based on the one or more COC factors;determining a trust score of the subject to assess security concern of the subject based on the distributed sensing information and the reliability of the distributed sensing information; andresolving the security concern of the subject based on the trust score of the subject.
  • 2. The method of claim 1, wherein the trust score of the subject is determined without using personal identity information associated with the subject.
  • 3. The method of claim 1, wherein each COC factor is determined based on one or more of: a length of any of the one or more time gaps in the COC,a change in the distributed sensing information after any one time gap of the one or more time gaps in the COC as compared to the distributed sensing information before said any one time gap,an extent of the change,a total number of changes in the distributed sensing information from the starting location and the resolution location,a total length of the one or more time gaps in the COC,the total length of the one or more time gaps in the COC as a percentage of a total time from the starting location and the resolution location, anda total number of the one or more time gaps.
  • 4. The method of claim 1, wherein a COC factor is determined for each corresponding time gap of the one or more time gaps and used to adjust the reliability of the distributed sensing information immediately before the corresponding time gap.
  • 5. The method of claim 1, wherein a COC factor is determined for each corresponding time gap of the one or more time gaps and used to adjust the reliability of all the distributed sensing information before the corresponding time gap.
  • 6. The method of claim 1, further comprising adjusting the reliability of the distributed sensing information, for any given period of time between the starting location and the resolution location, to obtain an adjusted reliability based on one or more of: reliability of each sensor of the distributed sensors used to collect the distributed sensing information,quality of the distributed sensing information, andwhether the distributed sensing information is collected by one sensor or multiple sensors of the plurality of distributed sensors over the given period of time.
  • 7. The method of claim 6, further comprising: determining the trust score of the subject to assess security concern of the subject based on the distributed sensing information and the adjusted reliability of the distributed sensing information.
  • 8. The method of claim 1, wherein resolving the security concern of the subject based on the trust score of the subject comprises: performing targeted screening of the subject at the resolution location based on the trust score of the subject.
  • 9. The method of claim 8, further comprising: comparing the trust score of the subject to a plurality of targeted screening thresholds to determine which category of a plurality of categories is to be associated with the subject for a targeted screening process to be performed; andelectronically communicating information for the category associated with the subject to an electronic device, to direct the subject to a location of the resolution location which corresponds to the category, for performing the targeted screening process of the subject corresponding to the category.
  • 10. The method of claim 9, further comprising setting the plurality of targeted screening thresholds based on one or more of: the starting location and the resolution location,physical layout of venue which includes the starting location and the resolution location,calendar date of year,time of day,volume of candidate subjects being observed by the distributed sensors,current events, andrecent security threats.
  • 11. The method of claim 1, wherein the distributed sensing information of the subject includes tracking information obtained by tracking the one or more characteristics of the subject with the one or more distributed sensors as the subject moves from the starting location to the resolution location;wherein the distributed sensing information includes tracking information obtained by tracking the one or more characteristics of the subject as the subject moves from the starting location to the resolution location; andwherein the trust score of the subject to assess security concern of the subject is determined based on the distributed sensing information and the reliability of the distributed sensing information including the tracking information obtained by tracking the one or more characteristics of the subject as the subject moves from the starting location to the resolution location.
  • 12. The method of claim 11, wherein the tracking information of the subject includes information of at least one of movement tracking or video tracking or facial tracking of the one or more characteristics of the subject as the subject moves from the starting location to the resolution location.
  • 13. The method of claim 11, wherein the tracking information of the subject is obtained by overlapping tracking of the one or more characteristics of the subject by the plurality of distributed sensors as the subject moves from the starting location to the resolution location.
  • 14. The method of claim 11, wherein the tracking information of the subject is obtained by anonymous tracking of the one or more characteristics of the subject, without associating the tracking information with an identity of the subject, as the subject moves from the starting location to the resolution location.
  • 15. The method of claim 11, wherein the tracking information of the subject is obtained by anonymous tracking of the one or more characteristics of the subject by assigning a unique ID to the subject and associating the tracking information with the unique ID, without associating the tracking information with an identity of the subject, as the subject moves from the starting location to the resolution location.
  • 16. A system comprising a memory and a processor which is programmed to: receive distributed sensing information on one or more characteristics associated with a subject from one or more sensors of a plurality of distributed sensors distributed between a starting location spaced from a resolution location and the resolution location, the distributed sensing information on the one or more characteristics being obtained from the one or more sensors observing a plurality of candidate subjects including the subject;if the subject is sensed by the plurality of distributed sensors, in combination without any break in chain of custody (“COC”) as the subject moves from the starting location to the resolution location, not adjust a reliability of the distributed sensing information caused by any break in COC;if there are one or more time gaps in the COC as the subject moves from the starting location to the resolution location, determine one or more COC factors based on the one or more time gaps in the COC and adjust the reliability of the distributed sensing information caused by the one or more time gaps in the COC based on the one or more COC factors;determine a trust score of the subject to assess security concern of the subject based on the distributed sensing information and the reliability of the distributed sensing information; andresolve the security concern of the subject based on the trust score of the subject.
  • 17. The system of claim 16, wherein the trust score of the subject is determined without using personal identity information associated with the subject.
  • 18. The system of claim 16, wherein each COC factor is determined based on one or more of: a length of any of the one or more time gaps in the COC,a change in the distributed sensing information after any one time gap of the one or more time gaps in the COC as compared to the distributed sensing information before said any one time gap,an extent of the change in sensing information of one or more sensors,a total number of changes in the distributed sensing information from the starting location and the resolution location,a total length of the one or more time gaps in the COC,the total length of the one or more time gaps in the COC as a percentage of a total time from the starting location and the resolution location, anda total number of the one or more time gaps.
  • 19. The system of claim 16, wherein a COC factor is determined for each corresponding time gap of the one or more time gaps and used to adjust the reliability of the distributed sensing information immediately before the corresponding time gap.
  • 20. The system of claim 16, wherein a COC factor is determined for each corresponding time gap of the one or more time gaps and used to adjust the reliability of all the distributed sensing information before the corresponding time gap.
  • 21. The system of claim 16, wherein the processor is further programmed to adjust the reliability of the distributed sensing information, for any given period of time from the starting location to the resolution location, to obtain an adjusted reliability based on one or more of: reliability of each sensor of the distributed sensors used to collect the distributed sensing information,quality of the distributed sensing information, andwhether the distributed sensing information is collected by one sensor or multiple sensors of the plurality of distributed sensors over the given period of time.
  • 22. The system of claim 16, wherein the processor is further programmed to: determine the trust score of the subject to assess security concern of the subject based on the distributed sensing information and the adjusted reliability of the distributed sensing information.
  • 23. The system of claim 16, wherein resolving the security concern of the subject based on the trust score of the subject comprises: performing targeted screening of the subject at the resolution location based on the trust score of the subject.
  • 24. The system of claim 23, wherein performing targeted screening of the subject comprises: comparing the trust score of the subject to a plurality of targeted screening thresholds to determine which category of a plurality of categories is to be associated with the subject for a targeted screening process to be performed; andelectronically communicating information for the category associated with the subject to an electronic device, to direct the subject to a location of the resolution location which corresponds to the category, for performing the targeted screening process of the subject corresponding to the category.
  • 25. The system of claim 24, wherein the processor is further programmed to set the plurality of targeted screening thresholds based on one or more of: the starting location and the resolution location,physical layout of venue,calendar date of year,time of day,volume of candidate subjects being observed by the distributed sensors,current events, andrecent security threats.
  • 26. A tangible computer-readable storage medium configured to store processorexecutable instructions that when executed by a processor cause a processor to: receive distributed sensing information on one or more characteristics associated with a subject from one or more sensors of a plurality of distributed sensors distributed between a starting location spaced from a resolution location and the resolution location, the distributed sensing information on the one or more characteristics being obtained from the one or more sensors observing a plurality of candidate subjects including the subject;if the subject is sensed by the plurality of distributed sensors, in combination without any break in chain of custody (“COC”) as the subject moves from the starting location to the resolution location, not adjust a reliability of the distributed sensing information caused by any break in COC;if there are one or more time gaps in the COC as the subject moves from the starting location to the resolution location, determine one or more COC factors based on the one or more time gaps in the COC and adjust the reliability of the distributed sensing information caused by the one or more time gaps in the COC based on the one or more COC factors;determine a trust score of the subject to assess security concern of the subject based on the distributed sensing information and the reliability of the distributed sensing information; andresolve the security concern of the subject based on the trust score of the subject.
  • 27. The tangible computer-readable storage medium of claim 26, wherein the trust score of the subject is determined without using personal identity information associated with the subj ect.
  • 28. A method, comprising: sensing one or more anonymous characteristics of a subject with a plurality of distributed sensors;assessing risk information using information on one or more anonymous characteristics associated with the subject from one or more sensors of the distributed sensors between a starting sensor location spaced from a final sensor resolution location;establishing a chain of custody (COC) risk factor based on sensor data corresponding to the anonymous characteristics of the subject;adjusting the COC risk factor based on discrepancies in the COC using data collected in the distributed sensors corresponding to the anonymous characteristics of the subj ect;maintaining the COC risk factor in accordance with risk thresholds set for discrepancies in the COC;if there are one or more discrepancies in the COC, determining one or more COC factors based on the one or more discrepancies in the COC and adjusting reliability of the distributed sensing information caused by the one or more discrepancies in the COC based on the one or more COC factors;determining a trust score of the subject to assess security concern of the subject based on the distributed sensing information and the reliability of the distributed sensing information; andadjusting a security response of the subject based on the trust score of the subject using anonymous characteristics of the subject.
  • 29. The method of claim 28, wherein each COC factor is determined based on the one or more of discrepancies.
  • 30. The method of claim 29, wherein the one or more discrepancies comprise any of: a length of any of one or more time gaps in the COC,a change in the distributed sensing information after any one time gap of the one or more time gaps in the COC as compared to the distributed sensing information before said any one time gap,an extent of the change in sensing information between one or more sensors,a total number of changes in the distributed sensing information from the starting sensor location and the final sensor resolution location,a total length of the one or more time gaps in the COC,the total length of the one or more time gaps in the COC as a percentage of a total time from the starting sensor location and the final sensor resolution location, anda total number of the one or more time gaps.
CROSS-REFERENCE TO RELATED APPLICATIONS

The application is a nonprovisional of and claims the benefit of priority from U.S. Provisional Pat. Application No. 63/307,855, filed on Feb. 8, 2022, entitled ANONYMOUS SCREENING WITH CHAIN OF CUSTODY SENSOR INFORMATION, which is incorporated herein by reference in its entirety. This application is a continuation-in-part of U.S. Pat. Application No. 17/729,763, filed on Apr. 26, 2022, which is a nonprovisional of and claims the benefit of priority from U.S. Provisional Pat. Application No. 63/307,855 referenced above and from U.S. Provisional Pat. Application No. 63/192,603, filed on May 25, 2021, entitled CAUSAL RELATIONSHIP SECURITY SCREENING BASED ON DISTRIBUTED SENSING, the entire disclosures of which are incorporated herein by reference.

SUMMARY STATEMENT OF GOVERNMENT INTEREST

The present invention was made by employees of the United States Department of Homeland Security in the performance of their official duties. The U.S. Government has certain rights in this invention.

Provisional Applications (3)
Number Date Country
63307855 Feb 2022 US
63307855 Feb 2022 US
63192603 May 2021 US
Continuation in Parts (1)
Number Date Country
Parent 17729763 Apr 2022 US
Child 18106760 US