Devices and methods herein generally relate to machines having print engines such as printers and/or copier devices and, more particularly, to devices and methods for controlling production and reproduction of documents containing sensitive information by automatic redaction using an account-administered lexicon of sensitive words/phrases and personal names.
Individuals are often comfortable dealing with documents in hardcopy format. In general, hardcopy documents are easier to read, handle, and store than documents kept in the digital domain. However, control of document reproduction and dissemination is a concern because copies of documents containing sensitive information can be easily transmitted from person to person. As such, there is a risk of documents containing sensitive information being reproduced innocently or illicitly by persons without authorization.
In an ever-increasing awareness of the need to keep secure data and Person Identifiable Information (PII) away from intentional or unintentional prying eyes, the need to mask/remove certain elements of secure information, such as code names, customer names, personal names, etc., has become a vital reality. Methods exist to limit the usefulness of unauthorized copying of documents. The emergence of electronic document processing systems has enhanced significantly the functional utility of plain paper and other types of hardcopy documents. Current approaches to dealing with security of electronic document processing systems are heavily human-centered, requiring users to be careful what terms and names they expose as they print, scan, and/or copy documents, as well as limiting exposing secure items in job queues and reports.
While some drivers allow for masking job names or personal names and some printers can be set up to mask/delete all job names or personal names, the effectiveness of current approaches is based on the user setting it up, remembering to use it, and having the masks carry over into usage reports, etc. Additionally, in long job queues, just masking the entire job name for several jobs leads to end users not being able to tell which job is which.
In another approach, human readable information on a document is supplemented by writing appropriate machine readable digital data on the document to control selective exposure of sensitive information. The machine readable digital data enables the hardcopy document to actively interact with certain document processing systems when the document is scanned into the system by an ordinary input scanner.
However, prior attempts to control reproduction offer access that is all or nothing. Once access is granted, it cannot be controlled in any other way. This makes it difficult to control who should have access to the information contained within the document. Prior attempts are limited in that once access is granted, the entire document is decoded. More to the point, the images the user prints, scans, or copies may be filled with sensitive terms or PII, which can be recopied, re-emailed, and/or re-scanned ad infinitum. These terms or PII may even be protected by law and come with significant penalties for unauthorized exposure.
A need exists for a device and method that controls the production and reproduction of sensitive information and PII by restrictions associated with policies incorporated in an account-administered lexicon of sensitive words/phrases and personal names.
According to devices and methods herein, a document output device, such as a Multi-Function Device (MFD), can be set up to redact or mask text or names that represent sensitive information. By using a lexicon or directory, an administrator of the device can configure the device to protect certain data that may be printed, displayed at a User Interface (UI), or transmitted off the device. A general lexicon of mask words can be established according to policy guidelines. At an output device, the mask words in the general lexicon can be changed to create a local lexicon. Devices and methods herein help to avoid user error by setting up the device to automatically detect the sensitive data and redact it or substitute non-sensitive text. The methodology can be extended to allow personal configuration settings and policies to protect additional text and names using a modified local lexicon.
In operation, corporate policies can be established to protect against disclosure of sensitive information and names, whether such disclosure is inadvertent or willful. A general lexicon, directory, or database of words, phrases, titles, and names can be set up by an administrator, so that each user does not even need to be aware of corporate policies. The administrator can also change the mask words in the general lexicon at an output device to create a local lexicon for use by specific output devices or specific users.
According to an exemplary apparatus herein, the apparatus includes a processor, a printing device, a user interface, and an input/output device. The printing device is in communication with the processor. The user interface is in communication with the processor. The input/output device is in communication with the processor and with a computerized network external to the apparatus. The processor is adapted to maintain a general lexicon containing mask words. The processor is adapted to provide, through the user interface and the computerized network, options to change the mask words in the general lexicon to create a local lexicon. The processor is adapted to redact the mask words in the local lexicon from at least one of: printed items; items displayed on the user interface; systems that report on device usage; and items provided to the computerized network through the input/output device.
An exemplary printing device herein includes an input device receiving a job for printing or scanning. The job includes a document that may be an electronic document. A processor is operatively connected to the input device. A user interface is operatively connected to the processor. A data transfer device is in communication with the processor and with a computerized network external to the printing device. A marking device is operatively connected to the processor. The processor is adapted to maintain a general lexicon containing mask words. The processor is adapted to provide, through the user interface and the computerized network, options to change the mask words in the general lexicon to create a local lexicon. The processor is adapted to redact the mask words in the local lexicon from the document to create a modified document. The marking device is adapted to print the modified document. The data transfer device is adapted to send the modified document to a storage device or another network connected device. The storage device is adapted to store the modified document.
According to an exemplary method herein, a job is received into a computerized device. The job includes an electronic document. A selection for a general lexicon containing mask words, which is maintained by a processor of the computerized device, is displayed on a user interface of the computerized device. Input is received into the user interface to define a local lexicon from the general lexicon of mask words. The local lexicon is created by changing the mask words in the general lexicon of mask words. The local lexicon is used to redact words from the electronic document to create a modified document. The modified document is output from the computerized device.
These and other features are described in, or are apparent from, the following detailed description.
Various examples of the devices and methods are described in detail below, with reference to the attached drawing figures, which are not necessarily drawn to scale and in which:
For a general understanding of the features of the disclosure, reference is made to the drawings. In the drawings, like reference numerals have been used throughout to identify identical elements. While the disclosure will be described hereinafter in connection with specific devices and methods thereof, it will be understood that limiting the disclosure to such specific devices and methods is not intended. On the contrary, it is intended to cover all alternatives, modifications, and equivalents as may be included within the spirit and scope of the disclosure as defined by the appended claims.
As used herein, an image forming device can include any device for rendering an image on print media, such as a copier, laser printer, bookmaking machine, facsimile machine, or a multifunction machine (which includes one or more functions such as scanning, printing, archiving, emailing, and faxing). “Print media” can be a physical sheet of paper, plastic, or other suitable physical print media substrate for carrying images. A “job”, “print job”, or “document” is referred to for one or multiple sheets copied from an original print job sheet(s) or an electronic document page image, from a particular user, or otherwise related. An original image is used herein to mean an electronic (e.g., digital) or physical (e.g., paper) recording of information. In its electronic form, the original image may include image data in a form of text, graphics, or bitmaps.
As would be known by one skilled in the art, a raster image processor is a component used in a printing system that produces a raster image, also known as a bitmap. The bitmap is then sent to a printing device for output. Raster image processing is the process that turns the job input information into a high-resolution raster image. The input may be a page description using a page description language (PDL) of higher or lower resolution than the output device. In the latter case, the RIP applies either smoothing or interpolation to the input bitmap to generate the output bitmap.
To print an image, a print engine processor, sometimes referred to herein as an image processor, converts the image in a page description language or vector graphics format to a bit mapped image indicating a value to print at each pixel of the image. Each pixel may represent a dot, also called a picture element. The sequence of dots forming a character is called a raster pattern. The number of dots per inch that a printer generates is called the print resolution, or density. A resolution of 240 pixels means that a printer prints 240 pixels per inch both vertically and horizontally, or 57,306 pixels per square inch (240×240).
As used herein, a “pixel” refers to the smallest segment into which an image can be divided. Each bit representing a pixel that is “on” is converted to an electronic pulse. The electronic pulses generated from the raster pixel data at which to deposit toner turn the laser beam on to positively charge the surface of a rotating drum, which is an organic photo-conducting cartridge (OPC) that has a coating capable of holding an electrostatic charge. The laser beam turns on and off to beam charges at pixel areas on a scan line across the drum that will ultimately represent the output image. After the laser beam charges all pixels on the scan line indicated in the raster data, the drum rotates so the laser beam can place charges on the next scan line. The drum with the electrostatic positive charges then passes over negatively charged toner. The negatively charged toner is then attracted to the positively charged areas of the drum that form the image. The paper, which is negatively charged, passes over the roller drum and attracts the toner as the areas of the roller drum with the toner are positively charged to transfer the toner forming the image from the roller drum to the paper.
Thus, an input device is any device capable of obtaining pixel values from an image. The set of image input devices is intended to encompass a wide variety of devices such as, for example, digital document devices, computer systems, memory and storage devices, networked platforms such as servers and client devices which can obtain pixel values from a source device. An image output device is any device capable of rendering the image. The set of image output devices includes digital document reproduction equipment and other copier systems as are widely known in commerce, photographic production and reproduction equipment, monitors and other displays, computer workstations and servers, including a wide variety of marking and image-sending or storage devices, and the like. To render an image is to reduce the image data (or a signal thereof) to viewable form; store the image data to memory or a storage device for subsequent retrieval; or communicate the image data to another device. Such communication may take the form of transmitting a digital signal of the image data over a network.
Referring now to the drawings,
The administrative user can set up the device, by policy, to identify and mask recognizable series of letters or numbers (e.g., Social Security Number sequences (3 digits-2 digits-4 digits)). Such known sequences could be recognized and automatically masked in scans/prints/held jobs. In some cases, the masking process could be set up to print only the last 4 digits and mask the rest.
Still referring to
In other words, a user with administrative privileges sets up the output device according to policies, such as a policy that all personal names and text being printed or scanned (through text recognition) are checked against an account-administered lexicon of sensitive words/phrases and personal names. If sensitive text/phrases or personal names that are listed in the lexicon/directory are contained in a copy, scan, or print job, then those words/phrases and personal names are automatically rendered unreadable via masking or blanking on copied, scanned, or printed output if designed to do so and set up by policy.
Similarly, devices and methods herein can be used to render personal names and text unreadable before a report is generated and before such information is displayed on the local or web user interfaces for the output device. Devices and methods herein could allow an end user to delete Personal Name or File Name or a record from the Web UI and/or device logs at the same time. Further, devices and methods herein can be used to prevent selected personal names or text from being shared via bi-directional communication with client devices or other communication channels.
Referring now to
According to devices and methods herein, the masking process could be set up to replace redacted words or names with a more generic or less security-sensitive word or name. For example, in a document that uses the proper name of a corporate executive, instead of masking it (****), the processor inserts, for example “Corporate CEO”. In a similar fashion, the same functionality could be used to update all data transmissions when a universal change is implemented. (e.g., Company A is bought out by Company X). Devices and methods herein could be used to always automatically change the old Company A name to ‘Company X’ in all copies, prints and scans going through an output device.
In some cases, the administrative user could set up policies based on level of clearance. This could be useful for ‘group’ mail, distribution lists, etc. For example, scans sent to lower clearance addresses could contain redactions that higher-level clearance recipients are not subject to.
In some cases, the administrative user can schedule removal of words and names in the lexicon and directory; for example, the device can be set up to remove all personal names and job names that match entries in the lexicon and directory from the device queues and reports at the end of each business day. A feature can be added, such as “Clear my info”, so that before an end user walks away from the output device (either by policy or a user selection of a button on a clear all or logout confirmation screen) PII is removed or deleted. In some cases, the end user can be queried if he/she wants to remove the record of their session upon logging out. Such feature can be combined with personalization to allow end users to protect their name and information.
According to devices and methods herein, a policy could be set up based on time of day or day of week. For example, held jobs printed after a certain time (e.g., 5 pm) must redact sensitive words and personal names.
Using similar methodology, a user with administrative privileges could set up a device to prevent selected personal names or text from being shared via bi-directional communication with client devices or other communication channels, according to appropriate policies. Indeed, policies can allow a device to automatically populate the directory from LDAP (Lightweight Directory Access Protocol), which is an open and cross-platform protocol used for directory services authentication, as would be known by one of ordinary skill in the art.
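The lexicon policies described above (a local lexicon derived from the general one, masking versus substitution, SSN-pattern masking that keeps the last four digits, and clearance-level and time-of-day rules) applied to recognized text, as an added Python example that is not part of the original disclosure. The lexicon entries, the numeric clearance levels, the default 5 pm cutoff, and all function names are assumptions made for illustration.

```python
import re
from datetime import time

MASK = "****"  # fixed width, so the mask does not reveal the term's length

# Constructed general lexicon (hypothetical terms): term -> replacement.
# A replacement of None means "mask"; a string means "substitute".
GENERAL_LEXICON = {
    "Jane Roe": "Corporate CEO",
    "Project Falcon": None,
    "Company A": "Company X",
}

# 3 digits - 2 digits - 4 digits, not embedded in a longer digit run.
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-(\d{4})(?!\d)")


def make_local_lexicon(general, add=None, remove=()):
    """Derive a device-local lexicon without mutating the general one."""
    dropped = {t.lower() for t in remove}
    local = {t: r for t, r in general.items() if t.lower() not in dropped}
    local.update(add or {})
    return local


def _compile(lexicon):
    """Build one alternation: longest term first, any case, any whitespace."""
    by_key = {" ".join(t.lower().split()): r for t, r in lexicon.items()}
    by_key.pop("", None)  # an empty term would match everywhere
    if not by_key:
        return None, by_key
    parts = [
        r"\s+".join(re.escape(word) for word in key.split(" "))
        for key in sorted(by_key, key=len, reverse=True)
    ]
    # The lookarounds stop "Company A" from matching inside "Company Alpha".
    pattern = re.compile(r"(?<!\w)(?:" + "|".join(parts) + r")(?!\w)", re.IGNORECASE)
    return pattern, by_key


def redact_text(text, lexicon, keep_ssn_last4=True):
    """Return (redacted_text, number_of_redactions)."""
    count = 0
    pattern, by_key = _compile(lexicon)

    def lex_sub(match):
        nonlocal count
        count += 1
        key = " ".join(match.group(0).lower().split())
        return by_key.get(key) or MASK

    def ssn_sub(match):
        nonlocal count
        count += 1
        return "***-**-" + (match.group(1) if keep_ssn_last4 else "****")

    if pattern is not None:
        text = pattern.sub(lex_sub, text)
    return SSN_RE.sub(ssn_sub, text), count


def redact_for_output(text, lexicon, clearance, now,
                      exempt_clearance=3, cutoff=time(17, 0)):
    """Apply the clearance and time-of-day rules (assumed parameters).

    Recipients at or above exempt_clearance receive lexicon terms unredacted,
    except at or after the cutoff, when every output is redacted.
    SSN-style sequences are masked for everyone.
    """
    must_redact = clearance < exempt_clearance or now >= cutoff
    return redact_text(text, lexicon if must_redact else {})


# Constructed sample: recognized text with a line break inside a name,
# an upper-cased term, a near-miss ("Company Alpha"), and an SSN-style number.
SAMPLE = ("Memo from Jane\nRoe: PROJECT FALCON moves from Company A to "
          "Company Alpha. Contact SSN 123-45-6789.")

if __name__ == "__main__":
    print(redact_text(SAMPLE, GENERAL_LEXICON))
    print(redact_for_output(SAMPLE, GENERAL_LEXICON, clearance=4, now=time(10, 0)))
```

Matching across line breaks and letter case matters for scanned input, where text recognition can split or re-case a listed name; an exact-string lookup would let those variants through unredacted.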
Database 409 includes any database or any set of records or data that the computerized device 406 desires to retrieve. Database 409 may be any organized collection of data operating with any type of database management system. The database 409 may contain matrices of datasets comprising multi-relational data elements. According to devices and methods herein, the database 409 may contain a lexicon of sensitive words/phrases and personal names.
The database 409 may communicate with the computerized device 406 directly. Alternatively, the database 409 may communicate with the computerized device 406 over network 412. The network 412 comprises a communication network either internal or external, for affecting communication between the computerized device 406 and the database 409.
The input/output device 517 may include a data transfer device and is used for communications to and from the computerized device 406. The input/output device 517 may comprise a wired device or wireless device (of any form, whether currently known or developed in the future). The processor 514 controls the various actions of the computerized device. A non-transitory, tangible, computer storage medium device 523 (which can be optical, magnetic, capacitor based, etc., and is different from a transitory signal) is readable by the processor 514 and stores instructions that the processor 514 executes to allow the computerized device to perform its various functions, such as those described herein. For example, according to devices and methods herein, the processor 514 may be adapted to maintain a general lexicon of mask words. Further, the processor 514 may be adapted to provide, through the user interface 520, options to change the mask words in the general lexicon to create a local lexicon.
Thus, as shown in
The controller/processor 514 controls the various actions of the MFD 605, as described below. A non-transitory computer storage medium device 523 (which can be optical, magnetic, capacitor based, etc.) is readable by the controller/processor 514 and stores instructions that the controller/processor 514 executes to allow the MFD 605 to perform its various functions, such as those described herein.
According to devices and methods herein, the controller/processor 514 may comprise a special purpose processor that is specialized for processing image data and includes a dedicated processor that would not operate like a general purpose processor because the dedicated processor has application specific integrated circuits (ASICs) that are specialized for the handling of image processing operations, processing image data, calculating pixel values, etc. In one example, the MFD 605 is a special purpose machine that includes a specialized image processing card having unique ASICs for providing image processing, includes specialized boards having unique ASICs for input and output devices to speed network communications processing, a specialized ASIC processor that performs the logic of the methods described herein using dedicated unique hardware logic circuits, etc. It is contemplated that the controller/processor 514 may comprise a raster image processor (RIP). A raster image processor uses the original image description to RIP the print job. Accordingly, the print instruction data is converted to a printer-readable language. The print job description is generally used to generate a ready-to-print file. The ready-to-print file may be a compressed file that can be repeatedly accessed for multiple (and subsequent) passes.
Thus, as shown in
The MFD 605 herein has a media supply 614 supplying media to a media path 617. The media path 617 can comprise any combination of belts, rollers, nips, drive wheels, vacuum devices, air devices, etc. The print engine(s) 608 is positioned along the media path 617. That is, the multi-function device 605 comprises a document-processing device having the print engine(s) 608. The print engine(s) 608 prints marks on the media. After receiving various markings from the print engine(s) 608, the sheets of media can optionally pass to a finisher 620 which can fold, staple, sort, etc., the various printed sheets. As described herein, a return paper path 623 may deliver the printed sheets to the same or different print engine 608 for at least a second layer of toner/ink to be applied. Each return of the media to the print engine 608 is referred to herein as a “pass”.
The print engine(s) 608 may be any device capable of rendering the image. The set of marking devices includes, but is not limited to, digital document reproduction equipment and other copier systems, as are widely known in commerce, photographic production and reproduction equipment, monitors and other displays, computer workstations and servers, including a wide variety of marking devices, and the like. That is, the one or more print engines 608 are intended to illustrate any marking device that applies a marking material (toner, inks, etc.) to continuous media or sheets of media, whether currently known or developed in the future and can include, for example, devices that use a photoreceptor belt or an intermediate transfer belt, or devices that print directly to print media (e.g., inkjet printers, ribbon-based contact printers, etc.).
A Digital Front End (DFE) 626 may be connected to the processor 514 of the MFD 605. The DFE 626 prepares and processes a job for the print engine(s) 608 and may include one or more RIPs (raster image processors) that render from a page description language (PDL) such as PostScript, PDF or XPS to a raster: a pixel-based representation of the page suitable for delivery to the print heads of the print engine(s) 608. The DFE 626 is able to load files from various sources on a network, such as shown in
In addition, the MFD 605 can include at least one accessory functional component, such as a scanner/document handler 629, automatic document feeder (ADF), etc. that operate on the power supplied from the external power source 529 (through the power supply 532). The scanner/document handler 629 is adapted to scan pages for copying or entering into a file. The processor 514 is adapted to automatically redact mask words in the local or general lexicon from at least one of: printed items; items displayed on the user interface 520; and items provided to the networks through the input/output device 517.
In other words, the Multi-Function Device (MFD) 605 can print, send, and store images. That is, the MFD 605 can perform printing from the scanner (e.g., copying), from a client, from a storage device (e.g., attached via a USB cable or flash drive), from a smart phone (e.g., through Bluetooth) and even from the user's access card. The MFD 605 can also send data to other places electronically via phone lines (e.g., Fax), email, directly to clients or other multi-function devices (e.g., Network Scanning), other servers, and to storage (e.g., Cloud storage, mainframes, etc.). Additionally, the MFD 605 is often equipped with its own storage capability, in addition to the non-transitory computer storage medium device 523. According to devices and methods herein, the MFD 605 can enable automatic redaction of mask words in the lexicon on all functions and communications from the MFD 605.
As would be understood by those ordinarily skilled in the art, the multi-function device 605 shown in
As shown in
The processing described herein can be performed by one machine individually or by a combination of machines acting together. For example, the MFDs 605 can individually perform all functions described above in a stand-alone manner. Alternatively, the processing described above as being performed by the processor and some of the user interface display operations can be performed by various ones of the computerized devices 406, with the scanning process being performed by the MFDs 605 or stand-alone scanners.
Referring now to
Now referring to
According to further devices and methods herein, an article of manufacture is provided that includes a tangible computer readable medium having computer readable instructions embodied therein for performing the steps of the computer implemented methods, including, but not limited to, the method illustrated in
The computer program instructions may be stored in a computer readable medium that can direct a computer, other programmable data processing apparatus, or other devices to process in a particular manner, such that the instructions stored in the computer readable medium produce an article of manufacture including instructions which implement the process/act specified in the flowchart and/or block diagram block or blocks.
The hardware described herein plays a significant part in permitting the foregoing method to be performed, rather than function solely as a mechanism for permitting a solution to be achieved more quickly, (i.e., through the utilization of a computer for performing calculations). Specifically, printers, scanners, and image processors that alter electronic documents each play a significant part in the methods (and the methods cannot be performed without these hardware elements). Therefore, these hardware components are fundamental to the methods being performed and are not merely for the purpose of allowing the same result to be achieved more quickly.
As would be understood by one ordinarily skilled in the art, the processes described herein cannot be performed by a human alone (or one operating with a pen and a pad of paper) and instead such processes can only be performed by a machine. Specifically, processes such as printing, scanning, using an image processor, etc., require the utilization of different specialized machines. Therefore, for example, the printing/scanning performed by the user device cannot be performed manually (because it can only be done by printing and scanning machines) and is integral with the processes performed by methods herein. In other words, these various machines are integral with the methods herein because the methods cannot be performed without the machines (and cannot be performed by humans alone).
As will be appreciated by one skilled in the art, aspects of the devices and methods herein may be embodied as a system, method, or computer program product. Accordingly, aspects of the present disclosure may take the form of an entirely hardware system, an entirely software system (including firmware, resident software, micro-code, etc.) or a system combining software and hardware aspects that may all generally be referred to herein as a ‘circuit’, ‘module’, or ‘system.’ Furthermore, aspects of the present disclosure may take the form of a computer program product embodied in one or more computer readable medium(s) having computer readable program code embodied thereon.
While some exemplary structures are illustrated in the attached drawings, those ordinarily skilled in the art would understand that the drawings are simplified schematic illustrations and that the claims presented below encompass many more features that are not illustrated (or potentially many less) but that are commonly utilized with such devices and systems. Therefore, the claims presented below are not intended to be limited by the attached drawings, but instead the attached drawings are merely provided to illustrate a few ways in which the claimed features can be implemented.
Many computerized devices are discussed above. Computerized devices that include chip-based central processing units (CPUs), input/output devices (including graphic user interfaces (GUI)), memories, comparators, processors, etc., are well-known and readily available devices produced by manufacturers such as Dell Computers, Round Rock Tex., USA and Apple Computer Co., Cupertino Calif., USA. Such computerized devices commonly include input/output devices, power supplies, processors, electronic storage memories, wiring, etc., the details of which are omitted herefrom to allow the reader to focus on the salient aspects of the devices and methods described herein. Similarly, scanners and other similar peripheral equipment are available from Xerox Corporation, Norwalk, Conn., USA and the details of such devices are not discussed herein for purposes of brevity and reader focus.
The terms printer or printing device as used herein encompass any apparatus, such as a digital copier, bookmaking machine, facsimile machine, multi-function machine, etc., which performs a print outputting function for any purpose. The details of printers, print engines, etc., are well known, and are not described in detail herein to keep this disclosure focused on the salient features presented. The devices and methods herein can encompass devices and methods that print in color, monochrome, or handle color or monochrome image data. All foregoing devices and methods are specifically applicable to electrostatographic and/or xerographic machines and/or processes.
The terms scanner or scanning device as used herein encompass any apparatus that captures an image of a document for any purpose. The details of scanners, scanning devices, etc., are well known, and are not described in detail herein to keep this disclosure focused on the salient features presented. The devices and methods herein can encompass devices and methods that scan text or other images in color, monochrome, or handle color or monochrome image data. All foregoing devices and methods are specifically applicable to electrostatographic and/or xerographic machines and/or processes.
The terminology used herein is for the purpose of describing particular examples of the disclosed structures and methods and is not intended to be limiting of this disclosure. For example, as used herein, the singular forms ‘a’, ‘an’, and ‘the’ are intended to include the plural forms as well, unless the context clearly indicates otherwise. Additionally, as used herein, the terms ‘comprises’, ‘comprising’, ‘includes’, and/or ‘including’, when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. Further, the terms ‘automated’ or ‘automatically’ mean that once a process is started (by a machine or a user) one or more machines perform the process without further input from any user.
The corresponding structures, materials, acts, and equivalents of all means or step plus process elements in the claims below are intended to include any structure, material, or act for performing the process in combination with other claimed elements as specifically claimed. The descriptions of the various devices and methods of the present disclosure have been presented for purposes of illustration, but are not intended to be exhaustive or limited to the devices and methods disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described devices and methods. The terminology used herein was chosen to best explain the principles of the devices and methods, the practical application or technical improvement over technologies found in the marketplace, or to enable others of ordinary skill in the art to understand the devices and methods disclosed herein.
It will be appreciated that the above-disclosed and other features and processes, or alternatives thereof, may be desirably combined into many other different systems or applications. Those skilled in the art may subsequently make various presently unforeseen or unanticipated alternatives, modifications, variations, or improvements therein, which are also intended to be encompassed by the following claims. Unless specifically defined in a specific claim itself, steps or components of the devices and methods herein should not be implied or imported from any above example as limitations to any particular order, number, position, size, shape, angle, color, temperature, or material.