The present invention relates to confidential items such as mail, and more particularly, to providing a handling area that preserves that confidentiality.
A problem in law firms serviced by in-house or remote mailrooms is that the firms would like to have their mail scanned (so they can read it remotely, apply artificial intelligence to filter it, and search it by keyword), but they feel a responsibility (related to attorney-client privilege) to prohibit mail room employees from opening their mail. Innovations are needed to provide that service with greater confidentiality than can be afforded by a non-disclosure agreement. Furthermore, the same problems apply to other document handling situations, such as shredding, copying, printing and inserting.
Current solutions for maintaining confidentiality during document handling include automated document handlers that can be secure containers such that no human will see the documents being processed. However, it is extremely expensive to make these machines handle non-standard documents, such as documents with clips, staples, extra envelopes, bizarre sizes and attachments.
The current invention provides the flexibility of a human document handler, while retaining the security available in a fully automated system. The basic idea of the current invention is to protect the confidentiality of a document that is being handled by filtering what the handler is able to detect about it. The idea is to enforce a kind of “selective blindness” on the handler. The handler can use a viewscreen or translucent window in lieu of the handler's own direct sight, in order to see what they are doing while they handle the document, and the viewscreen displays only non-confidential information. For example, it obscures or blurs the text, but allows the user to see everything else about the document (e.g., the position, shape, number of pages, etc.) as though they were seeing the real thing. A video monitor can be used to record that the handler has followed protocols, and beacons in the field view of the video monitor can establish that the camera feed is authentic. The beacons flash an encrypted time signal, so that a forged camera feed would be readily detectable.
A handling system can thus process pieces in a handling area, without breaching confidentiality of the mail pieces. Such a mail handling system includes a view port device for providing filtered visual access to the mail handling area while at least some information contained in the mail pieces is filtered out. A manual access area allows manual access to the mail handling area while unfiltered visual access to the mail handling area is obstructed. The present system is usable not just for mail handling, but also for handling other types of items such as intra-office papers, packages, or various other types of items. Those various other types of items may be vials of blood with labels containing confidential information. Or, the items may be labeled samples for blind testing, such as water samples from different locations.
The present invention also relates to a handling enclosure for securely handling items, including mail or the other types of items just described. The enclosure is either fully or partly enclosed, and it includes a concealing surface for obstructing unfiltered visual access to the mail handling area from a plurality of vantage points. The mail handling enclosure also includes a manual access area, for allowing manual access to the mail handling area while the visual access is obstructed.
The invention furthermore includes a method for a user to handle mail pieces in a mail handling area without breaching confidentiality of the mail pieces. This method includes the step of providing filtered visual access to a portion of the mail handling area via a view port device that filters out at least some information contained on a mail piece, for example on a letter that is removed from an envelope and unfolded. This method also includes the step of providing the user with physical access to the mail handling area for handling the mail pieces.
According to another embodiment of the present invention, a system authenticates a video image of at least a portion of a secure area, such as a mail handling area. This system includes a video camera for viewing the secure area, a video image recorder for recording an image produced by the video camera, and authenticating beacons within view of the video camera. Each authenticating beacon indicates what time it is, which is the time at which the respective beacon is observed by the video camera. The chronological indication from the authenticating beacon is advantageously encrypted, so as to foil any attempt at providing a false image to the video image recorder. This system may additionally include an image processing unit, responsive to the video camera, for providing a processed video signal to the video image recorder. The image processing unit excludes information concerning confidential mail material that was viewed by the video camera, and that information is excluded from the processed video signal that is fed to the video image recorder.
The current invention permits efficient handling of items that contain confidential material, by permitting the user to see more than someone could see using alternative approaches, such as a blindfold, or enclosing the process in a glovebox with no way to look inside, or employing a blind document handler. Another alternative approach is the non-technological solution of simply binding the user with a non-disclosure agreement, but that would not lend as much confidentiality, since the handler might accidentally disclose information about what the handler saw, or might breach the agreement (and perhaps deny the breach). In contrast, the current invention protects against the risk of accidental disclosure, and empowers the user to prove that confidentiality was not breached.
As seen in
Thus, the view port device 102 provides filtered visual access to at least a portion of the mail handling area while information contained in mail pieces within the mail handling area is filtered out. The manual access area 110 allows manual access to the mail handling area while unfiltered visual access to the mail handling area is obstructed. It is to be noted that, instead of being acquired by the camera 120, the image presented by the view port device 102 may instead be acquired by a scanner on which the user is scanning a document, and thus the user would be able to properly position the document without reading its contents. In that case, the camera 120 can still be useful for security purposes, in order to make a record that proves the confidential material was handled in a secure manner. The mail handling area 110 accommodates not just a scanner, but potentially also other useful mail handling machines such as a shredder, printer, and facsimile machine.
Another embodiment is shown by
Because the manual access area 210 is not very secure, it is advantageous to use a good system of security cameras 216 to make sure that all protocols are followed; for example, one of the protocols is that the user should not peek into the manual access area 210. In order to ensure that the images recorded by the cameras 216 are authentic, beacons 220 may be used in the field of view of the cameras, and the beacons emit signals that vary over time and are preferably encrypted, which allows someone (or a machine) viewing the video to make sure that a forged or false video has not been supplied. The user will typically open an envelope, scan the mail using a scanner 250, send the mail electronically to the intended recipient, and shred the original. The shredder would be located in the secure mail handling area 205 along with the scanner and possibly other devices too such as a facsimile machine.
The present invention may be viewed as having seven components, according to a preferred embodiment. The documents and handling devices (e.g., printer, fax, scanner) are contained in a secure area (e.g. the interior of a box), and an obscuring device (the walls of the box) prevents the human handler from seeing the contents of the secure area with his or her own eyes. To this, the current invention adds cameras/sensors (such as a scanner) that monitor the area and send the information they collect to an image processor, which uses that information to construct real-time video of what is happening in the box but obscures confidential information. The resulting image is presented to the human on a viewscreen outside the secure area. For example, it may translate information from a scanner into a picture of the scanning area (as most scanner software does) except replace any inked areas with boxes filled with the words “ink here.” The human could then see whether the document was positioned correctly, yet could not tell what was on the document.
The image processor also records enough evidence from the sensors to prove that the secure area remained secure. For example, it might record video feed from cameras that monitor the entire secure area. This would, for example, empower an attorney to prove that mail opened and resealed in the secure area did not constitute a breach of attorney-client privilege.
Here is an example scenario for using this invention in a mailroom. The mailroom receives a piece of mail. The intended recipient wants their mail scanned and wants the encrypted resulting images to be sent to an artificially intelligent agent which will decide whether to reroute it. A mailroom worker places the mail in the secure area (which also contains a letter opener, staple remover, stapler, scanner, shredder and empty envelopes).
The obstructing mechanism is engaged so that no one can see into the secure area (in a glovebox, this would entail closing the door). The cameras/sensors monitor the secure area and send the information they collect to the image processor, which obscures any potentially confidential information, and the result is seen on the viewscreen by the mailroom worker. From their point of view, it simply looks like they are seeing the secure area, except that the documents in it contain no confidential information. The mailroom worker opens the mail with the letter opener (in a glovebox he/she would place his/her hands into gloves attached to the walls of the box and manipulate the envelope through the gloves). He/she then removes the contents from the envelope and scans them with the scanner. The scanner sends encrypted images of the scanned documents to the artificially intelligent agent, which decrypts them, reads them, determines that the mail piece is junk mail, and sends the mailroom worker a message to shred it (the instruction is received in a matter of seconds). The mailroom worker shreds the envelope and its contents, as directed, using the shredder. He/she then opens the next envelope and scans it as before; this time the artificial intelligence instructs him/her to deliver the top page to the intended recipient and the rest to the recipient's secretary. The worker places the top sheet in an envelope, seals it, and addresses it to the intended recipient. He/she places the rest (including the original envelope) in a second envelope, seals it, and addresses it to the secretary. After all the mail has been opened, scanned, and shredded or resealed, the worker disengages the obscuring mechanism, removes the contents, and physically delivers the sealed envelopes as instructed.
In addition to the mail and image files, the intended recipient receives an encrypted copy of the videotapes for that session; they can use these to prove that no human saw the contents of the mail during the time between when it was opened and when it was shredded or resealed.
An extension of the present invention addresses what happens if the sensors include chemical or aerosol detectors and the secure area is secure against hazardous materials; in that case, the current invention has been extended to protect people from hazardous materials deployed by mail. Now, if a package is received containing a hazardous material, the danger may be detected in the secure area, and the contents may be scanned before they are destroyed. In this way, the intended recipient receives the encrypted scan image, but is protected from the danger.
The basic idea behind the beacon aspect of the current invention is to detect security attacks in which a camera feed is replaced by a false one, such as when a picture of what a camera usually sees is inserted in front of it, or the video signal coming out of a camera is replaced with a false one. Beacons placed in the field of view of the camera emit an expected yet continually varying pattern of pulses detectable through the camera, and an alarm is sounded if the expected pattern is not detected. One can then secure the visual field of the camera by raising an alarm if the camera sees any unauthorized activity occur in it. As for current solutions, the best known means of securing the visual field of a camera is to have a security guard (or image processing machine) watch the video signal from the camera and raise an alarm if this reveals any unauthorized activity. One might similarly watch the video signal after the fact to determine what happened in the area; this secures the area by threat of retribution. Both methods are vulnerable, however, to an attack in which the attacker inserts a false image or signal between the area to be monitored and the viewing device or image processing machine. The current invention closes the security loop by putting the authentication mechanism in the visual field itself.
Much like the familiar video security system, the current invention involves a camera sending a signal to a viewing device or image processing machine. It additionally involves a number of beacons scattered through the far end of the view area (or randomly through the view area if, like outer space, it has no far end). Each beacon contains a clock and its own secret key for encryption. Each beacon encrypts the current time and emits the result of the encryption as a pattern of pulses visible to the camera. When the viewing device or image processing machine processes (e.g. displays) the video signal from the camera, it decrypts the patterns emitted by the beacons and raises an alarm if the result of the decryption does not match the time at which the video was supposed to be captured or if the beacon patterns are not present.
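The beacon check described above can be sketched as follows; this is an added example, not part of the original disclosure. It substitutes an HMAC-SHA256 tag over the time step for encryption of the time, so the verifier recomputes the expected pattern rather than decrypting it. The beacon names, key values, 32-pulse pattern length and one-second step are assumptions.

```python
import hashlib
import hmac
import struct

PULSE_BITS = 32    # assumed number of pulses emitted per time step
STEP_SECONDS = 1   # assumed interval at which a beacon changes its pattern

def beacon_pattern(key: bytes, t: int) -> list:
    """Pulse pattern (1 = on, 0 = off) a beacon holding `key` emits at time t."""
    step = struct.pack(">Q", t // STEP_SECONDS)
    tag = hmac.new(key, step, hashlib.sha256).digest()
    bits = int.from_bytes(tag[:PULSE_BITS // 8], "big")
    return [(bits >> i) & 1 for i in reversed(range(PULSE_BITS))]

def check_frame(keys: dict, observed: dict, claimed_time: int, skew: int = 1) -> list:
    """Return alarm messages; an empty list means every beacon matches."""
    alarms = []
    for beacon_id, key in keys.items():
        pattern = observed.get(beacon_id)
        if pattern is None:
            alarms.append(f"{beacon_id}: pattern not present")
            continue
        # Tolerate a small clock offset between beacon and verifier.
        candidates = (beacon_pattern(key, claimed_time + d * STEP_SECONDS)
                      for d in range(-skew, skew + 1))
        if not any(hmac.compare_digest(bytes(pattern), bytes(c)) for c in candidates):
            alarms.append(f"{beacon_id}: pattern does not match claimed time")
    return alarms

# Constructed sample data: two beacons with made-up keys.
KEYS = {"beacon-A": b"constructed-key-A", "beacon-B": b"constructed-key-B"}
NOW = 1_700_000_000

def observe(t: int, visible=("beacon-A", "beacon-B")) -> dict:
    """Patterns a camera would see at time t for the visible beacons."""
    return {b: beacon_pattern(KEYS[b], t) for b in visible}

if __name__ == "__main__":
    print("live feed:     ", check_frame(KEYS, observe(NOW), NOW))
    print("hour-old feed: ", check_frame(KEYS, observe(NOW - 3600), NOW))
    print("beacon blocked:", check_frame(KEYS, observe(NOW, ("beacon-A",)), NOW))
```
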
An extension of the beacon aspect of the present invention addresses the problem that occurs when using this invention on playback, at which time it is vulnerable to an attack that goes like this: an attacker does something they want to cover up in the view area at time t. They note the patterns emitted by the beacons at t (either by detecting them at time t or by looking at the security tapes), then they construct a false image and superimpose the noted beacon patterns on it. The true image is replaced with the modified false image.
The solution to this problem is simply to have the camera digitally sign its output with public-private key encryption. Since this would involve a hash of everything the camera sees, the patterns emitted by the beacons would also get signed and it would become impractical to construct the forgery. The hash can be stored in the blanking space of the video frame, for example in the blanking space of every fourth frame.
Another extension of the beacon aspect of the present invention involves the situation where the view area is the surface of a scanner; in that case, the beacons may be replaced by the light source of the scanner, which may emit the pattern that the beacons would by modulating its intensity.
Various changes may be made in the above illustrative embodiments without departing from the scope of the invention, as will be understood by those skilled in the art. It is intended that all matter contained in the above description or shown in the accompanying drawings shall be interpreted as illustrative and not in a limiting sense. The invention disclosed herein can be implemented by a variety of combinations of hardware and software, and those skilled in the art will understand that those implementations are derivable from the invention as disclosed herein.
Number | Date | Country | |
---|---|---|---|
20050135657 A1 | Jun 2005 | US |