AU2008260092A1 - Document authentication and workflow - Google Patents

Description

S&F Ref: 886910 AUSTRALIA PATENTS ACT 1990 COMPLETE SPECIFICATION FOR A STANDARD PATENT Name and Address Canon Kabushiki Kaisha, of 30-2, Shimomaruko 3 of Applicant: chome, Ohta-ku, Tokyo, 146, Japan Actual Inventor(s): Stuart William Perry, Barry James Drake, Myriam Elisa Lucie Amielh, Stephen James Hardy, Ian Richard Gibson Address for Service: Spruson & Ferguson St Martins Tower Level 35 31 Market Street Sydney NSW 2000 (CCN 3710000177) Invention Title: Document authentication and workflow The following statement is a full description of this invention, including the best method of performing it known to me/us: 5845c(1899843_1) DOCUMENT AUTHENTICATION AND WORKFLOW TECHNICAL FIELD The present invention relates to document workflow and in particular to authenticated secure document workflow models for hard copy documents. 5 BACKGROUND As technologies become available to monitor, track and modify hardcopy and electronic documents in the workplace, there is an increasing interest in document workflow management techniques. Document workflow management refers to the 10 management of a document (either electronic or hardcopy) during its lifecycle. This includes concepts like controlling who can copy, modify or add content to a document and who can view certain content of the document and how content is modified to create new versions of the document. Hardcopy versions of documents continue to be preferred over electronic versions of document in many cases due to the convenience and 15 portability of physical documents and the lack of employee access to computers in some workplaces. In addition the physicality of hardcopy documents can make such hard copies preferable over electronic documents from a legal or security perspective. Document workflow management systems exist that involve the use of barcodes to control the actions that can be performed with or on a document during the document's 20 lifecycle. Such barcodes can also be used to authenticate the content of a document as legitimate and without tampering. However since these barcodes are printed onto the document, the barcodes can only authenticate the content of the document and not confirm the authenticity of the underlying document medium (for example the sheet of paper the document is printed on). 25 A number of applications exist where providing access to certain secure information only if possession of an original version of a document is verified is advantageous, for example, when the document in question accesses sensitive information that should not be supplied to a person that has merely made a copy of the original document (even if the content of the copy is identical to the original). Since even 886910 (1899493_1) -2 complicated barcodes can be copied, barcodes do not provide the required level of security for applications such as this. Methods exist that seek to ensure the authenticity of the medium a document is printed on by adding deterministic security features to the media or the contents of the 5 media. Holograms, complicated printed patterns, and magnetic strips are just a few examples. These security features are identical for all authentic media and have been difficult to reproduce in the past. However, with increasing levels of printing and manufacturing technologies available to counterfeiters, in recent times the security features can be more easily reproduced accurately. If the technology exists to enable a 10 legitimate manufacturer of the media to reproduce the security features repeatably, the counterfeiter has the potential to obtain access to similar technology. One technique that addresses this problem involves providing each media with a security feature having a randomly varying structure that is expensive or difficult to copy. For example, a patch on a document can be embedded with a random arrangement 15 of dichroic optical fiber pieces. Natural random processes that cannot be controlled during the manufacturing process determine the positions and orientations of the optical fiber pieces, but the positions and orientations can easily be read using specialized scanning equipment. After producing the media, an interested party can read the random arrangement of the optical fiber pieces and record this information. Subsequently, when a 20 purportedly authentic medium is presented, the random arrangement of the optical fiber pieces in the test medium can be checked against the information in the interested party's database and used to confirm the authenticity of the medium. Such security features rely on the fact that the randomness integrated into the security feature is either impossible to reproduce or requires an expense far outweighing the value of the medium being copied. 25 Disadvantages of this approach include that the interested party must purchase additional equipment to embed the security features and specialized equipment is often required to read the random characteristics of the security feature. Another approach attempting to address this problem involves using inherent randomness in the structure of the medium being authenticated, such as the random 30 arrangement of fibers in paper or the microscopic structure on the surface of a plastic object. Such random structure is difficult or impossible to reproduce and provides a 886910(1899493_1) -3 unique identifying signature for the medium in question. In some techniques, a paper document is scanned using an ordinary document scanner to obtain a unique signature from the image of the paper fiber structure. This image is compared to signatures stored in a database to ascertain whether or not the paper on which the document is printed is 5 original. This technique does not require specialized equipment to create a document signature or verify subsequent documents. Systems exist that track or block the copying of documents protected by a signature based on the inherent randomness in the structure of the medium. However these systems do not allow the content of the document to be tailored to an individual's needs and hence fall short of a useful document management 10 system. SUMMARY In accordance with a first aspect of the invention, there is provided a method of creating a new version of a document using an authenticable medium. The method 15 comprises the steps of: providing content data and authentication information associated with a plurality of printed documents, at least one content modification rule associated with each of the printed documents and at least one unique signature associated with each of the printed documents, the signature being based on at least one intrinsic characteristic of an authenticable medium on which each document is printed; generating 20 a signature from an image of a presented medium of an existing document; obtaining stored content data associated with the existing document based on the generated signature matching one or more signatures in the authentication information; and creating a new version of the document if the signatures match by modifying content data of the existing document using the stored content data dependent upon at least one content 25 modification rule associated with the existing document. The content modification rule may be dependent on a user's ID. The content data may be updateable and the content modification rule may be dependent on the content data being updateable. The method may further comprise the steps of: checking using the content 30 modification rule to determine if at least a portion of the content data is time embargoed; and excluding the portion of the content data that is determined to be time embargoed. 886910(1899493_1) -4 The content modification rule may be dependent upon a physical location of where the existing document is imaged, a physical location of where the new version of the document is created, or both. The content modification rule may be dependent on a predefined document style 5 preference of a user, a company, a division, or a department. The layout of the content in the new version of the document may be modified dependent upon the content modification rule. The method may further comprise the steps of recording a signature of the created new version of the document and associating a content modification rule with the created 10 new version of the document. The content data and authentication information may be provided by a database storing the content data and authentication information. The authenticable medium comprises a medium having an irreproducible inherent random nature or structure in terms of optical properties. 15 The content data and the authentication information associated with the plurality of printed documents may be generated by the steps of: creating a set of content data for each document to be printed in each different version of the document; imaging at least one side having a signature zone of each authenticable medium for each corresponding document; generating a unique signature for each document using the corresponding 20 signature zone of the authenticable medium; and creating at least one content modification rule associated with each signature of a corresponding document. The method may further comprise the step of imaging at least a portion of the presented medium to provide the image. The method may further comprise the step of printing the new version of the document on another authenticable medium. The method 25 further comprise the step of using a multi-function printer for printing and imaging. The method may further comprise the step of selecting new content data from possible content data for the new version of the document using the content modification rule. In accordance with another aspect of the invention, there is provided a method of 30 preparing a document on an authenticable medium for use in creating a new version of the document using the authenticable medium. The method comprises the steps of: 886910(1899493_1) -5 creating a set of content data for the document to be printed in different versions of the document; generating at least one unique signature from at least a portion of an authenticable medium upon which the document is to be printed as authentication information, the signature being based on at least one intrinsic characteristic of the 5 authenticable medium; associating at least one content modification rule with the generated signature of the authenticable medium; and storing the content data and the authentication information for the document to be printed on the authenticable medium. The method may further comprise the step of printing the document on the authenticable medium. The at least one content modification rule may provide a list of 10 approved content data for transfer to a printer to create a new version of the document to be printed. In accordance with still another aspect of the invention, there is provided an apparatus, comprising: a memory for storing data and instructions for a processor; and a processor coupled to the memory, the processor performing the method according to any 15 one of the foregoing aspects dependent upon the instructions and the data. The apparatus may further comprise: at least one interface coupled to the processor and the memory; an imaging device for generating one or more images and a printing device for printing one or more documents, the imaging device and the printing device coupled to the at least one interface. 20 In accordance with yet another aspect of the invention, there is provided a computer program product comprising a tangible computer readable medium having a computer program recorded thereon for execution by a computer system to perform the method according to any one of the foregoing aspects, the computer program comprising computer program code modules for implementing the steps of the method. 25 BRIEF DESCRIPTION OF THE DRAWINGS Embodiments of the invention are described hereinafter with reference to the following drawings, in which: Fig. 1 is a block diagram showing an example of an object printed on an 30 authenticable medium suitable for document workflow management; 886910(1899493_1) -6 Fig. 2 is another block diagram showing examples of content data of a document printed on an authenticable medium to be managed; Fig. 3 is a schematic flow diagram illustrating a method of updating and modifying content in a different version of a document to implement a content modification rule 5 according to an embodiment of the invention; Fig. 4 is a schematic flow diagram illustrating a method of preparing an electronic document using an authenticable medium and a set of hardcopy versions of the electronic document; Fig. 5 is a schematic flow diagram illustrating a method of creating a new version 10 of a document using an authenticable medium according to another embodiment of the invention; and Fig. 6 illustrates a general-purpose computer system with which the embodiments of the invention can be practiced. 15 DETAILED DESCRIPTION Methods, apparatuses, and computer program products are disclosed for creating a new version of a document using an authenticable medium. Methods, apparatuses, and computer program products are also disclosed for preparing a document on an authenticable medium for use in creating a new version of the document using the 20 authenticable medium. The methods enable document authentication and workflow management. This involves preparing an electronic document using an authenticable medium and a set of hardcopy versions of the electronic document, and then controlling preparation of a new version of a document dependent upon an authenticable medium using content modification rules. In the following description, numerous specific details, 25 including particular sizes and locations of signature zones, types of printing medium that can be used, imaging techniques, and the like are set forth. However, from this disclosure, it will be apparent to those skilled in the art that modifications and/or substitutions may be made without departing from the scope and spirit of the invention. In other circumstances, specific details may be omitted so as not to obscure the 30 invention. 886910 (1899493_1) -7 Where reference is made in any one or more of the accompanying drawings to steps and/or features, which have the same reference numerals, those steps and/or features have for the purposes of this description the same function(s) or operation(s), unless the contrary intention appears. Document workflow management can generally be 5 done on either electronic or hardcopy documents, but the embodiments of the invention are directed to document workflow for hardcopy documents. Embodiments of the invention may be implemented using a general purpose computer, such as that shown in Fig. 6. The computer may be coupled to a printer and a scanner, as well as a computer network, to implement the methods described hereinafter. In the preferred embodiment, 10 however, the methods are implemented using a multifunction printing device, i.e. a device having both scanning (imaging) and printing mechanisms, as described hereinafter. Figs. 6A and 6B collectively form a schematic block diagram of a general purpose computer system 600, upon which the various embodiments described can be practiced. 15 As seen in Fig. 6A, the computer system 600 comprises a computer module 601, input devices such as a keyboard 602, a mouse pointer device 603, a scanner 626, a camera 627, and a microphone 680, and output devices including a printer 615, a display device 614 and loudspeakers 617. The scanner and the camera may each be used to image a document as described hereinafter. An external Modulator-Demodulator 20 (Modem) transceiver device 616 may be used by the computer module 601 for communicating to and from a communications network 620 via a connection 621. The network 620 may be a wide-area network (WAN), such as the Internet or a private WAN. Where the connection 621 is a telephone line, the modem 616 may be a traditional "dial up" modem. Alternatively, where the connection 621 is a high capacity (e.g., cable) 25 connection, the modem 616 may be a broadband modem. A wireless modem may also be used for wireless connection to the network 620. The computer module 601 typically includes at least one processor unit 605, and a memory unit 606 for example formed from semiconductor random access memory (RAM) and semiconductor read only memory (ROM). The module 601 also includes an 30 number of input/output (I/O) interfaces including an audio-video interface 607 that couples to the video display 614, loudspeakers 617 and microphone 680, an I/O interface 886910(1899493_1) -8 613 for the keyboard 602, mouse 603, scanner 626, camera 627 and optionally a joystick (not illustrated), and an interface 608 for the external modem 616 and printer 615. In some implementations, the modem 616 may be incorporated within the computer module 601, for example within the interface 608. The computer module 601 also has a local 5 network interface 611 which, via a connection 623, permits coupling of the computer system 600 to a local computer network 622, known as a Local Area Network (LAN). A remote database of content data and authentication information may be accessed using the computer network 622. As also illustrated, the local network 622 may also couple to the wide network 620 via a connection 624, which would typically include a so-called 10 "firewall" device or device of similar functionality. The interface 611 may be formed by an EthernetTM circuit card, a Bluetooth T M wireless arrangement or an IEEE 802.11 wireless arrangement. The interfaces 608 and 613 may afford either or both of serial and parallel connectivity, the former typically being implemented according to the Universal Serial 15 Bus (USB) standards and having corresponding USB connectors (not illustrated). Storage devices 609 are provided and typically include a hard disk drive (HDD) 610. Other storage devices such as a floppy disk drive and a magnetic tape drive (not illustrated) may also be used. An optical disk drive 612 is typically provided to act as a non-volatile source of data. Portable memory devices, such optical disks (e.g., CD 20 ROM, DVD), USB-RAM, and floppy disks for example may then be used as appropriate sources of data to the system 600. The components 605 to 613 of the computer module 601 typically communicate via an interconnected bus 604 and in a manner which results in a conventional mode of operation of the computer system 600 known to those in the relevant art. Examples of 25 computers on which the described arrangements can be practiced include IBM-PC's and compatibles, Sun Sparcstations, Apple MacTM or alike computer systems evolved therefrom. The methods of creating a new version of a document using an authenticable medium and of preparing a document on an authenticable medium for use in creating a 30 new version of the document using the authenticable medium may be implemented using the computer system 600. The processes of Figs. 3 to 5 described hereinafter may be 886910(1899493_1) -9 implemented as one or more software application programs 633 executable within the computer system 600. In particular, the steps of the methods are effected by instructions 631 in the software 633 that are carried out within the computer system 600. The software instructions 631 may be formed as one or more code modules, each for 5 performing one or more particular tasks. The software may also be divided into two separate parts, in which a first part and the corresponding code modules performs the methods of creating a new version of a document using an authenticable medium and of preparing a document on an authenticable medium for use in creating a new version of the document using the authenticable medium and a second part and the corresponding 10 code modules manage a user interface between the first part and the user. The software 633 is generally loaded into the computer system 600 from a computer readable medium and is then typically stored in the HDD 610, as illustrated in Fig. 6A, or the memory 606, after which the software 633 can be executed by the computer system 600. The database of content data and authentication information may 15 be stored on the HDD 610, for example, if the database or a portion of the database is stored locally. In some instances, the application programs 633 may be supplied to the user encoded on one or more CD-ROM 625 and read via the corresponding drive 612 prior to storage in the memory 610 or 606. Alternatively the software 633 may be read by the computer system 600 from the networks 620 or 622 or loaded into the computer 20 system 600 from other computer readable media. Computer readable storage media refers to any storage medium that participates in providing instructions and/or data to the computer system 600 for execution and/or processing. Examples of such storage media include floppy disks, magnetic tape, CD-ROM, a hard disk drive, a ROM or integrated circuit, USB memory, a magneto-optical disk, or a computer readable card such as a 25 PCMCIA card and the like, whether or not such devices are internal or external of the computer module 601. Examples of computer readable transmission media that may also participate in the provision of software, application programs, instructions and/or data to the computer module 601 include radio or infra-red transmission channels as well as a network connection to another computer or networked device, and the Internet or 30 Intranets including e-mail transmissions and information recorded on Websites and the like. 886910 (1899493_1) -10 The second part of the application programs 633 and the corresponding code modules mentioned above may be executed to implement one or more graphical user interfaces (GUIs) to be rendered or otherwise represented upon the display 614. Through manipulation of typically the keyboard 602 and the mouse 603, a user of the computer 5 system 600 and the application may manipulate the interface in a functionally adaptable manner to provide controlling commands and/or input to the applications associated with the GUI(s). Other forms of functionally adaptable user interfaces may also be implemented, such as an audio interface utilizing speech prompts output via the loudspeakers 617 and user voice commands input via the microphone 680. 10 Fig. 6B is a detailed schematic block diagram of the processor 605 and a "memory" 634. The memory 634 represents a logical aggregation of all the memory devices (including the HDD 610 and semiconductor memory 606) that can be accessed by the computer module 601 in Fig. 6A. When the computer module 601 is initially powered up, a power-on self-test 15 (POST) program 650 executes. The POST program 650 is typically stored in a ROM 649 of the semiconductor memory 606. A program permanently stored in a hardware device such as the ROM 649 is sometimes referred to as firmware. The POST program 650 examines hardware within the computer module 601 to ensure proper functioning, and typically checks the processor 605, the memory (609, 606), and a basic input-output 20 systems software (BIOS) module 651, also typically stored in the ROM 649, for correct operation. Once the POST program 650 has run successfully, the BIOS 651 activates the hard disk drive 610. Activation of the hard disk drive 610 causes a bootstrap loader program 652 that is resident on the hard disk drive 610 to execute via the processor 605. This loads an operating system 653 into the RAM memory 606 upon which the operating 25 system 653 commences operation. The operating system 653 is a system level application, executable by the processor 605, to fulfill various high level functions, including processor management, memory management, device management, storage management, software application interface, and generic user interface. The operating system 653 manages the memory (609, 606) to ensure that each 30 process or application running on the computer module 601 has sufficient memory in which to execute without colliding with memory allocated to another process. 886910 (1899493_1) - 11 Furthermore, the different types of memory available in the system 600 must be used properly so that each process can run effectively. Accordingly, the aggregated memory 634 is not intended to illustrate how particular segments of memory are allocated (unless otherwise stated), but rather to provide a general view of the memory accessible by the 5 computer system 600 and how such is used. The processor 605 includes a number of functional modules including a control unit 639, an arithmetic logic unit (ALU) 640, and a local or internal memory 648, sometimes called a cache memory. The cache memory 648 typically includes a number of storage registers 644 - 646 in a register section. One or more internal buses 641 10 functionally interconnect these functional modules. The processor 605 typically also has one or more interfaces 642 for communicating with external devices via the system bus 604, using a connection 618. The application program 633 includes a sequence of instructions 631 that may include conditional branch and loop instructions. The program 633 may also include 15 data 632 which is used in execution of the program 633. The instructions 631 and the data 632 are stored in memory locations 628-630 and 635-637 respectively. Depending upon the relative size of the instructions 631 and the memory locations 628-630, a particular instruction may be stored in a single memory location as depicted by the instruction shown in the memory location 630. Alternately, an instruction may be 20 segmented into a number of parts each of which is stored in a separate memory location, as depicted by the instruction segments shown in the memory locations 628-629. In general, the processor 605 is given a set of instructions which are executed therein. The processor 605 then waits for a subsequent input, to which it reacts to by executing another set of instructions. Each input may be provided from one or more of a 25 number of sources, including data generated by one or more of the input devices 602, 603, data received from an external source across one of the networks 620, 622, data retrieved from one of the storage devices 606, 609 or data retrieved from a storage medium 625 inserted into the corresponding reader 612. The execution of a set of the instructions may in some cases result in output of data. Execution may also involve 30 storing data or variables to the memory 634. 886910 (1899493_1) - 12 The disclosed methods of creating a new version of a document using an authenticable medium and of preparing a document on an authenticable medium for use in creating a new version of the document using the authenticable medium use input variables 654 that are stored in the memory 634 in corresponding memory locations 655 5 658. The disclosed methods produce output variables 661 that are stored in the memory 634 in corresponding memory locations 662-665. Intermediate variables may be stored in memory locations 659, 660, 666 and 667. The register section 644-646, the arithmetic logic unit (ALU) 640, and the control unit 639 of the processor 605 work together to perform sequences of micro-operations 10 needed to perform "fetch, decode, and execute" cycles for every instruction in the instruction set making up the program 633. Each fetch, decode, and execute cycle comprises: (a) a fetch operation, which fetches or reads an instruction 631 from a memory location 628; 15 (b) a decode operation in which the control unit 639 determines which instruction has been fetched; and (c) an execute operation in which the control unit 639 and/or the ALU 640 execute the instruction. Thereafter, a further fetch, decode, and execute cycle for the next instruction may 20 be executed. Similarly, a store cycle may be performed by which the control unit 639 stores or writes a value to a memory location 632. Each step or sub-process in the processes of Figs. 3 to 5 is associated with one or more segments of the program 633 and is performed by the register section 644-647, the ALU 640, and the control unit 639 in the processor 605 working together to perform the 25 fetch, decode, and execute cycles for every instruction in the instruction set for the noted segments of the program 633. The methods of creating a new version of a document using an authenticable medium and of preparing a document on an authenticable medium for use in creating a new version of the document using the authenticable medium may alternatively be 30 implemented in dedicated hardware such as one or more integrated circuits performing the functions or sub functions of corresponding method steps. Such dedicated hardware 886910 (1899493_1) - 13 may include graphic processors, digital signal processors, or one or more microprocessors and associated memories. Overview 5 In the embodiments of the invention, the possible content for different versions of a document known at a particular time are created and stored. Following this, a set of initial versions of the document are created on authenticable media. For each initial version of the document, a unique signature is collected from the authenticable medium, and that information is registered (stored). Each signature is generated based on 10 inherently random properties of each authenticable medium that affect the optical properties of the medium. In addition, each initial version of the document has at least one content modification rule associated with the initial version of the document that is used to create new versions of the document based upon that particular initial version of the document. Once content modification rules have been created, at least some of the 15 document contents are printed onto each of the initial versions of the document. The initial versions of the document are distributed to act as security tokens to access the list of available content and control the creation of subsequent versions of the document. Thus, an existing document can be used as a security token to produce a subsequent version of the document. 20 Subsequently, an example of the authenticable media can be presented as one of the initial versions of the document. The presented medium is scanned, and unique signature information is generated from the presented medium. The generated signature is compared to the previously stored signatures for the initial versions of the document. If the presented medium is confirmed as an original or existing version of the 25 document being managed by the document workflow management system, the list of content data for the document as well as the content modification rule associated with the particular presented version of the document is obtained from storage, and this information is used to create a new version of the document according to the content modification rule. 30 The creation of new versions of the document (see the method 500 of Fig. 5 described hereinafter) from an existing document can be implemented, for example, on a 886910(1899493_1) - 14 multi-function printer with a scanner and network link. Such a multi-function printer has the necessary hardware, as well as the ability to access an external database via the network link and the ability to process the steps of the embodiment. However, as disclosed hereinafter, the document workflow management system can be alternatively 5 implemented using a standard computer with a scanner, a printer, and a network link. The content modification rule may be dependent upon a physical location of where the existing document is imaged, a physical location of where the new version of the document is created, or both. Thus, as explained in greater detail hereinafter, the version of a document produced by a multi-function printer, for example, may depend on where 10 the physical location of the multi-function printer. Authenticable Media The term authenticable medium is defined hereinafter. An authenticable medium is 15 an object that comprises a medium having an irreproducible inherent random nature or structure in terms of optical properties. For example, the authenticable medium may be a sheet of paper (e.g., A4 size) that has a random arrangement of paper fibers, voids, and filler material. The following description concentrates on the case that the authenticable medium is paper; however any medium with a degree of irreproducible randomness in its 20 structure that may be detected using the techniques described in the Section Imaging Techniques Suitable for Collecting Authentication Information below may be used. Examples of other objects that the embodiments of the invention may be applied to are cloth and certain types of plastic. The embodiments of the invention utilize the random arrangement of structural 25 elements present in many different types of media. For example, the positions and orientations of fibers in a sheet of paper are randomly arranged during the manufacturing process and are almost impossible to accurately reproduce in a counterfeit. Using this random component of the structure of the authenticable medium allows a unique characteristic or signature to be created for the purpose of authentication of the medium 30 (e.g., a sheet of paper) and hence the object (e.g. the hardcopy of the document, which normally comprises content recorded, printed, or embedded in the sheet of paper). 886910(1899493_1) - 15 A signature is a number or set of numbers that is derived from the intrinsic randomness of the medium. The signature is dependent on the intrinsic randomness of the structure or physical properties of the medium and a change in the intrinsic randomness greater than a certain degree results in a change in the signature. Since the 5 particular instance of the intrinsic randomness of the medium represents a property unique to the medium, the signature derived from that particular instance of the intrinsic randomness of the medium is also unique to the medium. The signature may for example be simply an image of the medium that displays aspects of the intrinsic randomness of the structure or physical properties of the medium. Alternatively, the signature may be a 10 number or set of numbers derived from the image by a mathematical operation. Objects Suitable for Document Workflow Management Fig. I shows an example of an object suitable for document workflow management using an embodiment of the invention. In this case, the object is a document printed on 15 an authenticable medium 150, such as paper. The reference numeral 105 denotes one planar side of the authenticable medium 150, and the reference numeral 110 denotes the opposite planar side of the authenticable medium 150 (a solid black, twisting arrow at the bottom of the drawing indicates that the illustrated views are flip sides of the authenticable medium 150). The labels "first side" 105 and "second side" 110 are used 20 simply for ease of description. For the purposes of this description, no single side of the authenticable medium 150 is considered to hold a preferred or privileged position, and the actual labels used for each side are interchangeable. The authenticable medium 150 may have textual information (i.e. text) 115 and 120, graphical information 155, image information 125 (indicated by a smiling face 25 icon), or some or all of the foregoing forms of information printed in a variety of locations on either side or both sides 105, 110 of the medium 150. The object can also have a machine readable code 130 (indicated simply by grey hatching for simplicity of illustration but otherwise well known to those skilled in the art) on either side or both sides of the medium 150. The machine readable code 130 (e.g. a bar code or a digital 30 watermark) stores machine readable information. The machine readable code 130 may be visible or invisible to the human eye dependent upon the particular circumstances or 886910(1899493_1) - 16 requirements pertaining to the object. The foregoing information forms the content data recorded on the authenticable medium 150. Alternatively, the object for document workflow management may selectively have one or more of the foregoing content items (i.e., text, graphical information, image information, machine readable code) present on 5 the authenticable medium 150. On either or both sides 105, 110 of the authenticable medium 150, a region is allocated as a signature zone. From this signature zone, information about the random component of the structure of the authenticable medium is collected to form a signature for the medium. 10 With reference to Fig. 1, on the first side 105, the signature zone is labeled 135. The signature zone is depicted with a dashed line box. For the purpose of this description, only one signature zone on the authenticable medium 150 is used, however multiple signature zones on either side or both sides of the medium may be used to authenticate the authenticable medium 150. 15 The locations of the signature zone 135 may be predetermined (i.e., known beforehand) and stored in the machine readable code 130 or a memory external to the medium 150. In the examples given hereinafter, this information is stored together with the signature of the authenticable medium in a database, which may be stored remotely and accessed via a network or stored locally in certain applications. Alternatively, the 20 location of the signature zone 135 may be indicated by a registration mark or marks, in any of a number of given forms. Such registration marks and their form are well known to those skilled in the art. An example of a set of registration marks 145 is shown in Fig 1. In this case, the registration marks 145 are a set of arrows that point toward the corners of the signature zone 135. The registration marks 145 may optionally be visible or 25 invisible to the human eye. Textual information 115, 120, graphical information 155, image information 125, and machine readable code 130 on the medium 150 may overlap the signature zone 135. Imaging Techniques Suitable for Collecting Signatures of Authenticable Media 30 In the embodiments of the invention, a unique signature is generated by imaging an authenticable medium. The medium can be any medium satisfying the properties 886910(1899493_1) - 17 described above in the Section Authenticable Media. However, to explain the requirements of an imaging system for the embodiments of the invention, the case where the medium is a sheet of paper is considered. In this case, the imaging technique can be implemented using a conventional document scanner 626 set at a resolution of at least 5 200 dpi (preferably 600 dpi). Other imaging techniques may be employed, however, such as a digital camera 627 as the sensor, a coherent laser source as the light source, etc. Some scanners and other imaging techniques are designed to image the textual and graphical content of a document and are not designed to image the paper underneath the textual and graphical 10 content. These imaging techniques often deliberately set the value of all pixels associated with the underlying paper to some maximum intensity value (e.g. 255) in the captured image to maximize the number of intensity levels allocated to textual and graphical content. Such imaging techniques without modification would not be suitable for implementing the embodiments of the invention, because the unique structure of the 15 underlying paper would be invisible. Therefore, the imaging technique used must be capable of detecting random structure on the surface and/or within the underlying medium (e.g., paper of the document). For example, an imaging system that collects an 8-bit, grayscale image of the document typically requires that the underlying paper of the document shows at least 2-3 bits of intensity variation. 20 Regardless of the type of authenticable medium to be used for document workflow management, any imaging technique can be employed as long as the imaging technique can collect sufficient information on random structures on the surface of and within the medium to allow a unique signature to be determined. 25 Content Data and Content Modification Rules The embodiments of the invention concern documents with variable content, wherein different versions of the document may display different content to that of other versions of the document. This embodiment is directed to controlling the production and actions that can be performed with various versions of documents. As such, different 30 versions of a document may contain different content from other versions of the document. 886910 (1899493_1) - 18 In this context, the word "document" is used in the general sense to describe all of the possible versions of the document and all of the content that can be used to create different versions of the document. The word "document" refers to all possible versions of the document and not a single master version of the document. The phrase "version of 5 the document" refers to one specific instance of the document, and in particular, a hard copy version of the document displaying some of the possible content data for the more general document. The types of content data that can be associated with a particular authenticable medium are described with reference to Fig. 2. Fig. 2 shows an authenticable medium 10 205 suitable for document workflow management. The authenticable medium 205 has a signature zone 210 that can be used to authenticate the authenticable medium 205. For the purposes of this embodiment, anything that can be printed onto the authenticable media 205 and any additional information that effects what is printed onto the medium is considered to be content data. However, to clarify, some particular examples of content 15 data are shown in Fig. 2. The authenticable medium 205 may have primary textual content written on the medium as indicated by text boxes 215, 220 and 225. Primary textual content means textual content that relays to the reader the primary message of the document. The authenticable medium 205 may have additional secondary textual content, such as the 20 date when the version of the document was created 230, the company logo 235, and/or the name of the creator of the version of the document 240, etc. Secondary textual content means textual content that relays to the reader information unrelated to the primary message of the document, such as the history of a version of the document. The document may also contain graphical content. As an example of such graphical 25 content, the authenticable medium 205 in Fig 2 has a plot 245 showing a company's stock market price and an image 250 that might be used to influence employee morale. The authenticable medium 205 may also have associated with the medium style and positioning information for the various printed content on the authenticable medium 205. As an example of this, an arrow 255 in Fig. 2 represents information regarding the 30 left side margin of the printable area for primary textual content, while an arrow 260 886910 (1899493_1) -19 represents information regarding the top side margin of the printable area for primary textual content. Although Fig. 2 shows a finite set of examples of content data, anything that may be printed onto the authenticable medium 205 and any additional information that effects 5 what is printed onto the medium is considered to be content data for the document. There may indeed be no version of the document that contains all of the relevant content possible for that document. Some content may be mutually exclusive. By way of illustration, consider Fig 2 as containing all possible content data for a document to be managed. Some of this information is constant to all versions of the document. For 10 example the basic description data 215 for the document may be the same for all versions of the document. This data might be, for example, the title and low-level generic explanation of the document content. On the other hand, the Updateable Departmental Technical Data 220 may change depending on which department is logged as owning the particular version of the 15 document. Different departments may have different information tailored to their needs. In addition, the Updateable Departmental Technical Data 220 may change in time as new information becomes available even for the same department. Similarly, the Updateable Company Financial Data 225 may also change over time as new information becomes available or the financial situation of the company changes. In addition, the Updateable 20 Company Financial Data 225 seen in any particular version of the document may also change according to the security level of the person owning the version of the document, or the department the person belongs to. The Updateable Company Financial Data 225 may even be absent in versions of the document supplied to people with low security levels. 25 The plot 245 and the graphical image 250 may also change according to the most recent information, or the security level of the person or department owning the particular version of the document. The document version creation date 230 and document version creator data 240 may also be updated from version to version of the document to provide a visual way of confirming the document history. The company 30 logo data 235 on document versions may also change in time, for example if the company undergoes a takeover. Different users/departments/companies/divisions, etc., 886910(1899493_1) - 20 producing versions of the document may have different style preferences regarding the document content data. Hence, the style information represented by the arrows 255 and 260 may differ between different versions of the document. In addition, the position of the content data may differ between different versions of the document. For example, if 5 the Updateable Company Financial Data 225 grows large at some time in the future, the plot 245 and the graphical image 250 positions may move to accommodate the space required for the expanded Updateable Company Financial Data 225. To manage all the possible content data, for each document in the document workflow management system, there is an entry in an electronic database. Suitable 10 databases for the embodiment are described below in the Section Authentication Information Storage Methods. The database entry for each document contains a list of all possible content data for that document, and a set of content modification rules. When the user presents a version of the document on an authentic medium, the content modification rules take the authentication information (unique signature) of a presented 15 authenticable medium and determine based on that information, and possibly some other additional information, how to create a new version of the document, tailored to the user's needs or security levels. The content modification rule may be dependent upon the identification (ID) of a user. Content modification rules control which versions of a document contain which 20 content data and whether that content data is modified or moved on the document. There are a wide variety of rules that may control content data, some example rules are: * Authentication information obtained from a presented version of the document. e Time of day. 25 0 Date. 0 Security clearance of person or entity for which the copy is being prepared. e User, department or division within the company for whom the copy is being prepared. e Presence or absence of other content data on the requested document version. 30 0 Presence or absence of updated information for a particular content data item. 886910 (1899493_1) -21 An example of a content modification rule 300 is described with reference to Fig. 3. The method 300 is performed to implement a content modification rule and begins at step 310. Prior to step 310, the user presents an authentic, original version of a document on an authenticable medium and requests the creation of a new version of the document. 5 The authentication information of the authenticable medium is checked to verify the authenticity of the presented version of the document and also to select the appropriate content modification rule to control the possible content data to print onto the new version of the document. For example, the authentication information may show that the presented version of the document belongs to a particular division of the user's company. 10 In this case, a content modification rule is selected that restricts content to be printed onto the new version of the document to be only that content relevant to the particular division of the company that the authenticated version of the document belonged to. The process of authenticating the originality of the presented version of the document and selecting an appropriate content modification rule is described hereinafter 15 with reference to Fig. 5. In step 310, content appropriate to the security level of the user is determined by checking the security level of a user presenting the authenticable medium. This may be achieved by having the user log on to a computer system or a printer, or swipe an identity card across a card reader. Based on the identity of the user, their security level can be 20 determined. Information about the identity of the user and the security level may be stored in the memory 606. The processor 605 determines the content appropriate to the user's security level using the stored information in the memory 606. Depending on the user's security level, content data for a document that is inappropriate to that security level can be excluded from being considered by later stages of the content modification 25 rule. If the presented authentic version of the document has been assigned to only one individual (rather than a division of a company as in the example above), then the step 310 might be skipped, since the authenticable medium that the presented version of the document is printed on acts to determine the identity (and hence security level) of the user. Accordingly, the step 310 is depicted with broken lines in Fig. 3 to indicate this 30 step is optional, depending upon the circumstances. 886910 (1899493_1) - 22 In step 315, a check is performed by the processor 605 to determine if updates are available for updateable content data. For example, the Updateable Department Technical Data 220 and the Updateable Company Financial Data 225 in Fig. 2 fall into the category of updateable content data. Any updateable content data has a link to a 5 server, computer and/or data record that contains any updates to the updateable content data. The content modification rule can be dependent upon the content data being updateable. In the step 315, once any updateable content data has been identified by the processor 605, updates for this updateable content data are obtained and may be stored in the memory 606. The updated content data proceeds onto subsequent stages for 10 processing according to the content modification rule, while out-of-date content is excluded from being considered by later stages of the content modification rule. In step 320, a check is performed by the processor 605 to determine whether any of the content data that has passed the previous step 315 (and possibly 310) is subject to any form of time embargo. In other words, some content data may not be cleared to be 15 printed onto new versions of the document until after a specified date and/or time. If time embargoed content data is found and cannot be shown at the present time, the embargoed content is excluded from being considered by later stages of the content modification rule. The result of the step 320 is a list of content data that is to be included on the new printed version of the document requested by the user. 20 In step 325, a check is made by the processor 605 of user, departmental, divisional, or company, etc., style preferences, and the content data is modified in accordance with the user or departmental document style preferences. A department is considered to be a sub-group within a division. For example, such document style preferences may dictate font types and sizes, print area margins, etc. for the document. If the presented original 25 version of the document has been assigned to only one individual rather than a division or department, then the step 325 may be omitted, since the authenticable medium that the presented version of the document is printed on acts to determine the identity of the user and hence document style preferences. Accordingly, the step 325 is depicted with broken lines in Fig. 3 to indicate this step is optional, depending upon the circumstances. 30 While department and division are given as examples of organizational groupings, other 886910 (1899493_1) -23 organizational groupings may be practiced without departing from the scope and spirit of the invention. In step 330, the positions of content on the printed document are modified by the processor 618, if required. In this step, the intended content data positioning of the new 5 printed version of the document is checked. Updates to the content data or the removal of content data by earlier stages of the content modification rule may result in poor or undesirable positioning of content data accepted for inclusion on the new printed version of the document. For example, the content data updated in the step 315 may be larger than the original content data, and the default positioning of this updated content data on 10 the new printed version of the document may cause the updated content data to overlap other content data. In the step 330, the positioning of content data is adjusted so that content data does not overlap other content data, unless that was the intent of the author of the content data. In step 335, a list of approved content data is transferred from memory 606 by the 15 processor 605 to the printer 615. The list of approved content data is sent to the printer (or other device) 615 to create the new printed version of the document dependent upon the content modification rule 335. The method 300 then ends. Preparing a Document for the Document Workflow Management System 20 Fig. 4 illustrates a method 400 of preparing an original document on an authenticable medium for use in the document workflow management system. In this method 400, the possible content for different versions of a document known at the time the method 400 begins is created and stored. Unique signature information is collected from an authenticable medium for each initially printed version of the document, and that 25 information is registered or stored. The initial versions of the document that are printed and distributed act as security tokens to access the complete list of the available content data. The authenticable medium can be a sheet of paper intended for use to create a version of the document described by the content data and content modification rules. In 30 addition, in this embodiment, for each initially printed version of the document, a unique signature for the medium is computed using the steps in Fig. 4, before any textual 886910 (1899493_1) - 24 information, graphical information, image information, machine readable code, and/or other forms of content is printed onto the medium. However, the unique signature information can be collected after such content data has been printed or recorded onto the medium, or otherwise embedded in the medium. A signature zone is a region of the 5 medium surface that must exist on each of the initially printed versions of the document, and each signature zone must not have 100% coverage with content data to enable signature information of each authenticable medium to be generated. Regions of the medium with partial coverage of content data are acceptable for use as signature zones. However, increased levels of coverage with content data reduce the amount of inherent 10 random structure of the authenticable medium that can be used to create the unique signatures. Hence, increased levels of coverage of the signature zones result in decreased performance of the system. Content modification rules are then created for each of the initially printed versions of the document, and those versions of the document are printed. This process is described in greater detail with reference to Fig. 4. 15 The method 400 begins at step 405. In step 405, the document content data is created. The author (or authors) of the document create all of the possible types of content data that can be printed onto all of the different versions of the document, as is known to the author at the time that step 405 is performed. Possible content data is described in Section Content Data and Content Modification Rules hereinbefore. Content 20 data can be created using a word processor such as Microsoft Word, for example, using the computer system 600. Meta-data can be added to each piece of content data to help in the creation of content modification rules. Appropriate meta-data includes any piece of information about a piece of content data that is needed by a content modification rule to control 25 which versions of the document the content data appears on. Examples of meta-data to be associated with each piece of content data include: * Security clearance level of the content data. * Division/Department/Units able to view the content data. * Date/Time at which access to the content data is granted. 30 0 Date/Time at which access to the content data is denied. 886910(1899493_1) -25 * A flag or token indicating if the content data is updateable, and if the content data is updateable, the location of the most version of the content data. * Preferred position of content data on document. " A flag or token indicating if the content data is allowed to overlap other 5 content data. In step 410, the medium is imaged. The side of the authenticable medium that has the signature zone is imaged (e.g., scanned). There are many different imaging techniques that may be used in step 410. Examples of such techniques are described in Section Imaging Techniques Suitable for Collecting Signatures ofAuthenticable Media 10 hereinbefore. A scanner 626 or a camera 627, for example, may be used to image the authenticable medium. While the step 410 is illustrated in a particular sequence of steps in Fig. 4, it will be understood by one skilled in the art in the light of this disclosure that this need not be the case. For example, the step 410 can be performed before the step 405 is performed. Other variations to the ordering of the steps in Fig. 4 may be practiced 15 without departing from the scope and spirit of the invention. The image can be provided to the computer system 600 by the interface 613 and stored in the memory 606 and/or HDD 610. The processor 605 can retrieve the image from the memory 606 and/or HDD 610. In step 415, the signature zone of the authenticable medium in the image is located 20 by the processor 605. The image captured in step 410 is examined by the processor 605 to determine the region of the authenticable medium that is used to generate the signature of the authenticable medium. This may be done by the processor 605 fetching portions of the image from the memory 606 into registers and processing the portions. For ease of description only, this region is denoted the "signature zone". The verb "locate" is to be 25 construed broadly and expansively. The verb "locate" in this context includes a large number of connotations, especially with respect to the step 415 of Fig. 4 and the step 510 of Fig. 5. The actions encompassed by the verb "locate" non-exhaustively include choosing (randomly, selectively, manually, automatically, or using an algorithm), computing, placing, determining, knowing, setting, recording or encoding, being 30 predefined, selecting, marking, printing, and identifying. 886910 (1899493_1) -26 The location and size of the signature zone can be chosen in a number of ways. The location and size of the signature zone may be either known in advance or indicated by registration marks printed on the medium. Alternatively, the location and size of the signature zone may be encoded in a machine readable code recorded on the medium. In 5 yet another alternative, the same location and size may be predefined and used for all media. For example, if the medium to be authenticated is an A4 sheet of paper scanned at 600 dpi, the signature zone may be always set to a square 256-pixel-by-256-pixel zone in the centre of the medium. The location of the signature zone may be anywhere on either side of the medium, and the size of the signature zone may be of any size that may fit on 10 the medium. However, reducing the size of the signature zone generally reduces the uniqueness of the signature computed from the zone. In contrast, increasing the size of the signature zone generally increases the size of the signature computed from the zone and may impact on the performance of the method used to store and retrieve the signature. 15 The location and size of the signature zone may be chosen taking into account the textual information, graphical information, image information, machine readable code, and/or other forms of content data already printed, or expected to be printed, onto the medium following the document workflow preparation operations of Fig. 4. Alternatively, the location and/or size of the signature zone may be chosen randomly, or 20 based on user input. Still further, other methods may be practiced. If the location and size of the first side signature zone is determined randomly, by user input, or by analysis of the medium, and is not set to a pre-determined position each time a medium is registered for authentication, the location and size of the first side signature zone may be added to the content data and authentication information to be stored in step 440, 25 described hereinafter. In step 420, a unique signature for medium is generated by the processor 605 from the signature zone of the image stored in the memory 605 and/or HDD 610. The signature is created from the inherent random structures present in the first side of the authenticable medium and is represented in the information contained in the signature 30 zone identified in the step 415. The verb "generate" is also to be construed broadly and expansively. The verb "generate" in this context includes a large number of 886910 (1899493_1) - 27 connotations, especially with respect to the step 420 of Fig. 4 and the step 515 of Fig. 5. The actions encompassed by the verb "generate" non-exhaustively include choosing (randomly, selectively, manually, automatically, or using an algorithm), computing, calculating, transforming, hashing, creating, and selecting. 5 The signature can be computed by the processor 605 from the image or portion of the image of the signature zone using any of a number of suitable mathematical operations on the pixels imaged in the signature zone. Any mathematical operation that reflects the inherent randomness of the medium imaged in the signature zone in a way that provides a unique identifying number or numbers to describe the signature zone may 10 be used to create the signature. The mathematical operation can be well understood when coupled with a method for determining the difference between two signatures as described below. The mathematical operation must be such that a change in the inherent randomness affecting the optical properties of the medium above a reasonable level produces a large change in the signature, as measured by the associated difference 15 measure. There are a large number of mathematical operations that meet these criteria, and any one of these may be used. For example, an image of the signature zone showing the inherent random structure of the medium affecting the optical properties of the medium is a suitable signature. In the case of images, the differences between two signatures can be measured by cross-correlating the images. Images of different media do 20 not correlate well, while images of the same signature zone on the same authenticable medium correlate well. By way of giving but a few more examples, this may involve transforming the pixels of the image using a transform such as the Fourier transform, Wavelet transform, etc., to some other representation in a Cartesian, polar, or log-polar domain, or creating a 25 hash code based on the pixels in the image of the signature zone. In the embodiment shown in Fig. 4, the signature is simply the image of the signature zone captured by the imaging technique in the step 410 and identified in the step 415. This image may be compressed or have other image processing operations applied to the image. This may aid in storage of the image in an external memory or for other purposes. 30 In step 425, a content modification rule is created and associated with the signature of the authenticable medium generated in the step 420 using the processor 605. Hence, 886910(1899493_1) -28 the rule is associated with the authenticable medium itself and the initial printed version of the document printed on the authenticable medium. Possible content modification rules are described in Section Content Data and Content Modification Rules above. Fig. 3 is an example of a content modification rule. One method to create a content 5 modification rule for the embodiment is for the user to select from a pre-existing list of content modification rules (for example, a set of variations on the rule described in Fig. 3) and assign that rule to the signature generated in the step 420. The signature may also be associated with a number of content modification rules, depending on the specific application of the document workflow management system. 10 The method 400 then proceeds to step 430. In step 430, an initial printed version of the document is created. This may be done by printing using the printer 615 some of the content data created by the computer system 600 in the step 405 onto the authenticable medium. The content data printed on the authenticable medium may be decided by the content modification rule associated with the authenticable medium as created in the step 15 425. In general, the content data printed onto the initial printed version of the document comprises basic, low-security-level data such as Basic Description Data 215 in Fig. 2. Alternatively, the authenticable medium may be left blank. In decision step 435, a check is made using the processor 605 to determine if more physical versions of the document are required. The step 435 checks if additional 20 authenticable media (initial printed versions of the document) should be associated with the document content data created in the step 405. If there are more authenticable media to process (Yes), the method 400 returns to the step 410. Otherwise (No), the method 400 proceeds to step 440. These versions may be stored temporarily in the memory 606. In step 440, the content data and authentication information for the original 25 document and any versions of the document is stored. The content data and authentication information may be stored in the memory 606 and/or the HDD 610. Alternatively, the content data and authentication information may be stored remotely, for example in a database that is remotely accessed via local area network 622 or wide area network 620. The signature of each authenticable medium that has been used to 30 create an initial printed version of the document, the list of all possible content data for the document, and the content modification rule(s) associated with each initial printed 886910 (1899493_1) - 29 version of the document are stored. Collectively, this information is referred to as "content data and authentication information". Several storage methods are described in detail hereinafter. In addition, other information may be stored such as an identifying number for the medium, identifying information regarding the imaging technique (e.g., 5 the scanner) used to image the authenticable medium in step 410, and additional information about the signature and signature zone for the authenticable media. For example, the locations and sizes, etc. of the signature zones for each of the authenticable media used for each of the initial printed versions of the document may be stored. Following step 440, in an optional step 445, the authenticable medium may be 10 subjected to subsequent processing using the processor 605 such as having textual or graphical objects, and/or a barcode or other machine readable mark printed onto the medium. Accordingly, the step 445 is depicted with broken lines in Fig. 4 to indicate this step is optional. The method 400 then ends. 15 Authentication of a Document and Production of a Modified Print With reference to Fig. 5, a method 500 for creating a new version of a document using an authenticable medium for the document workflow management system is illustrated. In the method 500 of Fig. 5, unique signature information is collected from an 20 authenticable medium (e.g., a sheet of paper of a document) presented to be verified. The collected signature is compared to previously stored signatures for the authentic versions of the document for the purpose of verifying the authenticity of the presented medium. For example, the presented authenticable medium may be a sheet of paper used for a version of the document that is managed by the document workflow management system 25 of the embodiment. In addition, the original authenticable medium (the original medium processed in the method 400 that the presented medium is purported to be by the user) had its unique authentication information computed using the steps in the method 400 of Fig. 4 previously and stored in some fashion. In addition, textual information, graphical information, image information, 30 machine readable code, and/or other forms of content may have been printed onto the authenticable medium (i.e., the sheet of paper for the version of the document) at any 886910 (1899493_1) -30 location on the medium, including at least a portion of the signature zone. To enable signature information to be generated, neither the region on the presented medium nor the regions on the original medium corresponding to the signature zone have 100% coverage with textual information, graphical information, image information, machine 5 readable code, and/or other forms of content. Some or all of the above mentioned signature zones may have partial coverage. However, increased levels of coverage of signature zones by content data reduce the amount of the inherent random structure of the authenticable medium that can be used to determine the medium's signature. Hence, increased levels of coverage of the 10 signature regions result in decreased performance of the system. In addition, any machine readable codes on the medium required to store or index the original medium's signature should not be rendered un-readable by subsequent printing of textual information, graphical information, image information, and/or other forms of content on the medium. Once the presented medium is confirmed as an original document being managed 15 by the document workflow management system, the list of content data for the document as well as the content modification rule associated with the particular presented original version of the document is obtained from storage and this information is used to create a new version of the document according to the content modification rule. Prior to the method 500, the user of the document workflow management system 20 has presented a medium to the system and asserts that this medium is one of the initial printed versions of the document as created by the method 400 of Fig. 4. The method 500 then proceeds to verify the medium and act accordingly. The method 500 illustrated in Fig. 5 starts at step 505. In step 505, the presented medium is imaged (e.g., scanned). There are many different imaging techniques that may 25 be used in step 505 as described hereinbefore with reference to the step 410 of Fig. 4. For example, the scanner 626 or the camera 627 may be used to do this. The scanned image can then be transferred to the computer 601 and stored in the memory 606 and/or the HDD 610. In step 510, the test signature zone is located using the processor 605 in the image 30 of the presented medium stored in the memory 606 and/or the HDD 610. The presented medium image captured in the step 505 is examined by the processor 605 to determine 886910(1899493_1) -31 the region of the presented medium that is to be used to determine the signature of the presented medium. The located region is denoted the "test signature zone". In all cases, as described hereinafter, a restriction on the location and size of the test signature zone is that the test signature zone should be constructed to partially or fully cover the same 5 coordinates of the signature zone of the original authenticable medium as determined in the step 415 above. The location and size of the test signature zone on the presented medium may be set to be equal to the location and size of the signature zone on the original medium. Otherwise, the location and size of the test signature zone can be chosen in a number of ways. The location and size of the test signature zone may be 10 known in advance, or the same location and size may be used for all media, or the location and size may be indicated by registration marks recorded on the medium, for example. Still another alternative is that the location and size of the test signature zone may be encoded in a machine readable code on the medium (e.g., sheet of paper). The location and size of the test signature zone may be chosen to take into account the textual 15 information, graphical information, image information, machine readable code, and/or other forms of content already printed onto the authenticable medium. Alternatively, the location and/or size of the test signature zone may be chosen based on user input. Still further, other methods may be practiced. If the location and size of the signature zone on the original medium is known, the 20 location and size of test signature zone on the medium to the verified should be constructed to partially or fully cover the same coordinates of the signature zone of the original medium. Alternatively, when the location and size of the test signature zone are unknown, the test signature zone can be searched for. This can be achieved using the stored 25 database of potential signatures created in step 440. This search can be achieved by: * Taking a potential signature from the database as the current potential signature; e Computing the signatures for various regions of the of the medium to be verified of equal size to the current potential signature according to the process 30 described in step 420 of Fig. 4; and e Comparing those signatures to the current potential signature. 886910(1899493_1) - 32 This process is repeated for one or more of the stored signatures in the database. A match to a signature in the database serves to both identify the location and size of the test signature zone and to identify the version of the document printed onto the presented medium. 5 In step 515, the test signature is generated by the processor 605 from the located signature zone in the image. The test signature may be transferred to the memory 606. A unique signature is created from the inherent random structures present in the presented medium and represented in the information contained in the image of the test signature zone identified in the step 510. This signature is denoted as the test signature. 10 The test signature may simply be the image of the test signature zone captured by the imaging technique in the step 505 and identified in the step 510. This image may be compressed or have other image processing operations applied to the image. This may aid in storage of the image in external memory or for other purposes. Alternatively, the test signature can be computed from the test signature zone using any suitable 15 mathematical operation on the pixels imaged in the test signature zone. However, the test signature must be comparable to the signature of the original medium as generated in the step 420 of Fig. 4. This can be achieved by using the same signature generating function in the step 515 as is used in the step 420. In step 520, the original content and authentication information is obtained from 20 storage, e.g. a database or another storage mechanism. If the original content and authentication information is stored remotely, this may be retrieved via the network 620, 622 and stored in the HDD 610. Otherwise, the information may be stored locally in the HDD 610. The original content and authentication information may be loaded into the memory 606 from the HDD 610. The content and authentication information pertaining 25 to the document associated with the presented medium is determined in the method 400 of Fig. 4. If the document workflow system manages many different documents, one way of resolving which document the presented medium represents is to write a barcode on the medium that identifies the document that the medium is associated with. This barcode is subject to potential forgery for the reasons given above, and so the barcode is not used 30 to authenticate the document, but just to allow easy access to the database entry for the document associated with the presented medium. Another approach for identifying the 886910(1899493_1) - 33 relevant document in the database is to compare the signature for the presented medium (as determined in the step 515 above) with every signature for every document in the document management system until a match is found. Signature comparison methods are described in more detail hereinafter. The matching database entry identifies the correct 5 document associated with the presented medium and identifies which printed version of the document the presented medium represents. The content and authentication information includes the signature of each authenticable medium that has been used to create an initial printed version of the document, the list of all possible content data for the document, and the content 10 modification rule(s) associated with each initial printed version of the document. In addition, other information about the original medium may be extracted from the storage. The other information may include information regarding the imaging technique (e.g., the scanner) used to image the authenticable medium in the step 410 and additional information about the signature and signature zone for the authenticable media. For 15 example, additional information may comprise the locations and sizes, etc. of the signature zones for each of the authenticable media used for each of the initial printed versions of the document. In step 525, the test signature of the presented medium is compared using the processor 605 with original authentication information, e.g., with each of the signatures 20 of the original authenticated media created in the method 400 of Fig. 4. This original information is obtained from storage in step 520. In decision step 530, a check is performed by the processor 605 to determine if the presented medium is authentic. The step determines if the authentication signature of the presented medium matches any of those in the content data and authentication 25 information for the document as obtained in the step 520. If a match is not found (No), the presented medium is rejected in step 545, and then the method 500 ends. If a match is found (Yes) in the step 530, the method 500 has successfully identified the document associated with the presented medium and which version of the document is associated with the presented medium. From this information, a content modification rule for the 30 presented medium can also be identified. 886910 (1899493_1) - 34 The method 500 then proceeds to step 535. Based on the content modification rule for the presented medium, new content data for the medium is selected in step 535 using the processor 605 from the list of all possible content data for the document as set in the step 405 of Fig. 4. The list may be stored in the memory 606. The selection of content 5 data using the content modification rule is discussed hereinbefore. The method 300 of Fig. 3 is an example of a method of selecting content data to print onto a version of the document according to a content modification rule. In step 540, a new version of the document is created using the processor 605. This is done by printing the content data selected according to the content modification rule in 10 the step 405 onto a suitable medium using the printer 615. A suitable medium is generally another sheet of paper. In the general case, the method 500 ends after this step. However, there are possible variations on step 540. For example, if the new printed version of the document is printed onto an authenticable medium (such as office paper), the steps 410, 415, 420, and 425 of method 400 can be used to determine a unique 15 signature for the new printed version of the document and associate a content modification rule with the new version of the document. In this way, the new printed version of the document can be managed according to the document workflow management system. The content modification rule for the new printed version of the document can be different to the rule for the version of the document used to create the 20 new version of the document; however, the content modification rule of a new version of the document can be set to be the same as some other existing version of the document. Many variations may be practiced on the method 500 of Fig. 5, including changing the ordering of the steps. Some steps can be performed at different stages in the method 500. For example, the content and authentication information of the original medium can 25 be extracted from storage without first computing the signatures of the presented medium. As an illustration, the presented medium may contain a machine readable code recorded on the presented medium, and that machine readable code can be used to identify the content and authentication information from the original medium in the storage system. For example, the machine readable code may contain a unique ID that 30 references the location of the content and authentication information in the storage system. 886910(1899493_1) - 35 Also under appropriate circumstances, the comparison of the signature of the presented medium may be compared with that of the original authentic medium in either the step 510 (in the context of identifying the location of the test signature zone) or in the step 520 (in the context of obtaining the original content and authentication information 5 for the document from storage). Either of these cases renders the subsequent authentication step 525 unnecessary. Accordingly, the step 525 is depicted with broken lines to indicate that this step may be optional. Signature Comparison Methods 10 In the step 525 of Fig. 5, the authentication information extracted from the original medium is compared to that extracted from the presented medium to be verified to determine whether the signatures of the two media match in some sense. This can be done in a number of ways. The signature can be an image of the relevant signature zone on the medium. In this case, the signature of the presented medium and the signature of 15 the original medium are compared using cross-correlation. The two signatures (images) are cross-correlated and the maximum value of the two-dimensional cross-correlation is found. If this value is greater than a specified threshold, the two signatures are determined to match, and otherwise the signatures are determined not to match. The threshold used in general depends on the properties of the medium and can be determined 20 by considering the statistical distribution of a collection of maximum correlation values for matching medium images (signatures) and the statistical distribution of a collection of maximum correlation values for non-matching media. In the case that the media used is ordinary office paper, a threshold of 10 times the standard deviation of the noise statistics of the cross-correlation image may be acceptable. 25 The above mentioned cross-correlation technique for determining whether two signatures match is robust to translational misalignment but not rotational misalignment. If rotational misalignment issues may be a problem, rotational misalignment between the two signatures may be corrected prior to the cross-correlation operation mentioned above. There are many methods to correct for rotational misalignment of images. For 30 example, the two images can be deliberately rotated to a given angle relative to each other and the cross-correlation computed. This process is repeated for a number of angles 886910 (1899493_1) -36 until an angle is found that maximizes the maximum value of the cross-correlation image. The images are then rotated relative to each other by this angle to correct for the rotational misalignment. Cross-correlation is not the only method to compare two (or more) signatures to 5 each other. Various mathematical equations can be used, for example the dot-product, or Euclidean norm between the images (signatures) can be computed. In addition, comparison methods exist that are able to compare images with the ability to ignore certain aspects of the images. For example, two images (signatures) with textual or graphical objects printed onto the signatures may be compared while ignoring the printed 10 content data in the comparison operation. If the signatures are stored in a binary representation, the Hamming distance may be used. In general, the comparison function depends on the mathematical formulae used to create the signature in the first place. 15 Authentication Information Storage Methods There are many different ways to store content and authentication information relating to a medium. One method is to collect the content and authentication information in a central electronic database. This might be accessed via the network 620, 622. When a medium to be verified is presented, the database is queried to extract content and 20 authentication information of the original medium for verifying the authenticity of the presented medium. The database may take the form of any electronic, magnetic, optical, etc., storage device well known in the art. Part or all of the content data and authentication information may also be stored by printing the content data and authentication information onto the medium being managed by the document workflow 25 system. Content and authentication information may be extracted from a database dependent on the degree of information known about the medium to be verified. One method of extracting authentication information from a database is herein denoted the "single extract" method. In this method, the original medium that the 30 presented medium claims to be is known. An example of this is the case when a version of a document printed on an authenticable medium is processed using method 400 886910(1899493_1) -37 described above and a unique ID number is written to a machine readable code on the medium. When a medium is presented for authentication, the machine readable code is read and the unique ID is obtained from the code. This unique ID number may be used to access a database and obtain the content data and the authentication information for the 5 original medium. Alternatively, the signature of the authenticable medium itself may be recorded in a machine readable code written onto the authenticable medium. In this case, only one comparison of signatures for two media needs to be conducted. If the medium to be verified fails to match the signature pertaining to the medium with the same unique ID as the medium to be verified, the medium to be verified may be declared a copy. This 10 method may be used to implement the step 525 of Fig. 5. Another method of extracting content data and authentication information from a database is herein denoted the "search extract" method. In this method, the original medium that the presented medium claims to be is unknown, or only partially known. An example of this is the case when a medium to be managed according to the document 15 management workflow system of the embodiment is processed using the method 400 described above and a unique ID number is not written in a machine readable code on the medium. When a medium is presented for authentication, there is no way to directly determine the authentication information for the original medium relating to the presented medium. In this case, the embodiment can query the database of available 20 medium signatures for all or some of the signatures available. The signature obtained for the presented medium is compared to each (or a subset) of the signatures present in the database until a match is found. If no such match is found, the medium to be verified is determined to be counterfeit. Models of the database for storing the signatures that are hybrids of the above 25 methods exist. For example, following the method 400, a medium might have a non unique ID number printed onto the medium using a machine readable code. During the method 500, the ID number may be used to select the authentication information for a limited number of potential original media from the database, so that a "search extract" process can be performed to determine whether or not the medium to be verified is 30 authentic. A few application examples are described hereinafter. 886910 (1899493_1) -38 An Application Example One application is the management of secure documents in a large company. Imagine that a large company has many employees at different security levels in a 5 number of different divisions. Each division has its own general clearance to view information within the company. For example, each division may only be able to view information relevant to that division. Within each division, there are a number of departments, each of which has different requirements regarding information. The company has produced a master strategy document in electronic form that details the 10 strategic direction of all of the divisions and each department within each division. To mitigate the damage of an information leak, the company wants to manage and control access to this document. The master strategy document and a set of versions of the document are created using the method 400. Based on the method 400, all possible content data for the master 15 strategy document is created and stored in a database. For each division, an initial version of the master strategy document is created on authenticable media and the unique signature of each divisional version of the master strategy document is recorded in the database. Each divisional version of the master strategy document is associated with a content modification rule particular to that division. To avoid information leaks, the 20 initial versions of the master strategy document may contain only basic information about the company's strategies. Each divisional version of the document is distributed to that particular division. In each department of a particular division, a multi-function printer (MFP) is set up to access the database containing the content data for the master strategy document. The MFP has a scanner and the ability to print new versions of the 25 master strategy document. Other multi-function printers in the department do not have access to the content of the master strategy document, but can still copy the content of the divisional version of the master strategy document in the manner of any ordinary document. When an employee of a particular department takes the parent division's version of 30 the master strategy document and copies that version of the document using the particular departmental MFP (MFP A) assigned to create updates of the master strategy 886910(1899493_1) -39 document, the employee is asked to enter their ID number. Once this is complete, MFP A implements the method 500. The MFP A checks if the employee has one of the legitimate initial versions of the document assigned to each division. If the employee has the legitimate original version for his/her division, a second version of the master 5 strategy document is created. The second version is tailored for the employee. The second version contains new content appropriate to the employee's grade and security level as well as updated information appropriate to the employee's department. If the employee makes a copy of the second version of the document on MFP A, the employee does not receive any additional information other than that already on the second version 10 of the document. The second version of the document is not being managed by the document management system, and so no updates or content modification is allowed. An authentic divisional version of the document is required to create copies with new updated content. Alternatively, the second version of the document could have signature information recorded and a new content modification rule associated with the second 15 version of the document to allow the second version of the document to create new versions of the master strategy document. The content modification rule assigned to the second version may not allow access to certain content data that the original divisional version was able to access. If the employee takes the authentic divisional version of the master strategy 20 document to a different MFP (MFP B, where MFP B is not authorized to update the master strategy document according to the workflow management system of the embodiment) in his/her department and makes a third copy, the third copy does not contain the updated content and the third copy cannot be used to obtain updated content even if copied using the MFP A, since the third copy is not recognized as the authentic 25 divisional version of the master strategy document. Assume now that the employee takes the authentic divisional version of the master strategy document to another department. The employee may then use an MFP (MFPC) in the second department to create a copy of the divisional master strategy document. Assume that the employee chooses to make a copy of the authentic divisional version of 30 the master strategy document using the MFPC assigned to implement the document workflow management system of the embodiment in the second department. In this case, 886910(1899493_1) - 40 the employee receives a fourth new version of the document. The fourth version contains content data relevant to the employee and his/her department as well as new content data pertaining to the second department. Since the employee is not a member of the second department, full details of the content data relevant to that department up to the 5 employee's security level is not printed on the fourth version of the document. However, information appropriate to a visitor to the second department may be printed instead, such as key contact numbers and an office layout map. From this application example, an embodiment of the invention can manage the content of an important document in an organization and supply employees with 10 information relevant to their circumstances, whilst reducing the damage of information leakage by requiring employees to have supply an original version of a document before obtaining access to the most recent data. Another Application Example 15 In another application example, consider a bank that mails a letter to customers that acts as a token to enable the customers to access additional details of their bank accounts. The customer letters are printed on authenticable media from which unique signatures are generated and stored in a database. The customer letters are versions of a single master document. Possible content data for the master document include the user's latest 20 account details, the user's transaction history, bank advertisements and information, as well as information particular to each branch of the bank. Each customer letter has a content modification rule associated with the letter that prints only the content data appropriate to the customer at any given branch of the bank. Each branch of the bank is supplied with an MFP capable of implementing the document management workflow 25 system of the embodiment of the invention. For example, if the customer takes their letter into a particular branch of the bank and makes a copy of the letter with the bank's MFP, the customer could receive a new version of the letter with their latest account information, special information pertaining to their account, the latest advertisements for the bank, as well as information about the 30 current branch the customer is in such as the branch manager's name and details of the bank's charitable works in the community. 886910(1899493_1) -41 The new versions of the letters cannot be used to obtain access to the customer's latest details and so if the customer loses one of these new versions, the information that a thief would gain from misappropriating the new version is limited. Hence, a convenient way for the customer is provided to access their account information, while giving the 5 customer the security of a physical token to protect that information. Methods, apparatuses, and computer program products have been disclosed for creating a new version of a document using an authenticable medium. Methods, apparatuses, and computer program products have also been disclosed for preparing a document on an authenticable medium for use in creating a new version of said 10 document using said authenticable medium. The embodiments of the invention are applicable to the computer and data processing industries, and in particular to printing and imaging technology industries, amongst others. The foregoing describes only some embodiments of the present invention, and modifications and/or changes can be made thereto without departing from the scope and spirit of the invention, the embodiments 15 being illustrative and not restrictive. 886910(1899493_1)

Claims (20)

1. A method of creating a new version of a document using an authenticable 5 medium, said method comprising the steps of: providing content data and authentication information associated with a plurality of printed documents, at least one content modification rule associated with each of the printed documents and at least one unique signature associated with each of said printed documents, said signature being based on at least one intrinsic characteristic of an 10 authenticable medium on which each document is printed; generating a signature from an image of a presented medium of an existing document; obtaining stored content data associated with said existing document based on said generated signature matching one or more signatures in said authentication 15 information; and creating a new version of said document if said signatures match by modifying content data of said existing document using said stored content data dependent upon at least one content modification rule associated with said existing document.

2. The method as claimed in claim 1, wherein said content modification rule 20 is dependent on a user's ID.

3. The method as claimed in claim 1, wherein said content data is updateable and said content modification rule is dependent on said content data being updateable.

4. The method as claimed in claim 1, further comprising the steps of: checking using said content modification rule to determine if at least a portion of 25 said content data is time embargoed; and excluding said portion of said content data that is determined to be time embargoed.

5. The method as claimed in claim 1, wherein said content modification rule is dependent upon a physical location of where said existing document is imaged, a 30 physical location of where said new version of said document is created, or both. 886910(1899493_1) -43

6. The method as claimed in claim 1, wherein said content modification rule is dependent on a predefined document style preference of a user, a company, a division, or a department.

7. The method as claimed in claim 1, wherein the layout of said content in 5 said new version of said document is modified dependent upon said content modification rule.

8. The method as claimed in claim 1, further comprising the steps of recording a signature of said created new version of said document and associating a content modification rule with said created new version of said document. 10

9. The method as claimed in claim 1, wherein said content data and authentication information is provided by a database storing said content data and authentication information.

10. The method as claimed in claim 1, wherein said authenticable medium comprises a medium having an irreproducible inherent random nature or structure in 15 terms of optical properties.

11. The method as claimed in claim 1, wherein said content data and said authentication information associated with said plurality of printed documents is generated by the steps of: creating a set of content data for each document to be printed in each different 20 version of said document; imaging at least one side having a signature zone of each authenticable medium for each corresponding document; generating a unique signature for each document using said corresponding signature zone of said authenticable medium; and 25 creating at least one content modification rule associated with each signature of a corresponding document.

12. The method as claimed in claim 1, further comprising the step of imaging at least a portion of said presented medium to provide said image.

13. The method as claimed in claim 1, further comprising the step of printing 30 said new version of said document on another authenticable medium. 886910 (1899493_1) - 44

14. The method as claimed in claim 12 or 13, further comprising the step of using a multi-function printer for printing and imaging.

15. The method according to claim 1, further comprising the step of selecting new content data from possible content data for said new version of said document using 5 said content modification rule.

16. A method of preparing a document on an authenticable medium for use in creating a new version of said document using said authenticable medium, said method comprising the steps of: creating a set of content data for said document to be printed in different versions 10 of said document; generating at least one unique signature from at least a portion of an authenticable medium upon which said document is to be printed as authentication information, said signature being based on at least one intrinsic characteristic of said authenticable medium; 15 associating at least one content modification rule with said generated signature of said authenticable medium; and storing said content data and said authentication information for said document to be printed on said authenticable medium.

17. The method according to claim 16, further comprising the step of printing 20 said document on said authenticable medium.

18. The method according to claim 17, wherein said at least one content modification rule provides a list of approved content data for transfer to a printer to create a new version of the document to be printed.

19. An apparatus, comprising: 25 a memory for storing data and instructions for a processor; and a processor coupled to said memory, said processor performing the method as claimed in any one of claims 1-18 dependent upon said instructions and said data.

20. A computer program product comprising a tangible computer readable medium having a computer program recorded for execution by a computer system to 30 perform the method according to any one of claims 1-18, said computer program comprising computer program code means for implementing the steps of said method. 886910(1899493_1) -45 DATED this Eighteenth Day of December, 2008 Canon Kabushiki Kaisha Patent Attorneys for the Applicant SPRUSON & FERGUSON 5 886910 (1899493_1)