AU2009251087A1 - Barcode removal for multi-generation anti-tamper - Google Patents

Abstract

BARCODE REMOVAL FOR MULTI-GENERATION ANTI-TAMPER Disclosed is a method (200) of producing a copy of a tamper protected document, said 5 document including content and a barcode comprising a plurality of marks modulated to encode tamper protection information related to the content of the document. The method comprises scanning the tamper protected document to produce a digital representation of the document and decoding (210, 220) the plurality of modulated marks to recover the tamper protection information stored by the barcode. The method 10 compares (320) the digital representation of the document with the recovered tamper protection information to determine one or more candidate tamper regions on the document, and identifies candidate tamper regions as one of true tamper or artefacts introduced into the document as result of a print and/or scanning process. The barcode is removed from the digital representation of the document to produce revised document 15 content incorporating at least the content of the document and the identified artefacts. The plurality of marks of a second barcode are modulated to encode the revised document content and the copy of the tamper protected document produced by combining the revised document content and the second barcode. 2446491_1 934294_specijlodge Start 110 Scan tamper protected document Process tamper protected document Process Candidate Tamper Regions NO Allow opying 180 Remove Fig I 244649_1 93294Barcodeg Inform Encode revised user document Print New Tamper/ Protected Document 170 SEnd Fig. 1 2446490_1 934294_figs_lodge

Description

S&F Ref: 934294 AUSTRALIA PATENTS ACT 1990 COMPLETE SPECIFICATION FOR A STANDARD PATENT Name and Address Canon Kabushiki Kaisha, of 30-2, Shimomaruko 3 of Applicant: chome, Ohta-ku, Tokyo, 146, Japan Actual Inventor(s): Shaun Peter O'Keefe Graeme Wong-See Address for Service: Spruson & Ferguson St Martins Tower Level 35 31 Market Street Sydney NSW 2000 (CCN 3710000177) Invention Title: Barcode removal for multi-generation anti-tamper The following statement is a full description of this invention, including the best method of performing it known to me/us: 5845c(2456088 1) - 1 BARCODE REMOVAL FOR MULTI-GENERATION ANTI-TAMPER TECHNICAL FIELD The present invention relates generally to documents and, in particular, to document protection. The present invention also relates to a method and apparatus for generating, printing and reading protected documents, and to a computer program 5 product including a computer readable medium having recorded thereon a computer program for generating, printing and reading protected documents. BACKGROUND It is often desirable to have the ability to determine whether a printed document has been altered or tampered in some manner from the time the document was printed. 10 Organisations or individuals using printed documents such as cheques or legal documents can benefit from this kind of protection which ensures the integrity of the printed document. A printed document has certain characteristics or representation. When the printed document is changed, altered or tampered with, those characteristics or 15 representation change as well. The ability to detect those changes or tamper provides a level of protection and assurance that a printed document has not been tampered with. One method to protect a printed document is to encode a representation of a document into a barcode which is then combined with the original contents of that document and then printed to form a tamper protected printed document. 20 A tamper protection application running on a computing device is then used to determine whether the tamper protected printed document has been tampered or not. This is done by scanning the tamper protected printed document to obtain a digital representation of the tamper protected printed document. The barcode is then decoded to 2446491_1 934294_speci-lodge -2 obtain the information which shows the representation of the non tampered document. If the representation of the scanned tamper protected printed document is different from the representation obtained by decoding the barcode, this indicates that tamper has occurred. The tamper protection application can use this information to show where on the tamper 5 protected printed document the tamper has occurred. An advantage of this method is that all the information regarding the original representation of the page is carried within the printed document itself. There is no need for a file server which stores the original document which is then used to compare against. 10 Often a tamper protected printed document needs to be copied for other parties. For example a legal document may need to be copied to be sent to all parties in a transaction. It is desirable to ensure that the legal document has not been tampered with before copying. One approach to producing copies of printed documents is to use a file server to 15 store the original document. A barcode with document page ID information is added to each page of the printed document. When a copy is required, the printed document page is scanned and the barcode is decoded. The document page ID information is then used to retrieve the original document page from the file server and the document page is printed. A disadvantage of this approach is that a file server is required to store all the 20 documents. In addition, a file server has limited storage which restricts the number of documents that can be stored. When the representation of the page is encoded into a barcode and added to the document to form a tamper protected printed document all the information for tamper protection is on the printed document itself. When a copy is required, it is a simple 2446491_1 934294_speci_lodge -3 matter of scanning the tamper protected printed document into the tamper protection application to check for tamper. If a copy is permissible, then print out a copy. A limitation of this method is that reliable tamper protection is only possible for a limited number of copy generations. After a number of copy generations, areas around 5 the edges where toner is laid onto the page will begin to show up as areas of tamper in the tamper protection application even when no tamper has occurred. This is due to an electro-mechanical-photographic process known as dot-gain. When a paper document is scanned and reprinted on a device such as a photocopier or multifunction printer, the newly printed paper is never a perfect copy. 10 Due to dot-gain, the area where toner is laid down will often become larger than on the original paper. After a number of copies, the areas of toner laid down on the paper will be significantly more than the toner laid down on the original due to the accumulated effect of dot-gain. The problem then arises when using the tamper protection data which 15 indicates whether the document has been tampered or not. The anti-tamper application will show that areas in the document, particularly on the edges where toner is laid down have been tampered with due to the increased size of toner area. This leads to a false positive indication that tamper has occurred on the document. It is desirable to have a method whereby the tamper protection in the tamper 20 protected printed document is maintained through several generations of copying to minimise the occurrence of false positive indications of tamper. SUMMARY It is the object of the present invention to substantially overcome or at least ameliorate, one or more of the disadvantages of existing arrangements. 2446491_1 934294_speci-lodge -4 Disclosed is a method of producing a copy of a tamper protected document, said document including content and a barcode comprising a plurality of marks modulated to encode tamper protection information related to the content of the document. The method comprises scanning the tamper protected document to produce a digital 5 representation of the document and decoding the plurality of modulated marks to recover the tamper protection information stored by the barcode. The method compares the digital representation of the document with the recovered tamper protection information to determine one or more candidate tamper regions on the document, and identifies candidate tamper regions as one of true tamper or artefacts introduced into the 10 document as result of a print and/or scanning process. The barcode is removed from the digital representation of the document to produce revised document content incorporating at least the content of the document and the identified artefacts. The plurality of marks of a second barcode are modulated to encode the revised document content and the copy of the tamper protected document produced by combining the 15 revised document content and the second barcode. BRIEF DESCRIPTION OF THE DRAWINGS One or more embodiments of the invention will now be described with reference to the following drawings, in which: Fig. I is a flowchart according to an embodiment of the invention; 20 Fig. 2 is a flowchart of step 120; Fig. 3 is a flowchart of step 130; Fig. 4 is a flowchart of step 140; Fig. 5 shows the modulation of a dot; Fig. 6 shows the modulation of a dot in greater detail; 2446491_1 934294_speci_lodge -5 Fig. 7 shows a portion of a protected document; Fig. 8 shows the area used to calculate the average pixel intensity; Fig. 9 shows a portion of a tampered document where an "e" has been changed to an "8"; 5 Fig. 10 shows the altered area highlighted on the tampered document; Fig. 11 depicts a protected document which has been altered in an unauthorised manner, after processing using the disclosed arrangements; Fig. 12 is a diagram showing a simple technique to remove a dot from a scanned image; 10 Fig. 13 is a diagramming showing an example of copier dot gain; and Figs. 14A and 14B form a schematic block diagram of a general purpose computer system upon which the arrangements described can be practiced. DETAILED DESCRIPTION INCLUDING BEST MODE A barcode can be used to store tamper protection information which can then be 15 added to a digital document and printed. The tamper protection information is made by sampling some representation or image property of the document and then encoding the information into a barcode. When added to the document and printed, the tamper protection information forms an integral part of the document and is carried with the document contents. This forms a convenient means of tamper protection as the tamper 20 protection information is self contained in the printed document and so eliminates the need to store and access the original digital document. Figs. 14A and 14B collectively form a schematic block diagram of a general purpose computer system 1400, upon which the various arrangements described can be practiced. 2446491_1 934294_specijtodge -6 As seen in Fig. 14A, the computer system 1400 is formed by a computer module 1401, input devices such as a keyboard 1402, a mouse pointer device 1403, a scanner 1426, a camera 1427, and a microphone 1480, and output devices including a printer 1415, a display device 1414 and loudspeakers 1417. An external Modulator 5 Demodulator (Modem) transceiver device 1416 may be used by the computer module 1401 for communicating to and from a communications network 1420 via a connection 1421. The network 1420 may be a wide-area network (WAN), such as the Internet or a private WAN. Where the connection 1421 is a telephone line, the modem 1416 may be a traditional "dial-up" modem. Alternatively, where the connection 1421 is 10 a high capacity (eg: cable) connection, the modem 1416 may be a broadband modem. A wireless modem may also be used for wireless connection to the network 1420. The computer module 1401 typically includes at least one processor unit 1405, and a memory unit 1406 for example formed from semiconductor random access memory (RAM) and semiconductor read only memory (ROM). The module 1401 also 15 includes an number of input/output (I/O) interfaces including an audio-video interface 1407 that couples to the video display 1414, loudspeakers 1417 and microphone 1480, an I/O interface 1413 for the keyboard 1402, mouse 1403, scanner 1426, camera 1427 and optionally a joystick (not illustrated), and an interface 1408 for the external modem 1416 and printer 1415. In some implementations, 20 the modem 1416 may be incorporated within the computer module 1401, for example within the interface 1408. The computer module 1401 also has a local network interface 1411 which, via a connection 1423, permits coupling of the computer system 1400 to a local computer network 1422, known as a Local Area Network (LAN). As also illustrated, the local network 1422 may also couple to the wide network 1420 via a 2446491_1 934294_speci-lodge -7 connection 1424, which would typically include a so-called "firewall" device or device of similar functionality. The interface 1411 may be formed by an EthernetTM circuit card, a Bluetoothm wireless arrangement or an IEEE 802.11 wireless arrangement. The interfaces 1408 and 1413 may afford either or both of serial and parallel 5 connectivity, the former typically being implemented according to the Universal Serial Bus (USB) standards and having corresponding USB connectors (not illustrated). Storage devices 1409 are provided and typically include a hard disk drive (HDD) 1410. Other storage devices such as a floppy disk drive and a magnetic tape drive (not illustrated) may also be used. An optical disk drive 1412 is typically provided to act as a 10 non-volatile source of data. Portable memory devices, such optical disks (eg: CD-ROM, DVD), USB-RAM, and floppy disks for example may then be used as appropriate sources of data to the system 1400. The components 1405 to 1413 of the computer module 1401 typically communicate via an interconnected bus 1404 and in a manner which results in a 15 conventional mode of operation of the computer system 1400 known to those in the relevant art. Examples of computers on which the described arrangements can be practised include IBM-PC's and compatibles, Sun Sparcstations, Apple MacTM or alike computer systems evolved therefrom. The method of copying a tamper protected document may be implemented using 20 the computer system 1400 wherein the processes of Figs. I to 13, to be described, may be implemented as one or more software application programs 1433 executable within the computer system 1400. In particular, the steps of the method of copying a tamper protected document are effected by instructions 1431 in the software 1433 that are carried out within the computer system 1400. The software instructions 1431 may be 2446491_1 934294_speci_lodge -8 formed as one or more code modules, each for performing one or more particular tasks. The software may also be divided into two separate parts, in which a first part and the corresponding code modules performs the copying methods and a second part and the corresponding code modules manage a user interface between the first part and the user. 5 The software 1433 is generally loaded into the computer system 1400 from a computer readable medium, and is then typically stored in the HDD 1410, as illustrated in Fig. 14A, or the memory 1406, after which the software 1433 can be executed by the computer system 1400. In some instances, the application programs 1433 may be supplied to the user encoded on one or more CD-ROM 1425 and read via the 10 corresponding drive 1412 prior to storage in the memory 1410 or 1406. Alternatively the software 1433 may be read by the computer system 1400 from the networks 1420 or 1422 or loaded into the computer system 1400 from other computer readable media. Computer readable storage media refers to any storage medium that participates in providing instructions and/or data to the computer system 1400 for execution and/or 15 processing. Examples of such storage media include floppy disks, magnetic tape, CD ROM, a hard disk drive, a ROM or integrated circuit, USB memory, a magneto-optical disk, or a computer readable card such as a PCMCIA card and the like, whether or not such devices are internal or external of the computer module 1401. Examples of computer readable transmission media that may also participate in the provision of 20 software, application programs, instructions and/or data to the computer module 1401 include radio or infra-red transmission channels as well as a network connection to another computer or networked device, and the Internet or Intranets including e-mail transmissions and information recorded on Websites and the like. 2446491_1 934294_speci_lodge -9 The second part of the application programs 1433 and the corresponding code modules mentioned above may be executed to implement one or more graphical user interfaces (GUls) to be rendered or otherwise represented upon the display 1414. Through manipulation of typically the keyboard 1402 and the mouse 1403, a user of the 5 computer system 1400 and the application may manipulate the interface in a functionally adaptable manner to provide controlling commands and/or input to the applications associated with the GUI(s). Other forms of functionally adaptable user interfaces may also be implemented, such as an audio interface utilizing speech prompts output via the loudspeakers 1417 and user voice commands input via the microphone 1480. 10 Fig. 14B is a detailed schematic block diagram of the processor 1405 and a "memory" 1434. The memory 1434 represents a logical aggregation of all the memory devices (including the HDD 1410 and semiconductor memory 1406) that can be accessed by the computer module 1401 in Fig. 14A. When the computer module 1401 is initially powered up, a power-on self-test 15 (POST) program 1450 executes. The POST program 1450 is typically stored in a ROM 1449 of the semiconductor memory 1406. A program permanently stored in a hardware device such as the ROM 1449 is sometimes referred to as firmware. The POST program 1450 examines hardware within the computer module 1401 to ensure proper functioning, and typically checks the processor 1405, the memory (1409, 1406), 20 and a basic input-output systems software (BIOS) module 1451, also typically stored in the ROM 1449, for correct operation. Once the POST program 1450 has run successfully, the BIOS 1451 activates the hard disk drive 1410. Activation of the hard disk drive 1410 causes a bootstrap loader program 1452 that is resident on the hard disk drive 1410 to execute via the processor 1405. This loads an operating system 1453 into 2446491_1 934294_specilodge -10 the RAM memory 1406 upon which the operating system 1453 commences operation. The operating system 1453 is a system level application, executable by the processor 1405, to fulfil various high level functions, including processor management, memory management, device management, storage management, software application 5 interface, and generic user interface. The operating system 1453 manages the memory (1409, 1406) in order to ensure that each process or application running on the computer module 1401 has sufficient memory in which to execute without colliding with memory allocated to another process. Furthermore, the different types of memory available in the system 1400 must be used 10 properly so that each process can run effectively. Accordingly, the aggregated memory 1434 is not intended to illustrate how particular segments of memory are allocated (unless otherwise stated), but rather to provide a general view of the memory accessible by the computer system 1400 and how such is used. The processor 1405 includes a number of functional modules including a control 15 unit 1439, an arithmetic logic unit (ALU) 1440, and a local or internal memory 1448, sometimes called a cache memory. The cache memory 1448 typically includes a number of storage registers 1444 - 1446 in a register section. One or more internal buses 1441 functionally interconnect these functional modules. The processor 1405 typically also has one or more interfaces 1442 for communicating with external devices via the system 20 bus 1404, using a connection 1418. The application program 1433 includes a sequence of instructions 1431 that may include conditional branch and loop instructions. The program 1433 may also include data 1432 which is used in execution of the program 1433. The instructions 1431 and the data 1432 are stored in memory locations 1428-1430 and 1435-1437 respectively. 2446491_1 934294_specijlodge - I1 Depending upon the relative size of the instructions 1431 and the memory locations 1428-1430, a particular instruction may be stored in a single memory location as depicted by the instruction shown in the memory location 1430. Alternately, an instruction may be segmented into a number of parts each of which is stored in a separate 5 memory location, as depicted by the instruction segments shown in the memory locations 1428-1429. In general, the processor 1405 is given a set of instructions which are executed therein. The processor 1405 then waits for a subsequent input, to which it reacts to by executing another set of instructions. Each input may be provided from one or more of a 10 number of sources, including data generated by one or more of the input devices 1402, 1403, data received from an external source across one of the networks 1420, 1422, data retrieved from one of the storage devices 1406, 1409 or data retrieved from a storage medium 1425 inserted into the corresponding reader 1412. The execution of a set of the instructions may in some cases result in output of data. 15 Execution may also involve storing data or variables to the memory 1434. The disclosed copying arrangements use input variables 1454, that are stored in the memory 1434 in corresponding memory locations 1455-1458. The copyingarrangements produce output variables 1461, that are stored in the memory 1434 in corresponding memory locations 1462-1465. Intermediate variables may be stored in 20 memory locations 1459, 1460, 1466 and 1467. The register section 1444-1446, the arithmetic logic unit (ALU) 1440, and the control unit 1439 of the processor 1405 work together to perform sequences of micro operations needed to perform "fetch, decode, and execute" cycles for every instruction in 2446491_1 934294_specilodge - 12 the instruction set making up the program 1433. Each fetch, decode, and execute cycle comprises: (a) a fetch operation, which fetches or reads an instruction 1431 from a memory location 1428; 5 (b) a decode operation in which the control unit 1439 determines which instruction has been fetched; and (c) an execute operation in which the control unit 1439 and/or the ALU 1440 execute the instruction. Thereafter, a further fetch, decode, and execute cycle for the next instruction may 10 be executed. Similarly, a store cycle may be performed by which the control unit 1439 stores or writes a value to a memory location 1432. Each step or sub-process in the processes of Figs. I to 13 is associated with one or more segments of the program 1433, and is performed by the register section 1444 1447, the ALU 1440, and the control unit 1439 in the processor 1405 working together 15 to perform the fetch, decode, and execute cycles for every instruction in the instruction set for the noted segments of the program 1433. The method of copying a tamper protected document may alternatively be implemented in dedicated hardware such as one or more integrated circuits performing the functions or sub functions of copying a tamper protected document. Such dedicated 20 hardware may include graphic processors, digital signal processors, or one or more microprocessors and associated memories. In the preferred embodiment, the barcode used is a two-dimensional dot barcode. Fig. 7 shows an enlarged view 700 of part of a protected document showing the two dimensional dot barcode. Document protection is provided using a large number of 2446491_1 934294_specijlodge - 13 protection dots 702 in an array 706. The dots may be more generically termed marks. Each protection dot 702 is located at or in the vicinity of a corresponding intersection point 703 of a regular square grid 705 formed by horizontal lines 701 and vertical lines 704. It is noted that it is the protection dots 702 that provide the protection, and not the 5 grid 705. The grid is depicted purely to provide a frame of reference for describing the location of the protection dots 702, and accordingly the grid 705 may be considered a "virtual" grid. Data is encoded in the protection dots by placing the dot at some known location relative to the intersection point of the grid. Each different location represents a different 10 data value. Fig. 5 illustrates one example of modulation of the protection dots in greater detail. A spatially modulated protection dot 502 lies close to or upon an intersection point 505 of a regular grid 501. The dot 502 is spatially modulated to one of nine possible positions such as 503. The set of possible modulation positions is depicted by a dashed outline 509. The spatial modulation, performed by translating a protection dot 15 502 in a lateral (507) and transverse (508) direction relative to a corresponding intersection point 505, encodes data in the modulated protection dot. Fig. 6 shows the modulation as depicted in Fig. 5 in more detail. In Fig. 6, the set of modulation positions 606 is centred on a grid intersection point 604 of a grid 602. Each modulation position, such as position 601, has an associated digital code value 603. 20 The digital code value 603 for the position 601 is "0". The nine modulation positions (including the modulation position 601) allows each dot to encode one of nine possible digital code values. Each modulation position may equivalently be represented as a vector 605. Alternate modulation schemes with smaller or larger number of modulation positions can also be used. 2446491_1 934294_speci_lodge - 14 Once the modulation scheme has been chosen, a representation or image property of the document needs to be chosen. In the preferred embodiment, the representation or image property used is average pixel intensity in a defined area known as an annulus. Fig. 8 shows an annulus centred around a sampling point 801 that is used to 5 calculate the average pixel intensity. To determine the image property value and hence which modulation position will be used for an individual protection dot 702 the document is first converted to a greyscale image. The greyscale bitmap image is then binarised to form a black and while image by first applying a filter function, such as a Gaussian blur, to the greyscale image. The greyscale image is then binarised, by 10 applying a threshold function, to form a black and white image. Then, the average pixel intensity of an annular area 802 around the sampling point 801 is determined. Ideally the area 802 overlaps with corresponding areas associated with other protection dots. In the present example, the area 802 encompasses part of a letter 'E' 803. The pixel intensity that is determined for the area 802 is scaled, using a suitable scale factor, to one of the 15 possible digital code values 603 and encoded the sample image property in a protection dot 702. In the preferred embodiment, the property used is average pixel intensity and the shape used is an annulus. However other shapes such as a circle or square could be used. Furthermore different properties such as other measures of pixel intensity or frequency 20 representations could be used. Where tampering occurs, the average pixel intensity in the area of the tamper changes and can therefore be detected by comparing the sampled value with the encoded value. This is illustrated in Fig. 9 where the character "E" 803 from Fig. 8 has been tampered to form an "8" 903. The average pixel intensity in the area 901 around the grid 2446491_1 934294_speci_lodge - 15 intersection 902 will change due to tamper. In this example the average pixel intensity in area 901 will have increased from the average pixel intensity in area 802. If the difference between the expected and actual values for the tamper protection property is greater than a threshold, this indicates possible tamper. Fig. 10 shows the area around 5 the "8" highlighted 1001 because this area has been identified as a candidate tamper region. In cases where it is permissible to copy a tamper protected document, it is desirable to first remove the barcode from the document. This allows us to update the tamper protection information to limit the effects copier artefacts such as dot gain have 10 on the robustness of the tamper protection. Fig. 13 illustrates dot gain that occurs in the copying process. The original letter "E" 1301 is shown. After copying the letter "E" 1302 is shown as slightly enlarged. After several generations of copying, the dot gain is large enough to alter the image property value at a sampling point. Fig. I shows a flowchart of a process to copy a tamper protected document. The 15 process 100 begins at step 110 with the scanning of the tamper protected document to form a digital representation of the tamper protected document. On a device such as a multifunction printer (MFP), a scanner is built into the MFP and is used for this function although alternative scanning devices may be used. Next, step 120 takes the digital representation of the tamper protected document 20 and extracts the tamper protection information that is contained in the barcode printed on the tamper protected document. The encoded tamper protection property value for each sampling point in the document is derived from the tamper protection information. In subsequent step 130, the digital representation of the tamper protected document is used to calculate the tamper protection property value for the same sampling 2446491_1 934294_specijlodge -16 points in the document. The tamper protection property values are used in conjunction with the encoded tamper protection property values for each sampling point in the document and processed together to determine candidate tamper regions. The result of step 130 is the decision to allow or disallow copying is used in step 190. 5 If copying is disallowed, the user is informed in step 180 and proceeds to step 170. If copying is allowed, step 140 is performed where the barcode is removed from the digital representation of the tamper protected document to produce a revised document. 10 Next in step 150, new tamper protection information is created from the revised document. A barcode is created from the new tamper protection information and combined with the revised document to form a new tamper protected document. Step 160 prints the new tamper protected document. The new tamper protected document will contain the document combined with new tamper protection information 15 that takes into account changes such as dot gain introduced by the copying process. After step 160, the process concludes at step 170. Once a digital representation of the tamper protected document has been obtained, step 120 occurs. Fig. 2 shows step 120 in more detail. This process starts at 200. In this process, the digital representation of the tamper protected document is used 20 to decode the barcode to extract the tamper protection information that is carried in the barcode. In the first stage 210, the digital representation is examined and heuristics are used to locate all dots that appear like barcode dots. The output of 210 is a dot list of (x, y) pixel coordinates of the centre of mass of each located dot. Not every dot in this list will be a tamper protection dot as there will be dots that are naturally a part of the 2446491_1 934294_speci-lodge - 17 document. An example is the dot in the lowercase letter "i". It is necessary to extract those dots that are a part of the tamper protection dots. This is done in the second stage 220, a priority-based flood-fill algorithm is used to fit suitable grids over the locations of located dots. The output of 220 will be a single grid 705 that covers the digital 5 representation of the tamper protected document. Step 230 uses knowledge of the grid 705, to extract a list of tamper protection dots 702 associated with grid 705. The tamper protection information is extracted with knowledge of the modulation scheme used in conjunction with knowledge of the grid location and the list of tamper protection dot locations. Step 240 shows the decoded tamper protection data used to establish the 10 expected value of the tamper protection property for each sampling point. This information is used in a subsequent process 300 that compares the expected value with the actual value to determine whether tamper has occurred. The process ends at 250. After calculating the expected value of the tamper protection property for all the sampling points from the tamper protection dots, the actual value of the tamper 15 protection property for all the sampling points from the digital representation of the tamper protected document is calculated in step 130. Fig. 3 shows step 130 in more detail. The process starts at step 300. In step 310 the tamper protection property value for every sampling point is calculated using the same method shown in Fig. 8 from the digital representation of the tamper protected 20 document. In step 320 these values are then compared to the expected values obtained in step 240 from the recovered tamper protection information. If the difference between the expected and calculated tamper protection property value is greater than a predetermined threshold the region is identified as a candidate tamper region. In step 330, after the identifying, all the candidate tamper regions are displayed to the user on a screen. In the 2446491_1 934294_spedlodge - 18 preferred embodiment, the user is visually shown the document with the candidate tamper regions highlighted. Fig. 11 is an example of displaying the highlighted candidate tamper regions. A first view 1100 shows a fragment of a protected document upon which the word "EGG" and an associated array 1101 of protection dots has been 5 printed. A second view 1102 shows the same document fragment after processing using the disclosed arrangements. In the second view, the word "EGG" has been amended to read "EGGS". The tampering is the added letter "S" 1103. The areas around the letter "S" 1103 is highlighted 1104 visually. By examination of the highlighted candidate tamper regions the user can assess whether the tamper is unauthorised (i.e. true tamper), 10 authorised or the result of copier artefacts such as dot gain. An example of authorised tamper could be the addition of a signature to a document. Unauthorised, or true, tamper could be the changing of a monetary amount or date to a document. In step 180 the user is informed if unauthorised tamper has occurred and copying disallowed. This could be done visually on a screen on the MFP, computer screen or 15 similar device. The process 100 then terminates at step 170. If the decision is to allow copying, a revised document is created in step 140. The revised document is created by removing the tamper protection dots from the tamper protected document. Fig. 4 shows this step 140 in more detail where the revised document content incorporates at least the content of the document and the identified 20 artefacts. The location of tamper protection dots to be removed is the list of dot locations produced in step 220. In step 410 a replacement bitmap is calculated for each dot location. For each dot 1201 two concentric squares 1202 and 1203 are defined. Each square has a fixed size that is determined experimentally. Examples for suitable sizes are 4 pixels for 1203 and 10 pixels for 1202. Next, the average pixel value of the 2446491_1 934294_speci_lodge - 19 pixels in the area between the two concentric squares 1204 is calculated. In step 420, dot 1203 is filled with the calculated average pixel value, erasing the dot from the scanned image with minimal background disturbance. In step 150 the content of the revised document is now used to create new tamper 5 protection information. The new tamper protection information is calculated as disclosed earlier. Because the new tamper protection information is based on the revised document, it will take into account copier artefacts such as dot gain that occurs during the copying process. This will improve the robustness of the tamper protection information by making it less susceptible to false positive indications of tamper due to 10 accumulated errors such as dot gain. The new tamper protection information is encoded into a new 2D barcode and combined with the revised document to form a new tamper protected document. In one embodiment, the new 2D barcode may also encode information relating to the generation history of the document, such as the number of times the tamper protection information has been updated, or regions where authorised 15 changes have been made since the document was first created. The copying process is completed in step 160 by printing the new document on the printing device such as a MFP. The process 100 then terminates at step 170. INDUSTRIAL APPLICABILITY 20 The arrangements described are applicable to the computer and data processing industries and particularly for the copying of protected documents. The foregoing describes only some embodiments of the present invention, and modifications and/or changes can be made thereto without departing from the scope and spirit of the invention, the embodiments being illustrative and not restrictive. 2446491_1 934294_specijtodge -20 (Australia Only) In the context of this specification, the word "comprising" means "including principally but not necessarily solely" or "having" or "including", and not "consisting only of'. Variations of the word "comprising", such as "comprise" and "comprises" have correspondingly varied meanings. 5 2446491_1 934294_speci_lodge

Claims (8)

1. A method of producing a copy of a tamper protected document, said document including content and a barcode comprising a plurality of marks modulated to encode 5 tamper protection information related to the content of the document, said method comprising the step of: scanning the tamper protected document to produce a digital representation of the document; decoding the plurality of modulated marks to recover the tamper protection 10 information stored by the barcode; comparing the digital representation of the document with the recovered tamper protection information to determine one or more candidate tamper regions on the document; identifying candidate tamper regions as one of true tamper or artefacts introduced 15 into the document as result of a print and/or scanning process; removing the barcode from the digital representation of the document to produce revised document content incorporating at least the content of the document and the identified artefacts; modulating a plurality of marks of a second barcode to encode the revised 20 document content; and producing the copy of the tamper protected document by combining the revised document content and the second barcode. 2446491_1 934294_speci_lodge -22

2. The method according to claim I wherein the copy of the tamper protected document is produced when none of the candidate regions are identified as true tamper.

3. The method according to claim I wherein the artefacts include dot gain. 5

4. The method according to claim I further comprising prompting a user to identify candidate as one of true tamper or artefacts introduced into the document as result of a print and/or scanning process. 10

5. The method of claim I wherein second barcode also encodes information relating to generation history of the document.

6. A method substantially as described herein with reference to any one of the embodiments as that embodiment is illustrated in the drawings. 15

7. Computer apparatus including a processor and a memory, the memory having a program stored thereon and executable by the processor to perform the method of any one of claims 1 to 6. 20

8. A computer readable storage medium having a program recorded thereon, the program being executable by computer apparatus to perform the method of any one of claims I to 6. 2446491_1 934294_specijlodge -23 Dated this 22nd day of December 2009 5 CANON KABUSHIKI KASIHA Patent Attorneys for the Applicant Spruson&Ferguson 2446491_1 934294_speci_lodge