Search

US-12619688-B2 - Document sharing protection with watermark

US12619688B2US 12619688 B2US12619688 B2US 12619688B2US-12619688-B2

Abstract

Provided is a computing system for protection against document sharing. The computing system includes a processor having associated memory, the processor being configured to execute instructions using portions of the memory to cause the processor to implement a compliance portal where a policy is established covering a plurality of documents, transmit the policy to a client device having a display screen, and in response to receiving an indication that the client device has triggered the policy, instruct the client device to modify a graphics pipeline to add an opaque watermark to a screen image displayed on the display screen.

Inventors

  • Xi Chen
  • Kalin Georgiev Toshev

Assignees

  • MICROSOFT TECHNOLOGY LICENSING, LLC

Dates

Publication Date
20260505
Application Date
20230302

Claims (20)

  1. 1 . A computing system for protection against unauthorized document sharing, comprising: a server computing device including a processor having associated memory, the processor being configured to execute instructions using portions of the memory to cause the server computing device to: implement a data leak prevention compliance portal where a policy is established covering a plurality of documents; transmit the policy to a client device having an associated display screen, wherein the policy, in response to being triggered at the client device, causes the client device to modify a graphics pipeline by a windows manager of the client device at an operating system (OS) level to add an opaque watermark to a screen image displayed on the display screen; receive a camera-captured image of the display screen including at least a portion of the watermark; and decode secure information from the watermark.
  2. 2 . The computing system of claim 1 , wherein the secure information is encoded in the watermark as a hash value.
  3. 3 . The computing system of claim 2 , wherein the server computing device is further configured to: receive the secure information and the hash value corresponding to the secure information once the client device has triggered the policy; store the secure information and hash value; and in response to a query including the hash value that is decoded from the watermark, retrieve the secure information.
  4. 4 . The computing system of claim 1 , wherein the secure information is encoded in a graphical pattern of the watermark.
  5. 5 . The computing system of claim 4 , wherein the graphical pattern illustrates a binary code using at least one of dots and dashes.
  6. 6 . The computing system of claim 1 , wherein the secure information includes at least one of a document file name, a document file type, a document file path, a timestamp, and a device and/or user identifier of the client device.
  7. 7 . The computing system of claim 1 , wherein the policy is further configured to cause the client device to divide the screen image into a plurality of regions and display the watermark in each of the plurality of regions.
  8. 8 . The computing system of claim 7 , wherein each of the plurality of regions is divided into a plurality of blocks including an anchor block indicating a start or a stop of a graphical pattern of the watermark.
  9. 9 . The computing system of claim 7 , wherein each block encodes 1 bit of data in a graphical pattern such that the graphical pattern of one region formed of the plurality of blocks encodes a plurality of bits of data.
  10. 10 . The computing system of claim 1 , wherein the screen image is a final rendered screen image displayed by the entire display screen.
  11. 11 . A method for protection against unauthorized document sharing, comprising: at a server computing device: implementing a data leak prevention compliance portal where a policy is established covering a plurality of documents; and transmitting the policy to a client device having an associated display screen, wherein the policy, in response to being triggered at the client device, causes the client device to modify a graphics pipeline by a windows manager of the client device at an operating system (OS) level to add an opaque watermark to a screen image displayed on the display screen; receiving a camera-captured image of the display screen including at least a portion of the watermark; and decoding secure information from the watermark.
  12. 12 . The method of claim 11 , wherein the secure information is encoded in the watermark as a hash value.
  13. 13 . The method of claim 12 , further comprising, at the server computing device: receiving the secure information and the hash value corresponding to the secure information once the client device has triggered the policy; storing the secure information and hash value; and in response to a query including the hash value that is decoded from the watermark, retrieving the secure information.
  14. 14 . The method of claim 11 , wherein the secure information is encoded in a graphical pattern of the watermark.
  15. 15 . The method of claim 14 , wherein the graphical pattern illustrates a binary code using at least one of dots and dashes.
  16. 16 . The method of claim 11 , wherein the secure information includes at least one of a document file name, a document file type, a document file path, a timestamp, and a device and/or user identifier of the client device.
  17. 17 . The method of claim 11 , wherein the policy is further configured to cause the client device to divide the screen image into a plurality of regions and display the watermark in each of the plurality of regions.
  18. 18 . The method of claim 17 , wherein each of the plurality of regions is divided into a plurality of blocks including an anchor block indicating a start or a stop of a graphical pattern of the watermark.
  19. 19 . The method of claim 11 , wherein the screen image is a final rendered screen image displayed by the entire display screen.
  20. 20 . A computing system for protection against unauthorized document sharing, comprising: a server computing device including a processor having associated memory, the processor being configured to execute instructions using portions of the memory to cause the server computing device to: implement a data leak prevention compliance portal where a policy is established covering a plurality of documents; and transmit the policy to a client device having an associated display screen, wherein the policy, in response to being triggered at the client device, causes the client device to: divide a screen image displayed on the display screen into a plurality of regions; modify a graphics pipeline by a windows manager of the client device at an operating system (OS) level to add a watermark to be displayed in each of the plurality of regions; and divide each of the plurality of regions into a plurality of blocks each including an anchor block indicating a start or a stop of a graphical pattern of the watermark; receive a camera-captured image of the display screen including at least a portion of the watermark; and decode secure information from the watermark.

Description

BACKGROUND Data protection is an area of rising interest across a wide variety of industries and organizations. Whether for privacy, regulation compliance, competition, anti-piracy, or other reasons, many organizations implement some sort of data protection policy to prevent the intentional or accidental distribution of confidential data. Some modes of data leakage have proven technically difficult for organizations to prevent. For example, when a picture is taken of a display screen with a separate device such as a phone camera and then distributed outside of the organization, even accidentally, many security measures such as passwords and user authentication fail to prevent the spread or recurrence of the distribution. SUMMARY A computing system for protection against document sharing may include a processor having associated memory. The processor may be configured to execute instructions using portions of the memory to cause the processor to implement a compliance portal where a policy is established covering a plurality of documents, transmit the policy to a client device having a display screen, and in response to receiving an indication that the client device has triggered the policy, instruct the client device to modify a graphics pipeline to add an opaque watermark to a screen image displayed on the display screen. This Summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter. Furthermore, the claimed subject matter is not limited to implementations that solve any or all disadvantages noted in any part of this disclosure. BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 shows a schematic view of a computing system for protection against unauthorized document sharing, according to one example of the present disclosure. FIG. 2 shows a schematic view of regions in a screen image displayed on a client device according to a policy generated by a data leak compliance portal of a server computing device and implemented by a data leak compliance service of the client device of the computing system of FIG. 1. FIG. 3 shows a schematic view of blocks within one of the regions of the screen image of FIG. 2. FIG. 4 shows an example screen image displayed on the client device of the computer system of FIG. 1, including a watermark displayed according to the regions and blocks of FIGS. 2 and 3. FIG. 5 shows an example camera image captured by a camera, including the screen image of FIG. 4. FIG. 6 shows partial detail view of a section VI of the camera image of FIG. 5, showing a portion of the watermark of the screen image as captured in the camera image. FIG. 7 shows a schematic view of extracted code computed by performing image processing on the portion of the camera image shown in FIG. 6. FIG. 8 shows a flowchart of a method for protection against unauthorized document sharing, according to one example of the present disclosure. FIG. 9 shows a schematic view of an example computing environment in which the computing system of FIG. 1 may be enacted. DETAILED DESCRIPTION To address the issues discussed above, a computing system 10 is provided for protection against unauthorized document sharing, as shown in FIG. 1. Computing system 10 includes a server computing device 12 that communicates with a client device 14 via a computer network 16, such as the Internet. The server computing device 12 includes one or more processors 18 having associated memory 20. The one or more processors 18 are configured to execute instructions using portions of the memory 20 to cause the server computing device 12 to implement a data leak prevention compliance portal 22. The compliance portal 22 may provide the server computing device 12 with the capability to control access to various confidential or protected documents and information, and may further implement a watermarking feature described below in order to, when confidentiality is breached, quickly trace and address any leaks to prevent further leaks. The client device 14 is configured to be joined to an organization as defined at the compliance portal 22 of the server computing device 12. By virtue of being joined to the organization, the client device 14 is configured to be under the administration of an administrator 24 of the organization, and the data leak prevention compliance portal 22 has access privileges sufficient to install a compliance service 26 on the client device 14. The data leak prevention compliance portal 22 communicates with the compliance service 26 client device 14 via the computer network 16. It will be appreciated that the various instances of network 16 may be the same or a different network. The compliance service 26 may be a standalone service or may be one feature of a greater integrated secu