When copiers aren't just copiers

One of the trickier things we're dealing with these days are multi-function-devices. Or in specific, copiers that can email or save-to-server PDF/BMP/JPG/TIFF images of documents. You'd think this would be easy, but no.

On the one hand, we COULD just let these devices email blindly. Which would allow anonymous users to send butt-scans to the University President, a thing we generally try to avoid.

Or we could configure them with a user ID and password to send authenticated SMTP messages, and still butt-scan bomb the University President.

Ideally every one would have a specific login on these devices so there would be a full audit trail. This kind of thing can be done, but there are caveats. Swipe-card systems require all the devices to use the same back-end processor, and probably mean all the devices come from the same company. We can't use our universal login and passwords since that would require a full keyboard on these devices, and that just isn't going to happen any time soon.

The solution we've come up with isn't a good one, but it's still better than banning the enhanced functionality of these devices. Scanning can indeed reduce the amount of paper we push around. We're disabling the butt-scan vulnerability and forcing potential butt-scanners to drop the scans on a specific file-share where they'll have to forward it from a real email account.

I suspect "email my PDF" will be disabled until such time as we get a card-swipe system, or some other way to individually authenticate copier users.


we're using the DocXcenter from Ricoh, full audit with network authentication can use ldap, edir or AD). it's not cheap and it only works with Ricoh equipment, but most major brands have some sort of backend management software.

Just put up webcams by all the copiers and keep a log of times. There's your audit trail. Might take a bit to identify people from the video, but it should scare most. And video is only 640x480 on most webcams :)
That silly suggestion aside: is USB functionality not an option? At the college I attend we have all Oce printers with USB ports to print off of and presumably scan to.

Or if you actually have an University President that has a clue, you don't disable overwhelming legitimate use under the real, but exceedingly minority potential of a butt-scan.

Sadly, most University administrators don't have a clue, and jump down IT's throat to "do something" instead of dealing with the butt scan just like they deal with obnoxious Athletic Booster - chuckle and move on.