Codentify

From WikiCigar

Codentify is the name of a product serialization system developed and patented back in 2005 by Philip Morris International (PMI) for tobacco product authenticity, production volume verification and supply chain control. In the production process, each cigarette package is marked with a unique visible code (also called “Codentify”), that allows authenticating the code against a central server.[1][2]

In November 2010, PMI licensed this technology to its three main competitors, namely British American Tobacco (BAT), Imperial Tobacco Group (ITG), and Japan Tobacco International (JTI), and the four companies together formed the Digital Coding and Tracking Association (DCTA) which works to promote the system in order to replace governmental revenue stamps.[3] Codentify was branded by its inventors as a “track & trace and product authentication technology”.[1]

History

In July 2004, Philip Morris International and the European Union settled a 12-year-long legal dispute concerning cigarette smuggling allegations. PMI agreed to pay 1.25 billion USD to the EU budget and its member states. In addition, PMI was legally obligated to mark its products with trackable serial codes.[4][5][6] Agreements were subsequently signed with the other three major tobacco companies.

PMI's affiliate company, Philip Morris Products S.A. created and patented the Codentify system in 2005.

In late 2010, PMI licensed Codentify technology to its main competitors BAT, JTI, and ITG free of charge.[3] The four companies, which together account for 71% of global cigarette sales (excluding China), agreed to use the PMI-developed system on all of their products to ensure “the adoption of a single industry standard, based on Codentify.”[7] The Framework Convention on Tobacco Control (FCTC) immediately voiced concerns that “Codentify should never be used for tracking and tracing purposes as tracking and tracing provisions should be implemented under the strict control and management of governments.”[8]

In 2011, the four companies formed the Digital Coding and Tracking Association (DCTA) to promote international standards and digital technologies to help governments fight smuggling, counterfeiting and tax evasion. The association was officially launched in 2013.[9]

According to the DCTA, around 12% of the global cigarette market is illicit, depriving national governments of more than US$40 billion a year in lost tax revenues,[10] and some say this is a serious underestimate.[11][12] The agreements between the EU and the four major tobacco companies aim to stem the illicit trade of cigarettes, but some academics and the anti-tobacco movement have criticized them as a wholly inadequate deterrent.[13][14] The EU has since not renewed this deal after MEPs complained that it was inappropriate for governments and tobacco companies to have such a deal.[15]

Inexto

In June 2016 the DCTA announced that it transferred Codentify to Inexto, an affiliate of the French Group Impala.[16] This was criticized by leading industry watchdogs such as the FCTC and academics such as Anna Gilmore, who is the director of the tobacco control research group at the University of Bath. She said that “Inexto could not be considered sufficiently independent from the tobacco industry”. Martyn Day, Scottish National Party Member of Parliament, says while Codentify was sold “the new owner is merely a front company and that the system is still under the effective control of the tobacco firms”.[17] Other academics such as Luk Joossens, who is the advocacy officer of the Association of European Cancer Leagues, said the sale was “predictable” and that tobacco companies will now “pretend” that Codentify is no longer part of the tobacco industry.[18] PMI have rebutted that “Inexto is fully independent from the tobacco industry.”[19]


Technology

The Codentify system is based on a machine-created, unique, human-readable multi-digit alphanumeric code that is printed directly onto every individual product during the manufacturing process.[20] A double-key encryption system, with separate central-authority-level and factory-level encryption keys each stored on its respective server, allows for factory-line production of a pre-defined number of Codentify codes that have been authorized by a central (e.g. government) server.[3]

The system-generated 12-digit variant of the code is described as pseudo-random, offering 34^12 possible combinations. Data that is unique and attributed to each discrete item (product) is encrypted into the code, such as the date and exact time of manufacture, machine count of the item, specific machine line of manufacture, brand, variant, pack size, pack type, destination market, and price.[20]

Critics of this system have argued that this approach only allows for the verification of the code itself and not of the product the code is printed on; thereby leaving the potential for copying.[2] A European Commission Assessment Report into Tracking and Tracing notes in section 5.1.2 that in addition to the Codentify code being easily copied, it also fails to link the cigarette packets to the master cases.[21]

However, this critique fails to recognize that the system does allow for recognition of copied codes when an illegitimate copy is queried. The system logic leverages geo-positioning data and will recognize if a code has been previously queried, so that it can highlight and notify that the item is suspect. Illegitimate products are invariably developed and replicated in significant numbers from a legitimate example. Once the system logic recognizes an illegitimate code, it is able to notify the system authority that this code has been compromised and is no longer valid. Due to the pseudo-random encrypted design of Codentify, illegitimate parties cannot predict codes and therefore must default either to replicating one legitimate code, which the system will identify from duplicate queries and report, or to generating random illegitimate codes, which the system will immediately recognize. Given the geo-positioning data at the time of query, both illegitimate approaches provide legitimate authorities with important data on the suspect illegitimate supply chain.

Furthermore, when the Codentify technology is coupled with aggregated data (parent-child packaging) and supply chain event tracking, the ability of the system to identify a suspect query is thereafter immediate. In essence, supply chain event tracking along the legitimate supply chain generates additional data encompassing that legitimate product’s specific provenance. Provenance that the illicit supply chain cannot replicate.
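
The duplicate-query detection described in this section, as an added sketch that is not Codentify's actual algorithm and not code from the sources cited here: a truncated HMAC stands in for the undisclosed encryption, and the 34-symbol alphabet (I and O dropped), the key, the bit layout and the region labels are all assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

ALPHABET = "0123456789ABCDEFGHJKLMNPQRSTUVWXYZ"  # 34 symbols; dropping I and O is an assumption
KEY = b"constructed-demo-key"  # stand-in for the authority's secret key

def _tag(item: int) -> bytes:
    """32-bit truncated HMAC over the item counter (not the real cipher)."""
    return hmac.new(KEY, item.to_bytes(4, "big"), hashlib.sha256).digest()[:4]

def issue(item: int) -> str:
    """Pack a 29-bit item counter plus its tag (61 bits < 34**12) into 12 characters."""
    if not 0 <= item < 1 << 29:
        raise ValueError("item counter out of range")
    n = (item << 32) | int.from_bytes(_tag(item), "big")
    out = ""
    for _ in range(12):
        n, r = divmod(n, 34)
        out = ALPHABET[r] + out
    return out

def decode(code: str):
    """Return the item counter if the code is well formed and its tag verifies, else None."""
    if len(code) != 12 or any(c not in ALPHABET for c in code):
        return None
    n = 0
    for c in code:
        n = n * 34 + ALPHABET.index(c)
    item, tag = n >> 32, (n & 0xFFFFFFFF).to_bytes(4, "big")
    return item if hmac.compare_digest(tag, _tag(item)) else None

class Verifier:
    """Central query service: checks the code, then its query history."""
    def __init__(self):
        self.seen = defaultdict(set)  # code -> regions it has been queried from

    def query(self, code: str, region: str) -> str:
        if decode(code) is None:
            return "INVALID"  # guessed or malformed code
        earlier = set(self.seen[code])
        self.seen[code].add(region)
        if not earlier:
            return "OK"  # first sighting: original and clone look identical here
        return "SUSPECT_DUPLICATE" if region in earlier else "SUSPECT_MIGRATED"
```

The first query of a copied code returns OK regardless of which pack carries it, which is the critics' point that the code rather than the product is verified; only later queries of the same code raise a flag.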

Criticism

Codentify has been the subject of harsh criticism as a tobacco-industry-promoted system which is aimed at undermining public health efforts and is not capable of curbing the illicit trade of cigarettes.[22] This criticism has come from some academics and pro-health groups,[2] including the WHO.[23]

The WHO FCTC Protocol on the Elimination of the Illicit Trade in Tobacco Products states in article 8, section 12 that tobacco tracking and regulation “shall not be performed by or delegated to the tobacco industry”.[24][25] Today, the Codentify technology is under totally independent ownership and management, having no capitalistic or governance link to the tobacco industry, with application of a successor product (INEXTOR) that is now present across multiple industries outside of tobacco, including beer, fine spirits, luxury goods, automotive parts, and pharmaceuticals.

Critics of the tobacco industry say Codentify is simply not good enough, “because it focuses too much on production and does not store product codes or track them.”[2][26] However, the Codentify system does not require the storage of codes in the clear for security purposes (though it is capable of performing this task, if specified by the central authority), as such mass storage of legitimate codes exposes them to potential compromise. The Codentify technology uses decryption processes to deliver authentication and validation of an item and is able to provide the item’s descriptive and unique attributes in parallel, with a near-instant response time.

Heavy criticism has also been launched at the factory-level keys the system uses to provide unique verification codes for the product. Since these secret keys are stored on company and government servers, abuse of privileges on this level would allow criminals to generate additional codes, which would appear to be genuine to the system.[2][27] However, this criticism does not take into account that the central server keys are not shared with the manufacturer nor does it account for the dynamic and static key multi-level encryption method designed into the system, which jointly provide the legitimate authority with complete and secure control over the code authorization process.

The decentralized nature of the system addresses the realities of imperfect connectivity across complex, cross-border supply chains by ensuring central control and oversight of secure code generation within production environments, whilst providing legitimate manufacturing assets continuity of production under parameters dictated by the central authority.[27]

Action on Smoking and Health (ASH) described the system as a black box created by the tobacco industry that uses unsecured equipment that is vulnerable to code recycling.[28] However, this criticism does not take into account that: (i) codes can only be legitimized by the central authority server, (ii) the algorithm and both static and dynamic keys remain secret to and under strict control of the central authority, (iii) the method applied in the generation of the codes is patented and therefore visible to the public. Under this strict control regime, illegitimate creation of codes is not possible. Illicit techniques such as “code recycling” (using codes of products rejected in quality control), “code cloning” (printing the same code on multiple products), and “code migration” (reprinting codes used in one country elsewhere), which allow genuine codes to be reused multiple times, are therefore rendered obsolete and defeated by this multi-layer encryption method.

Philip Morris has been accused, via its South American subsidiary Massalin Particulares, of using bribery and extortion to implement Codentify and Inexto in Argentina.[29]

“The directors, managers and legal representatives of PMI and its Argentine subsidiary Massalin Particulares S.R.L. (MP) are being investigated within the framework of a criminal case in federal court…,” Attorney Alejandro Sánchez Kalbermatten wrote in a 2017 letter to the Security and Exchange Commission in the United States.

A decision by the Federal Court of Argentina overseeing the case concluded that the plaintiff, Attorney Alejandro Sánchez Kalbermatten, had no standing and that the accusations made in the complaint were not substantiated by material facts. As a consequence, the case No.17.766/2016 was fully dismissed on September 28, 2017.[30]

References

  1. "Codentify E Brochure" (PDF). Pmi.com. Archived from the original (PDF) on 2016-03-28. Retrieved 2017-03-04.
  2. Joossens, Luk; Gilmore, Anna B. (2013-03-12). "The transnational tobacco companies' strategy to promote Codentify, their inadequate tracking and tracing standard". Tobacco Control. 23 (e1): tobaccocontrol–2012–050796. doi:10.1136/tobaccocontrol-2012-050796. ISSN 1468-3318. PMC 3897562. PMID 23481904.
  3. "Does the tobacco industry have a tracking and tracing system that governments can use?" (PDF). World No Tobacco Day 2015.
  4. Tran, Mark (2004-07-09). "Philip Morris reaches $1.25bn EU agreement". The Guardian. ISSN 0261-3077. Retrieved 2016-10-27.
  5. "European Commission - PRESS RELEASES - Press release - European Commission and Philip Morris International sign 12-year Agreement to combat contraband and counterfeit cigarettes". europa.eu. Retrieved 2016-10-27.
  6. Madeleine Heyward LL.M. (New York). "Legal analysis of the agreements between the European Union, Member States, and multinational tobacco companies". Fctc.org. Retrieved 2017-03-04.
  7. Hill M. "Digital Tax Verification (DTV) Codentify, The industry Standard, October 2010 and Philip Morris International, Codentify, Brochure, 2012" (PDF). Pmi.com. Archived from the original (PDF) on 2016-03-28. Retrieved 2017-03-04.
  8. "Framework Convention Alliance Bulletin". Fctc.org. Retrieved 2017-03-04.
  9. "Association launched to fight illicit trade in excisable goods". MarketWatch. Retrieved 2016-10-27.
  10. "Tobacco: where volume counts". AIT Central: fighting illicit trade.
  11. "Illicit Tobacco: What is the Tobacco Industry Trying to Do?" (PDF). Ash.org.uk. Archived from the original (PDF) on 2015-10-02. Retrieved 2017-03-04.
  12. Gilmore, Anna B.; Rowell, Andy; Gallus, Silvano; Lugo, Alessandra; Joossens, Luk; Sims, Michelle (2014). "Towards a greater understanding of the illicit tobacco trade in Europe: A review of the PMI funded 'Project Star' report". Tobacco Control. 23 (e1): e51–e61. doi:10.1136/tobaccocontrol-2013-051240. PMC 4078702. PMID 24335339.
  13. "Assessment of the European Union's illicit trade agreements with the four major Transnational Tobacco Companies | Tobacco Control". Tobaccocontrol.bmj.com. Retrieved 2017-03-04.
  14. "Tobacco smuggling - European Commission". Ec.europa.eu. Retrieved 2017-03-04.
  15. "EU to end anti-tobacco smuggling deal with Philip Morris". Financial Times. 5 July 2016. Retrieved 2017-03-04.
  16. "DCTA technology ownership transferred to Inexto, an affiliate of Impala Group" (PDF). Dcta-global.com. Archived from the original (PDF) on 2016-11-07. Retrieved 2017-03-04.
  17. "Christmas Adjournment - Hansard Online". hansard.parliament.uk. Retrieved 2017-02-28.
  18. Saturday 4th Mar 2017 (2016-06-01). "Big Tobacco suspected of dodging EU anti-smuggling rules". Euobserver.com. Retrieved 2017-03-04.
  19. "Pharmalutions Pte Ltd" (PDF). Tobacco.cleartheair.org.hk. Retrieved 2017-03-04.
  20. "Digital Tax Verification". Iticnet.org. Archived from the original on 2016-10-27. Retrieved 2017-03-04.
  21. "Analysis and Feasibility Assessment Regarding EU systems for Tracking and Tracing of Tobacco Products and for Security Features" (PDF). Ec.europa.eu. Retrieved 2017-03-04.
  22. "Condentify: an industry attempt to control illicit trade" (PDF). Corporate Accountability International. Archived from the original (PDF) on 2016-12-13. Retrieved 2016-10-27.
  23. "Dr Vera Luiza da Costa e Silva, head of the Convention Secretariat, sends her remarks to the High Level Conference: Combating tobacco industry tactics: state of play and a way forward, European Parliament, Brussels, 2 March 2016". World Health Organization. Retrieved 2016-10-27.
  24. "Protocol to Eliminate Illicit Trade in Tobacco Products" (PDF). Apps.who.int. Retrieved 2017-03-04.
  25. whyitsbad (2016-02-29). "World Health Organization is the Solution for Codentify". Why It's Bad. Retrieved 2016-10-27.
  26. Geller, Martinne. "Big Tobacco squares up as EU rules aim to track every cigarette". Reuters UK. Retrieved 2016-10-27.
  27. "Major Flaws Discovered in the Codentify Track and Trace System". Tobacco Industry facts. Archived from the original on 2016-10-27. Retrieved 2016-10-27.
  28. "Codentify_final" (PDF).
  29. "Serialization, Tracking and Tracing: Reliable and Secure Solutions - Inexto Philippe Chatelain CEO". inexto.com. Retrieved 2020-08-05.
  30. "Alejandro Sánchez Kalbermatten | Abogados.com.ar". abogados.com.ar. Retrieved 2020-08-05.