Identity -- It's not just for people! (Part 1)

  • Article

Yesterday I sent an email along these lines to a few friends:

Automotive part counterfeiting costs about $12B/year – just for Tier 1 suppliers. Part counterfeiting costs Ford alone $1B. Beyond automotive, according to the National Association of Manufacturing, trade of counterfeit parts is about 5-7% of global trade – around $500B per year. As you know, silver bullets are rare. Even so, I think there are tremendous opportunities for the industry to do better. Today, parts often have barcodes and sometimes RFID tags to automatically indentify them. This surely deters some counterfeiting already, and yet the problem remains enormous. 

In a sense, industry and society have faced this issue before in the form of people counterfeiting. Seriously. When a person pretends to be me in an effort to gain access to my confidential information, they are in effect presenting themselves as an imposter version of me. Just as counterfeit parts are imposters of the real parts. For identity management, industry implemented authentication, and later 2 factor authentication to help manage this problem. It’s not perfect, but it helps a lot. Technologies like CardSpace will help make human authentication even more effective in the future. 

What if parts were issued an “identity” at point of manufacture, and “authenticated” at warehouse, retailers, and service shops, etc? What would that take? Off the top of my head, one or more trusted part identity issuing authorities, a unique “identity” for each part, and a mechanism of attaching part credentials to parts, and a mechanism of validating part identity claims…? Is that it? What else? 

Surely I’m not the first to notice the similarity between part counterfeiting and impersonation attacks…. Anyone know the state of the art on this? Where is AIAG is at on this? Is there a way to adapt CardSpace to this purpose? Any thoughts on Covisint vs. Verisign as a prototype issuing authority? Others?

- Segue to today –

I invested a few minutes in research and discovered:

  • The State of Florida has passed legislation in 2005 requiring an "electronic pedigree" for drugs distributed within the state. 
  • Verisign has been pushing for an Electronic Pedigree service for pharma since 2005. 
  • In January 2007, EPC Global, Inc, ratified a standard for electronic pedigrees in pharma applications, and is currently working on extending and adapting that standard for use in other industries.   
  • I could be wrong, but CPG and Life Sciences appear to be a ways ahead of discrete manufacturing on this topic. 

So...  what is an Electronic Pedigreed (or "ePedigree")? 

According to Ross Enterprise, an electronic pedigree solution provider:

"An electronic pedigree (ePedigree) is an ever-growing chain of custody detailing a drug’s path through the supply chain, in which each company involved in the manufacture or distribution of the drug adds to the pedigree. The seller identifies the drugs and the full chain of custody, then certifies the pedigrees and transmits them in advance to the trading partner receiving the drugs, who authenticates the pedigrees. When a drug shipment arrives, the pedigrees are matched to the products and signed, verifying their accuracy. ePedigree software maintains the product-to-pedigree match while the products are in inventory."

So the key thing here looks to me to be the "chain of custody".  As I understand it, the part/product itself is not authenticated -- only the identity of the people sending the chain of custody information.  In other words, "I am who I say I am, and here's what I'm sending you".  Then recipients get to match up what was received and what was expected.  There’s some value in that, but it seems to me a somewhat cumbersome way to verify that the product in front of you is legit. 

After all, if you could reliably authenticate the product itself that was in front of you (based on a permanently attached, tamper-evident encoding), you wouldn’t need chain of custody information (for anti-counterfeiting purposes).  Instead, you would only be interested in chain of custody if a product failed to authenticate (again, for anti-counterfeiting purposes) to help track down the bad guys.    The chain of custody approach seems like an indirect defense to me.  Like yet another layer that makes counterfeiting even more inconvenient and risky for the bad guys (a good thing).   It provides implied authenticity based on (and requiring) the existence of trust at each link of the custody chain.  

Of course, authenticating each product itself also requires trust, but the trust is only between the manufacturer<->authentication service (e.g., Verisign or someone else) and between the authentication service <-> receiver (where receiver can be any recipient in the extended supply chain including the consumer).  And having a more direct defense against counterfeiting, with fewer required trusts, seems like a good thing. 

There maybe good reasons the pharma industry is focusing on chain of custody.  The very idea of a authenticating at the product level could be problematic in some process manufacturing environments -- where the notion of "product" is partially defined by quantity -- so the difference between a pallet,a bottle, and a single pill of the same substance is arbitrary. 

If you've read this far, I'll remind you of the questions from the email to my colleagues and ask for your help! 

Anyone know the state of the art on this?  Where is AIAG is at on this?  Is there a way to adapt CardSpace to this purpose?  Any thoughts on Covisint vs. Verisign as a prototype issuing authority?  Others?

And I'll add two more questions:

Would product or part authentication effectively deter counterfeiting?  Could it be made sufficiently affordable? 

UPDATE:  I've also posted a "Part 2" here