Security Printing and Imaging : safety

Colorcon On-Dose ID Anti-Counterfeiting Technology

StevenSimske — Tue, 17 Nov 2009 16:42:00 GMT

In July, the US Food and Drug Administration (FDA) provided "guidance advocating greater use of physical chemical identifiers (PCIDs) in drug formulations as a cost-effective way of authenticating genuine products from fakes."

Colorcon has responded with its "On-Dose ID tagging technology", for labeling individual drug tablets (although I didn't at time of writing see mention of it at http://www.colorcon.com/home ).

"The microscopic tags, which are incorporated into immediate-release film coatings for oral solid dose forms, can hold encrypted information ranging from lot and batch numbers to logos, text and other brand identification symbols. Tablets labelled with the 75 – 110 micron sized tags can be read using the portable “Vision” optical viewing system developed by Colorcon’s partner ARmark Authentication Technologies."

Please see the full article on in-Pharma's site here:

http://www.in-pharmatechnologist.com/Materials-Formulation/Colorcon-rolls-out-On-Dose-ID-anti-counterfeiting-tech/?c=JiBz%2FX6W8971ORXdDDv0AQ%3D%3D&utm_source=newsletter_daily&utm_medium=email&utm_campaign=Newsletter%2BDaily

File this under "special approach, special reader needed."

Cheers,

Steve

Security--another offshoring risk

StevenSimske — Tue, 17 Nov 2009 16:29:00 GMT

A terse but excellent article on IEEE's USA Today's Engineer site today focuses on the often forgotten--or at least ignored--risk of offshoring. National security.

The full article is at: http://www.todaysengineer.org/2009/Nov/backscatter.asp. The most salient quote is:

"One area the [National Academy of Engineering] study gave relatively less attention to, listing it last in a series of ten findings, was offshoring’s impact on national security. In that regard, its main concern seemed to center on the possibility of detailed plans and other information about U.S. buildings and infrastructure falling into “the wrong hands,” and that maliciously placed code might compromise the security of DOD networks. Yet back in 1988, the Defense Science Board called the dependence of the U.S. military on foreign parts dangerously high."

I have argued in several previous blogs that it is not just national security--but any product security--that may suffer with offshoring. Offshoring is a bandage, not a cure. Always temporary in nature, it is founded on the assumption that labor will be cheaper elsewhere. Cheaper than the differential cost of transportation, shipping, inefficiencies of distributed teams, etc. Guess what? As many are seeing now, the cycle lasts less than ten years, and the first (and second) wave of offshorers are now offshoring themselves. Does this increase product security? Statistics argue otherwise (ref. WEF estimate of counterfeiting as 8% of world trade).

Offshoring makes a lot of sense when those remote, skilled professionals are invested in your company and strategy. Otherwise, it's a short-term fix to a problem that goes unaddressed.

Cheers,

Steve

GS1 Announcement of the Food Recall Portal

StevenSimske — Wed, 04 Nov 2009 15:45:00 GMT

Yes, this is an HP blog, and so you forgive me when occasionally (and inevitably) I take an HP line on an announcement, event or trend. Out of interest of serving the broader anti-counterfeiting/anti-fraud/anti-tamper/customer safety community, I point you to our partner, GS1's, announcement on the HP/GS1 Product Recall program:

http://www.gs1ca.org/Page.asp?LSM=0&intNodeID=6&intPageID=1396

I couldn't agree more with their opening statement:

"November 3, 2009 – GS1 Canada, as part of a coalition of leading Canadian industry associations representing over 65,000 manufacturers, distributors and retailers, today launched a national product recall program that will enhance consumer safety and reduce the administrative burden for business. With the increasing complexities of a global supply chain, this launch could not have come at a more important time."

Further down, you find the statement:

"The Program is founded on a standardized process created by GS1 Canada, the neutral, non-profit supply chain standards organization most well-known for creation and management of the universal product code (bar code), used by millions of businesses worldwide. This global online platform uses robust HP cloud-computing technology and is based on global GS1 standards."

This is a good approach. GS1 provides accepted and well-considered global standards through GTIN, GDSN, etc., as noted in past posts here. Who wants to spend time dickering over competing standards? Not I. A better use of time is working with the industry experts to create a single standard that is simultaneously useful, fair and globally available, and then spend time differentiating applications built atop these standards.

Cheers,

Steve

EFPIA Announcment, HP Hosting Services

StevenSimske — Mon, 26 Oct 2009 17:31:00 GMT

Remember the 24 August announcement on the HP/GS1 food recall service? If not, please enjoy as if new the following article:

http://www.communities.hp.com/online/blogs/securityprinting/archive/2009/08/25/big-news-hp-develops-cloud-service-with-gs1-canada-to-enhance-product-recall-process.aspx

This announcement introduced the HP Cloud Computing Platform for Manufacturing, as described here:

http://www.hp.com/hpinfo/newsroom/press/2009/090824xb.html

More on the overall solution, including the roles of partners Siemens, SAP and HP, is provided at:

http://www.controlglobal.com/industrynews/2009/278.html#

"In the EFPIA pilot project, Siemens IT Solutions and Services is the general contractor in cooperation with Hewlett Packard (HP) and SAP. The IT service provider is responsible for the project management and integration of the information interfaces between the pharmacies and the manufacturers. Siemens IT Solutions and Services is also responsible for operating and maintaining the IT infrastructure, including the technology and information systems, data integration, system security and system development. SAP Belgium will be in charge of the SAP object event repository (SAP OER) and the implementation services. Hewlett Packard (HP) will provide hosting services and SAP solutions testing."

The hosting services are through the HP Cloud Computing Platform for Manufacturing, as described earlier. Feel free to contact me for details.

Cheers,

Steve

EFPIA Announcements

StevenSimske — Mon, 26 Oct 2009 17:12:00 GMT

Hi, all

The next few blogs will point you to information on the recent announcement of the EFPIA 2D labelling scheme. The EFPIA is the European Federation of Pharmaceutical and Industries Association.

In-Pharma's article on this announcement is:

http://www.in-pharmatechnologist.com/Packaging/2D-barcodes-make-faking-less-attractive-says-EFPIA/?c=JiBz%2FX6W8967KGa2Liah%2FA%3D%3D&utm_source=newsletter_daily&utm_medium=email&utm_campaign=Newsletter%2BDaily

Importantly, as our partner Siemens notes,

[Siemens] "will provide connectivity for pharmacies and manufacturers to the EFPIA database, which is hosted by Hewlett Packard (HP). Manufacturers will populate the EFPIA database with the serial numbers of the saleable units shipped, and pharmacies will read those serial numbers at the point of sale (via 2D barcode) and authenticate the unit sold against the EFPIA database."

In other words, the cloud enables the crowd. 2D barcode readers are not just in the hands of the pharmacists. Look for us all--corporations, enterprises, brand owners, shippers, retailers, consumers, environmentalists--to embrace this approach. It helps level the playing field for everyone, except--one hopes--the counterfeiters.

Cheers,

Steve

In Blacksburg on November 12th? Gimme a Holler!

StevenSimske — Tue, 20 Oct 2009 22:40:00 GMT

Growing up, I lived in Eastern Kentucky "for a spell". Rural Rowan (pronounced like "round" without the "d') County, in fact, where the valley I lived in was called "Quail Hollow". As in, a snake bit me and I had to "holler". I lived right next to a "crick" (creek). I only lived there a little over a year, but the accent can come back on demand.

Another beautiful Appalachian spot to give me a holler is Blacksburg, Virginia (http://www.blacksburg.va.us/) if you're on the road in November. A nice little city where the student population is on a par with the town's population. OK, I guess you can get that in Manhattan, Kansas, too, but you might have to drive farther. And you won't have those Appalachians.

So, if you are in the neighborhood, please drop by to catch my talk at Virginia Tech's ICTAS, or Institute for Critical Technology and Applied Science (http://www.ictas.vt.edu/index.shtml). Here's the brief:

ICTAS Seminar Series – Fall 2009

Date: November 12, 2009

Time: 3:00-4:30pm

Place: 310 ICTAS

Speaker: Steven Simske, Hewlett-Packard Labs

Title: “Consumer Safety in a Rapidly Changing World: Security, Identity and Anti-Counterfeiting”

Bio & Abstract: http://www.ictas.vt.edu/pdf/seminarseries_simske.pdf

Cheers,

Steve

Rude Food? A Bright Future is Ghana Make a Difference

StevenSimske — Wed, 09 Sep 2009 18:56:00 GMT

If recent salmonella, e Coli, melamine and other food scares have you second-guessing your food chain, imagine what it may be like in some rural areas, where connectivity and information technology knowledge may be more limited.

A recent announcement states that "Researchers have presented a low cost track and trace and authentication system, which they believe could be implemented immediately, to combat counterfeiting in the developing world".

The full article is posted at:

http://www.in-pharmatechnologist.com/Processing-QC/Phone-based-anti-counterfeiting-proposed-for-developing-world/

I chatted with Ghana's Bright Simons, an Ashoka Fellow (http://www.ashoka.org/bsimons) and the Coordinator of the mPedigree network (www.mpedigree.net), about this article, since it alludes to mPedigree. Bright noted that there are some misrepresentations in the article, but overall the mPedigree approach is to associate a tamper-evident seal with a unique ID (e.g. mass serialized identifier), which is a strategy that leads to copy-based attacks by would-be counterfeiters. A cloud-based network supporting the unique IDs (i.e. providing track and trace and provenance) will help to defend the system from copy attacks. Overall, the approach is elegant--low-cost to implement, free for the consumer, and potentially ubiquitous through its mobile on-ramp.

The appropriately-named Bright was also recently named to the Tech Awards Laureates 2009, "as one of 15 global innovators recognized each year for applying technology to benefit humanity and spark global change. The Tech Awards, a signature program of The Tech Museum, and presented by Applied Materials, Inc., selected mPedigree Network from among hundreds of nominations representing 66 countries."

"The Tech Awards: Technology Benefiting Humanity (www.techawards.org) is one of the premier annual humanitarian awards programs in the world, recognizing technical solutions that benefit humanity and address the most critical issues facing our planet and its people. The awards program honors 15 scientists and innovators annually alongside the recipient of the Global Humanitarian Award. This year’s Laureates include Al Gore, former Vice President of the United States of America (Global Humanitarian Award)."

Protecting our food and our supply chains is more than just high-priority. It's award-winning.

Cheers,

Steve

NAFDAC branching out to India

StevenSimske — Thu, 06 Aug 2009 16:16:00 GMT

Nigeria is working with Interpol and planning to set up 3 offices in India to fight counterfeiting, and specifically allegedly China-produced fakes labelled “Made in India”.

The full article is posted at:

http://www.in-pharmatechnologist.com/Industry-Drivers/NAFDAC-ups-anti-counterfeiting-actions/?c=JiBz%2FX6W896MgKpnW7DU1A%3D%3D&utm_source=newsletter_daily&utm_medium=email&utm_campaign=Newsletter%2BDaily

and notes: "The battle against counterfeits in Nigeria has been fought by the National Agency for Food and Drug Administration and Control (NAFDAC), which is now taking further steps to tackle the problem. NAFDAC’s latest actions are in response to a seizure of counterfeit drugs that are believed to be of Chinese origin but were labelled 'Made in India'. The seized shipment consisted of counterfeit generic anti-malarial drugs."

I spoke to IMANI's Bright Simons (http://www.imanighana.com/bright.html) when he was in the States a couple of weeks ago. This is in direct alignment with his vision for mPedigree. Counterfeit organizations span countries, continents and hemispheres. Agencies effective at reducing the impact of these worldwide counterfeiting organizations must have worldwide span as well. Think GS1. Think ISO. If the scope of your anti-counterfeiting strategy is too small, the same will be true of its effectiveness.

Cheers,

Steve

Eye in the Sky? Try Crowd in the Cloud...

StevenSimske — Thu, 16 Apr 2009 18:19:00 GMT

Brits have been worried about the "eye in the sky"--the nearly ubiquitous camera system that monitors London. (Maybe they should be more worried about the insect-like drone of the same nickname: http://www.telegraph.co.uk/news/uknews/1580986/Microdrone-the-polices-tiny-eye-in-the-sky.html).

However, a proposed vehicular surveillance box has raised importance privacy issues:

http://www.guardian.co.uk/uk/2009/mar/31/surveillance-transport-communication-box

From the article:

"The system allows cars to 'talk' to one another and the road. A 'communication box' behind the dashboard ensures that cars send out 'heartbeat' messages every 500 milliseconds through mobile cellular and wireless local area networks, short-range microwave or infrared. The messages will be picked up by other cars in the vicinity, allowing vehicles to warn each other if they are forced to break hard or swerve to avoid a hazard. The data is also picked up by detectors at the roadside and mobile phone towers. That enables the road to communicate with cars, allowing for 'intelligent' traffic lights to turn green when cars are approaching or gantries on the motorway to announce changes to speed limits. Data will also be sent to 'control centres' that manage traffic, enabling a vastly improved system to monitor and even direct vehicles. 'A traffic controller will know where all vehicles are and even where they are headed,' said Kompfner. 'That would result in a significant reduction in congestion and replace the need for cameras.'"

It would, except does this data tell you who is in the car, or if the car hasn't been spoofed (box switched from one car to another, hacked, etc.)? Sure, this causes every privacy-firster to complain, but in reality, isn't this a bigger concern for proof? Provenance of the devices? This approach may actually play into the hands of thugs. Spoof someone else's car, and you're in the clear.

Security is not a patch. It's a quilt. This will augment, not replace, the need for cameras. Privacy people won't be happy--perhaps rightly so. But security will benefit.

Cheers,

Steve

Price too good to be true? Then indeed it is...

StevenSimske — Sat, 28 Feb 2009 15:28:00 GMT

I have spent the last two days at the Brand Protection conference here at the Graphics of the Americas (http://www.graphicsoftheamericas.com/conferences/bpc.html). With the world's economy in a tailspin, there have been numerous discussions of how unemployed but creative people can find ways to augment their diminishing incomes. Sure, counterfeiting is one we focus on here, along with product diversion, smuggling, package reuse and warrantee fraud. Often forgotten in the mix is the creative thief in your retail store's front lines--the sticky fingers in the cash drawer.

One scenario is when the rogue at the register brings a few extra coupons to work, and every time the associated item is sold--voila!, magically, the customer has the right coupon for a reduced rate. Security printing--the use of microtext, void pantographs, and other copy prevention/copy voiding methods will help you tell which teller is tolling the till.

Your tellers, quite likely, are the most honest folks in your store--or in your "web presence". Retail crime, not surprisingly, is on the rise. A recent Yahoo article gives an overview:

http://news.yahoo.com/s/nm/20090225/us_nm/us_usa_retail_crime

"Consumer demand for hot new products at huge discounts is fueling organized retail crime, with goods stolen from retailers finding an audience in secondary markets like the web, a retail trade group said. High on the list are the latest video games or trendiest new handbags that can be easily resold. The demand for product at a reduced price is significantly up. Consumers are looking at alternative resources to find products. Unfortunately consumers and the economy are fueling a drive for this illegal or anonymous commerce that is taking place across the country. Black markets for stolen goods can be deceptively bright: flea markets, swap meets and corner markets teeming with bargain hunters, as well as online auction sites like eBay Inc and classified sites like Craigslist.com, accoring to one expert."

As you might expect, there will be legislation to fight this. "Three federal anti-retail crime bills are expected to be introduced this week in Congress, designed to give law enforcement more authority to fight organized retail theft, including online." And EBay contends that they have "been working cooperatively with other companies and law enforcement in order to fight the online sale of stolen goods." EBay called "discriminatory the legislation soon to be introduced in Congress. These bills are less about fighting shoplifting and more about big box retailers wanting to crush legitimate small-business online competition that delivers real value and greater choice to consumers."

The article continues:

Craigslist called misuse of its site for illegal purposes "absolutely unacceptable" and cited its work with law enforcement to combat it. Criminals are unwise to use craigslist, since they create an electronic trail to themselves that police can follow," said Chief Executive Jim Buckmaster in a statement...An estimated nearly 40 percent of goods sold on auction websites advertised as "new in box" were stolen or fraudulently obtained.

The FBI, in fact, estimates that "U.S. retailers lose $15 billion to $30 billion each year from organized retail crime. To combat the escalating crime, retailers have been using global positioning systems (GPS) to track cartons and suspect vehicles. They are also hiring staff from law enforcement, sharing intelligence information and putting their investigators through specialized training, the NRF said. But lower staffing levels at stores trying to cut costs are leaving a door open to some criminals."

In other words, the Yahoo article portrays a situation in which every sale or potential sale is a battle between the legitimate producer and multiple sources of fraud--from theft in-store or in-transit. It doesn't have to be this way. And, in the case of foodstuffs, pharmaceuticals, airplane parts, automobile parts, and many other products where "sticking it to the man" could end up creating another victim, it simply shouldn't be. Trying to roll back the clock is a self-defeating approach. Products will be sold in brick-and-mortar and on-line. Qualify your on-line sales, and let customers have access to the product-unique and brand-registered variability on that unique product before and after the sale. It will allow you to find the fraud faster.

Benny Landa famously said "everything that can be digital, will be digital, including printing." More germane to this discussion, everything that can be variable, will be variable, and every variation that can be interrogated, will be interrogated. Make that variability count. It's one way to catch a thief--in-store or on-line.

Cheers,

Steve

Stocking Stuffers II: Security Printing Acronyms and Getting Started

StevenSimske — Tue, 30 Dec 2008 04:56:00 GMT

[Another whitepaper length summary of some related articles from this year's blog]

PRACTICE Good Anti-Counterfeiting Techniques

I have previously remarked that the approaches to counter counterfeiting depend on the relative mix of addressable and unaddressable counterfeiting occurring in the supply chain. If the counterfeiting is not addressable, then the brand must continue to message the unique qualities offered by their product so that people will want the authentic—and not the counterfeit—product. If a brand owner cannot address the counterfeiting, then the brand owner must provide a product provably superior to the customer. With “unaddressable” counterfeiting, perhaps paradoxically, the brand owner must struggle with the customer, and not with the counterfeiter. If the counterfeiting is addressable, on the other hand, then the brand owner is in a direct struggle with the counterfeiter. And to fight the counterfeiter, a single weapon is rarely sufficient. To deter a counterfeiter takes PRACTICE. And this blog addresses how PRACTICE (Plan, Research, Activate, Collect, Train, Investigate, Convict and Evolve) leads to a multifaceted ecosystem of tactics to prevent, detect and react to counterfeiting.

So, a version of an old joke to start. Patient: “Doc, are you comfortable with your diagnosis?” Doctor: “Ma’am, I’ve been practicing medicine for 40 years.” Patient: “Well, I’d like a second opinion from someone doesn’t need any more practice, and actually knows what he’s doing.” However, any physician worth her salt invests in CME, or continuing medical education. Life is practice. Practice doesn’t make perfect, but it can always improve on the imperfect that is the now. And PRACTICE is the acronym I’ll use for the crucial eight elements in an effective anti-counterfeiting ecosystem. So, let’s take a look, one element at a time.

P is for Plan.

The Plan is paramount, because it anticipates the overall strategy—including the research to be performed. The plan must consider the set of deterrents to be used. Will they be overt, covert, and/or forensic? Who will collect data on them to perform track and trace, inspect, authenticate or forensically analyze? When and how will these deterrents will be researched? When and how will the extent of current and future counterfeiting threat to the product be researched? The plan includes the activation of the ecosystem—the nerve-racking moment when the first products belonging to the security ecosystem roll down the production line—and the data collection roll-out. The plan includes the training: how customers, retailers, inspectors and possibly forensic analysts are educated about the deterrents. How will investigation and potential legal action—based on evidence collection and prosecution—be supported? And, finally, how will the system evolve? That’s right, we must plan for change.

R is for Research.

Research includes how you pick your deterrents. Do you pick ones that are easy for the counterfeiter to spoof? If so, they should cost you nothing. Do you pick one that’s hard and/or expensive for the counterfeiter to reproduce? If so, good, but you need to research how easy it is to use for your would-be counterfeiters. Research also includes understanding the counterfeiting threat to your supply chain. If you think it is small, you’d better look hard. It’s much easier to show it is a large problem than a small problem—sorry, that’s just the nature of statistics. You need hundreds of samples from any relevant section of your market to be sure the problem actually is small.

A is for Activate.

After your research plan is completed, the system must be turned on. This is a huge step—maybe more accurately a “step function”—but the bump of activation can be smoothed by starting small. A 2D barcode is one way to collect information on where your products are going, but some companies start even smaller. Think of the soda pop folks who print numbers under the caps on their 20-ounce plastic bottles. They’re not doing this so you can win a free can of pop—they’re doing it to see where the unique numbers are going, and validate their supply chain. Their “activation” is a matter of setting up a website and asking people to web/dial in the numbers under their caps. No—this doesn’t give true track and trace, and certainly not authentication, but it does help them collect data (see next step!) useful in assessing just how big a problem they have on their hands. Activation in full-fledged, label-based security printing and imaging means having the deterrents integrated into the digital front end of the printing. It means having all of the inspection and authentication algorithms, devices and reporting systems fully tested, qualified and in place for the long run. And, it means integrating the data with your existing manufacturing, distribution and reporting registries.

The first C is for Collect.

Collecting data is not just about reading the 2D barcodes and other printed features on the label, packaging or document. A lot of data must be collected beforehand, as part of the research. One way to get this kind of data is described in the previous paragraph. However, data must be collected on an ongoing basis to determine the extent, location and nature of the counterfeiting threats. To determine the extent, one must research all channels for sales—from supermarket to information superhighway. What percentage of the product in each channel is counterfeit? How many counterfeiters are there? Do the counterfeiters work together? This data is crucial for later investigation and legal reaction to counterfeiting. Other data is also collected on an ongoing basis—inspection, authentication and forensic information on the quality of the printed deterrents. I will talk about specifics of these data in a later blog.

T is for Train.

Training, or educating, the actors in the product’s supply chain, is tied to the ecosystem planning described above. If you are relying on your end customers to validate—inspect and report anomalies, authenticate, whatever—the product, then you have to provide reliable and easy—preferably really easy—steps for them to follow. If you trust your retailers and want them to authenticate, the training can be a little—but only a little—more involved. If you are relying on paid inspectors, the training can be more complicated, but in general they will still need to be able to validate the products with relatively simple, cheap and portable devices. The training plan approach is similar to the one you must take for auditing and compliance with most government bodies—for example, NASA and the FDA. The most important consideration is to have a process in place and to then follow it. If you don’t follow the process, your data won’t link together, you won’t pass an audit, and you won’t have reliable estimates on the extent of the counterfeiting. Additionally, abandoning a process just because counterfeiting is occurring causes confusion for those who wish to legitimately validate your product. Counterfeiters love confusion, it helps them in their (non-legitimate) supply chain. There are better ways to address future counterfeiting, and I’ll talk about the “innate moving target” shortly.

I is for Investigate.

A lot of brand managers fail to understand that in order to investigate, you typically need an additional type of data to the data you use for track and trace, authentication or inspection. Investigations depend on the investigation plan—how data is collected, retained, analyzed and acted upon. Dynamic research is required. If you start to see sporadic counterfeiting in a new area, for example, it is often the case that these counterfeits originate in another, already “counterfeit-established”, region. Investigation is necessary to test for the link(s). And just investigating the “publicly known” security features may not be enough. Instead, additional features of the product—up to forensic analysis of the printing and/or product ingredients—may need to be analyzed to uncover the counterfeit supply chain. I’ll talk about the collection of salient investigative data in more detail in a later blog.

The second C is for Convict.

How do we get a conviction? Well, first of all, you can’t convict anyone if what they’re doing isn’t illegal. So, brand owners who are not working with government (e.g. FDA) and other compliance bodies (e.g. GS1) are encouraging the counterfeiting of their products. If you’re in organized crime and are still resorting to the old ways—gambling, prostitution, weapons, drugs—you’re a fool. Counterfeiting is easier, more rewarding (higher margin!) and less risky. And, brand owners, stay with me here: counterfeiters already know this. So, help stiffen the penalties for counterfeiting, smuggling, product diversion, and other forms of fraud—security is about detection and reaction even more than prevention. Without an onerous reaction, there simply is no deterrence. Even if your deterrents cannot be beaten. With no reaction and unbeatable deterrents, all you do is force the bad guys to resort to old-fashioned insider jobs. Bribery, extortion, blackmail, eavesdropping, collateral theft—they have a lot of options. And they’re creative, so this list is just a sample. To get a conviction, you will need the laws in place. Additionally, to get a conviction, you need an auditing, compliance and data integrity plan. In many countries, even the counterfeiters are presumed innocent until proven guilty. Make sure your data is credible, auditable, and usable. If it’s not, it’s not data, it’s just wasted storage space.

Finally, E is for Evolve.

“They” say people don’t like change. Then, another “they” say that people do like change, and that to be human is to change. “They” are both correct. We like change, when we see it coming. In anti-counterfeiting, we see it coming when we design our security system to be an innate moving target. That is, the system is designed for change, benefits from change, and anticipates the need for change. However, these changes do not cause a system reset, a brand protection blue-screen, a full stop. They simply require the existing system to change its settings. Maybe the counterfeiters have to fully reboot, but that’s OK. Remember the rule, any system that makes the counterfeiters spend more than the brand owner is a deterring system. Any system that doesn’t needs to be changed. I’ll cover this topic more fully in future blogs, including the next.

For now, let’s put PRACTICE into practice. In a healthy anti-fraud ecosystem, all elements of PRACTICE are working together, deployed together and designed to detect counterfeiting as fast as possible. The world’s hardest-to-reproduce deterrents are often compromised precisely because they are the hardest to figure out by someone wanting to validate, too. The difficulty of reproduction is frequently associated with size, features or effects that are also hard to educate people on. An example when the product relies on uneducated consumers to check product validity is the “variable hologram”. Customers are used to looking at holograms for some striking visual effect, but they have no idea the effect should be different from one package to the next—let alone how.

The deterrent used, therefore, must match the training given to the would-be validators. And the only way there is an appropriate “impedance match” between the deterrents and how they are successfully used in the ecosystem is if the planning occurs first, the research second, and the activation third. As with all successful security approaches, security printing will only work if it is built from the ground up.

This form of PRACTICE outlines an end-to-end process for initiating and supporting an anti-fraud program. Each of these—from Plan to Evolve—involves by itself multiple processes as well. Let's look more closely at on two quite different types of processes, each focused on the “Investigate” portion of PRACTICE. The “Investigate” portion includes the continual accumulation of data on the counterfeiting of your product. One means to do this uses security variable data printing, or SVDP. This is the use of multiple variable deterrents to draw out the “style” of the counterfeiter. That is, SVDP regions can be used as “bait” or “decoy” deterrents—not to force the counterfeiters to “replicate” the data in the printed region, but instead to force the counterfeiter, through trying to replicate the appearance of the printed region, to identify himself. This is because complex printed regions cannot be scanned and re-printed without modification. How a counterfeiter will try to reproduce such a complicated region—the choice of color, intensity, spatial frequency, contrast and other transforms the counterfeiter uses—provide a signature for the counterfeiter’s style. This process is an example of an a priori process, in which the data to be collected is designed and deployed. Another means to continually accumulate data on the counterfeiting of your product is to perform a posteriori analysis of the product, and compare the analysis results to those expected of legitimate product.

As a non-printing example, John Jasper, head of Molecular Isotope Technologies (MIT), writes, “Process patents are mechanisms by which to protect and extend the patent-protected lives of pharmaceutical products. They are typically supported by the analysis of reaction impurities, trace metals, etc. Natural stable isotopes present a novel source of information recording evidence of the process manufacturing history – particularly, the synthetic pathway – used to produce pharmaceutical and other chemical materials…[Our] work in the area of product authentication showed that every batch of pharmaceutical materials had a highly-specific ‘isotopic fingerprint,’ allowing individual batches of materials to be tracked and counterfeit batches to be identified.” In other words, MIT’s process for analyzing the reagents in a pharmaceutical are precise enough to disambiguate between the authentic and the counterfeit processes involved in production.Image forensics, not surprisingly, can also be used in an a posteriori manner. The process is, on the surface, similar to the a priori approach: printed regions are analyzed for their characteristics, and different regions classified and clustered to help identify the number and size of the counterfeiters in your supply chain. The difference is that, using such an approach, a suitably difficult-to-reproduce printed area must be identified without the benefit of SVDP. So, a word of advice: if you want to identify counterfeiters, don’t make it easy on them—use SVDP or at minimum a few regions of difficult-to-reproduce printing (natural images, designs such as guilloches, etc.). Otherwise, you’re simply making their job easier, and that’s one process that makes no sense.

Universal ACID

Here I focus in on one specific technology which, if used properly, can help tips the odds in favor of the legitimate supplier and the concerned customer. Variable Data Printing, or VDP, provides the capacity, if so desired, to vary every aspect of a print job. However, for ease of making the print run compatible with the graphic artist’s design for the label, package, document, or other printed material, variable data printing is usually associated with a database that is populated before the job is “ripped”; that is, set to final printing commands by the RIP, or raster image processor.

A simple VDP job is outlined here:

Static elements (background, brand logs, three empty copy holes)

Copy hole #1: Database for 2D bar codes

Copy hole #2: Database for unique text sequences

Copy hole #3: Database for watermarked images

When the RIP occurs, the static portion is printed quickly (usually stored in a cache for quick “ripping”), and then each of the copy holes is filled based on the reference for that printed material, pulling the correct bar code, text sequence or watermarked image from the database and rendering it to the copy hole. In security VDP, or SVDP, the copy holes contain not only variable data, but usually uniquely variable data. Also, this variable data can be (but isn’t always) read by some type of inspection, authentication or forensic device. That is, the copy holes contain data. Most readers are probably familiar with mass serialization, but if not, I will describe that in more detail in an upcoming blog. Suffice it to say for now that mass serialization is a means of ensuring that each copy hole on each printed material—e.g. label, package or document—contains a different identifier that can be read (which means interrogated and the data encoded successfully interpreted).

Once you understand the power that variable data printing brings, it is universal acid—you realize it cuts through everything. And in this case, universal ACID means All Content Is Dynamic. Not just variable—but variably variable, or dynamic. Every element printed can be a variable copy hole and so our scenario above shortens to: For every region on the printed material, Copy from Database for that region Thus, every region is novel, or unique identified, and so capable of being interrogated for its information. In anti-counterfeiting, we wish to provide a moving target for the would-be counterfeiters, staying one step ahead of them in the deployment of security features. However, this is a tedious game for us as well as the counterfeiters. SVDP offers us, however, an innate moving target—the ability to change the very nature of the variability on the fly. With SVDP, we have a way of providing a moving target without having to change our technology. VDP is the technology that provides a continual, built-in moving target. SVDP allows us to interrogate the information that is printed variably. This means that SVDP extends variability beyond just having a different identifier in the variable copy hole. It provides a who, what, when, where, why and how variability to the security printing RIP.

Who varies the job can tie the set of deterrents deployed—and how they link together—to a particular press operator, SKU, brand, or other logical units. By linking, we mean how the set of variable features relate to one other. Examples of deterrent relationships include replication, hashing, sequence fragmentation [sharing the mass serialization data between two or more variable copy holes], and other techniques for making the multiple variable regions “cooperate” with each other. One particularly powerful method is to use one deterrent—usually one used for track and trace or authentication already—as the registry “look up” sequence from which the signed-in user may then obtain information on one or more other variable regions.

What is varied also depends on how many security deterrents the brand requires—some for track and trace, some for authentication, some for forensics, some just to decoy the would-be counterfeiters, some to be used in case of recalls or other contingencies, etc.

When the deterrents are varied—or more importantly when the variability pattern is changed can be tied to pragmatic product details, For example, if the shelf life of a product is 6 months, it makes sense to change the relationship between deterrents every six months, so expired products also exhibit “expired” security strategies.

Where the variability is provided can change, too. Variable regions can be made static, and static regions can be made variable, over time. This keeps the would-be counterfeiter grasping at straws, and yet can still accommodate using a consistent variable deterrent, such as a 2D barcode, over time.

Why the deterrents are made variable depends on the realities in the supply chain and in the hands of customers. If certain deterrents are being successfully attacked, then adding new variability to the printed material is another way of gathering information on who the counterfeiters might be—insidious insiders, for example, may quickly incorporate these new variable regions, even if they are not tracked by your authenticators, and so tip their hand to you.

Finally, how the variability is provided is up to you. With VDP, there are so many “how” possibilities that you are being remiss as a brand owner if you fail to do either of the following two VDP processes: 1) Make a plethora of regions variable2) Change the relationship between the variable regions frequently In other words, we vary the way we vary the variability at various times. It’s VDP to the nth. And the more variable regions you have, the more security bits you can print.

We have to assume that the counterfeiters are aware of all these possibilities. And, at first, they appear rather daunting to the would-be counterfeiter. But, counterfeiters don’t react the way we expect them to, and so we have to be prepared for the unexpected. To help illustrate this, in the next blog, I am going to show how we might set up and defend our own counterfeiting business! And who knows, maybe SVDP will pass even this test…

Are You Making It Too Easy for Counterfeiters? Then, Let Me SLAP You!

Acronyms and anagrams are excellent means to simplify a message and to provide easy recall of this message (thus, the word “mnemonic” [Greek origin]—assisting or intended to assist the memory). For example, in 3^rd Grade, I figured out that my last name was an anagram for “KISS ME”. And I conveyed this knowledge to all of my female classmates. Which, not coincidentally, leads us to discussing the mnemonic SLAP.

SLAP, in the case of producing an effective ecosystem for brand protection and anti-counterfeiting, is an acronym for Scalable, Logical, Analytical, and Progressive.

Scalable means that the solution you propose can be used on multiple production runs, multiple products (SKUs), and for a reasonable amount of time. Don’t try to “divide and conquer”—that is, don’t use a completely different approach on different products. It will confuse your customers, your retailers, and your inspectors. Not only will it make it more difficult for you to get good authentication feedback, but you actually may increase the perception that your products are being counterfeited. Product “A” has deterrents 1, 2 and 3 on it, but Product “B” has deterrents 4, 5 and 6 on it—hmmm, one of these is probably fake. Or, worse yet, the would-be authenticator simply tunes out—too complicated, not worth it, too hard to figure out how to authenticate the product. Keep the message simple, and use an innate moving target for deterrence rather than actually changing the target. Security Variable Data Printing (SVDP) is such an innate moving target. One can change the information embedded in the security print, but never change the way a user interacts with it. And, because SVDP affords so many different means of embedding trackable and authenticable data, it is innately scalable, as well.

Logical means, well, think! Don’t make it easy on the counterfeiters. Here are some illogical approaches: (1) Spend a lot on your deterrent (counterfeiters love these “high margin” deterrents, because they’ll always knock them off more cheaply, and it decreases your margins while increasing theirs); (2) Use a deterrent/approach for only a short while and then stop using it (now your would-be authenticators don’t know what to expect—was it the old deterrent or the new deterrent, and which is legitimate). Much more logical: any time you roll out a new deterrent, which is unavoidable for some products—educate your authenticators; (3) Confuse different utilities in a familiar approach. Using variable data inside a hologram is one such example—most users think holograms are “variable” already, and aren’t likely to even notice the fact that one hologram is different from another; (4) Confuse machine vs. human readability. If you use a deterrent intended for machine reading, then embed data in a way that machines can read better than humans. And vice versa. Humans, for example, are very good at noticing alignment differences and relative color differences. Mach bands and other optical illusions are entirely invisible to machines. Machines are much better at noticing absolute color differences and of course steganographics such as watermarks. Meaning metamerisms are mainly meant for machines (alliterative, no?).

Analytical means your approach to the ecosystem should be geared at generating quantitative data. What is the compliance rate (i.e. what percentage of would-be authenticators actually try to authenticate)? What is the counterfeit rate? Read failure rate? If you can’t disambiguate these latter two—counterfeit vs. read rate, that is—you do not have an analytical solution. SVDP again underpins such an analysis: a counterfeit sample will generally have a different combination of print quality, print forensics and payload (data to be read) than a legitimate but unreadable—e.g. damaged, read with poor lighting, etc.—sample. Because of the multiple modalities—color, saturation, intensity, steganographics, halftoning, etc.—involved in printing, SVDP provides many on-ramps for analytics.

Progressive, finally, means that your approach allows progressively more complicated analysis to proceed smoothly. From an imaging standpoint, this means we move from image quality assessment (image “grading”) to image inspection to image authentication to, finally, image forensics. At each stage, a more in-depth analysis—and thus more difficult to reproduce—of the printed material is obtained. Making the first stage, image grading, relatively fast and painless, is an excellent way to generate “leads” from your customers. HP and many other brands address this by using “high-end” overt deterrents on their packaging. Customers are familiar with the motif—color-shift, thermochromic, etc.—and so notice when these have been unsuccessfully knocked off. Inspection ties layout and partial authentication to quality. Authentication ties the print job to the database of legitimate products. Forensics ties the data to the very material printed on, as discussed above.

Happy 2009!

-Steve

World Economic Forum Selects Four Track and Trace/Anti-Counterfeiting Companies

StevenSimske — Tue, 23 Dec 2008 15:35:00 GMT

Recently, the World Economic Forum has selected 34 companies for special notice as "Technology Pioneers". Please see

http://www.weforum.org/en/Communities/Technology%20Pioneers/index.htm

The selections are based on the following criteria:

"The World Economic Forum has announced 34 visionary companies selected as Technology Pioneers 2009 for their accomplishments as innovators of the highest calibre, and whose technologies will have a deep impact on business and society. The selection of these companies is the result of a vigorous selection process, for which the Forum received more than 320 applications from around the world that were evaluated by 44 global technology experts."

Of these 34 visionary companies, 4 of the 15 in the "IT" category are companies providing products in Track and Trace/Anti-Counterfeiting (TT/ACF). These four pioneers are:

1. Advanced Track & Trace
www.advancedtrackandtrace.com
Jean-Pierre Massicot, Chief Executive Officer
Advanced Track & Trace is a pioneer in digital security solutions applied to Brand Protection.

2. Mojix, Inc.
www.mojix.com
Dr.Ramin Sadr, Founder & Chief Executive Officer - read the interview
Mojix, Inc. was founded in 2004 by a team of former JPL/NASA scientists and engineers with the vision of applying breakthroughs in deep space communications to exponentially refine the precision, reach and scope of RFID technology.

3. MPedigree
www.mPedigree.org
Bright B. Simons, Chief Strategist
mPedigree manages the 1393 service, which has been deployed in Ghana since January of this year, and is the first system anywhere in the world by means of which consumers and patients can instantly verify the source of a purchased pharmaceutical at no cost, at the point of purchase, using standard mobile phones.

4. TraceTracker Innovation ASA
www.tracetracker.com
Ole-Henning Fredriksen, Co-Founder & Chief Executive Officer - read the interview
TraceTracker is the global information exchange for the food industry.

Each of these companies has a different story--bringing advanced digital security printing to the play (ATT), bringing remote sensing advances to RFID (Mojix), making a difference where the introduction to the Internet is largely via phone (MPedigree), or providing food information exchange (TraceTracker). The creativity and utility of these four companies in obvious, and the fact that fully 12% of the World Economic Forum selections are in TT/ACF this year is a clear sign that this is not a fringe, an add-on, a secondary consideration any more. For all the right reasons--product safety, product recall, consumer empowerment, brand protection, supply chain visibility, product freshness, and many more--TT/ACF is the disruptive set of technologies that will be what consumers expect in just a few years.

[Thanks to Justin Picard for the link]

Best wishes for the Holidays!

Steve

No Re-Packaging Ban in EU

StevenSimske — Sat, 13 Dec 2008 01:26:00 GMT

Under pressure from repackagers, who have convinced the EU in this time of economic meltdown that banning repackaging would be a misstep, the EU has changed its decision.

http://www.forbes.com/afxnewslimited/feeds/afx/2008/12/05/afx5786503.html

"EU Industry Commissioner Guenter Verheugen faced heavy pressure from parallel traders who said such a ban would have wiped them out, as they have to repackage drugs so that explanatory leaflets to patients are in the right language."

However, the EU is going to provide a more US/New Zealand like model of advertising for the pharmaceutical providers, another contentious issue (generic pharma feels it is unfair): "Direct-to-consumer advertising of prescription drugs is permitted only in the United States and New Zealand and was heavily attacked by consumers in the wake of the 2004 withdrawal of Merck & Co's heavily promoted painkiller Vioxx."

The main thrust of the legislative reform is to increase customer safety, and to do so requires deft political maneuvering, since repackagers, generic manufacturers and brand manufacturers will all find elements of the legislation against their best wishes. There is to be a more powerful system of safety monitoring for patients, improved anti-counterfeiting legislation, and more direct-to-consumer (DTC) information on the products allowed.

The biggest safety concern is response time--getting all potentially dangerous products out of customer-facing locations as soon as possible. The Irish pork recall showed that the response system is indeed fast, and generally seems to provide patient welfare. But, it needs to be more cost-effective. Full provenance track and trace, then, is more or less inevitable.

Cheers,

Steve

Irish Pork Recall another Track and Trace Debacle

StevenSimske — Mon, 08 Dec 2008 04:06:00 GMT

The latest food recall is a potential disaster for one of Ireland's biggest industries. On the second week of the Advent season (right when shopping for Christmas ham is hitting its stride), consumers have been asked to destroy all Irish pork products dating back to September for fear of dioxin contamination. Because of the nature of track and trace systems currently in place, this may amount to as much as

More information on the reasons for the recall are given at:

http://news.bbc.co.uk/1/hi/uk/7769893.stm

According to the Telegraph (a big UK news service), the pork industry is Ireland's fourth largest industry, with Ireland's 400 pig farms (providing work for 7,000 people in Ireland, including 1,200 on the farms) contributing about 400 million Euros (approximately 600 million dollars) to the Irish economy each year. The contamination of the pork was traced back to animal feed from one supplier used in more than 40 farms. Based on this, 90% of the pork destroyed will probably be wasted (i.e. no contamination), but since the dioxin concentration in the contaminated pork is 80-200 times the safe level for consumption, there is little room for error.

Also, about 90% of the pork products on sale were processed before September, and it is not obvious that or how this will be taken into account in the recall. Clearly, a substantial percentage of the pork products are contaminated, but much uncontaminated pork will be destroyed as well. A full-compliance, global produce track and trace system would not only reduce the waste, but would increase consumer confidence in the recall. Even with the wide swath of recall, will some contaminated products be missed?

It's bad enough that the pork producers suffer a devastating hit to their industry in an already treacherous economy. It's far worse to know that the damage may be much worse than it has to be.

-Steve

Do You Recall This Much Recall?

StevenSimske — Wed, 26 Nov 2008 05:04:00 GMT

We are rolling into the Thanksgiving Holiday here in the States, which traditionally coincides with a modicum of gluttony. Historically, the time right after harvest was the time of festivals--might as well eat the food and let it ferment inside you rather than your cellar!. Given the recent news and FDA announcements, one wonders what is safe to eat at all...

The youngest might not want their formula:

http://news.yahoo.com/s/ap/20081126/ap_on_he_me/infant_formula_6

Don't put tomato sauce on your veggies:

http://www.fda.gov/oc/po/firmrecalls/wegmans11_08.html

Heck, don't have the veggies, period!:

http://www.fda.gov/oc/po/firmrecalls/stopnshop11_08.html

Don't try cheese as an alternative dessert:

http://www.msnbc.msn.com/id/27914220/

Or an alternative cheese as an alternative-alternative!:

http://www.fda.gov/oc/po/firmrecalls/panos11_08.html

Don't try a dietary supplement in place of the big meal:

http://www.fda.gov/oc/po/firmrecalls/balancedhealth11_08.html

Or try fat loss capsules to keep the weight off!:

http://www.fda.gov/oc/po/firmrecalls/fashionsanctuary11_08.html

And don't try rewarding the pooch with an extra helping:

http://www.petcare.mars.com/

Guess it's time to start that diet! Either that, or time for a reliable food track and trace mandate. On that sour (sweet, bitter, salty, MSG or other taste, for that matter) note...

Happy Thanksgiving!

Cheers, Steve