Security Printing and Imaging : variable data printing

Conference Time Part I: Extended Packaging

StevenSimske — Thu, 24 Sep 2009 02:12:00 GMT

It's September. The month when most people's gas bills hit rock bottom. Kids are back in school, harvest is still just sweat and fury in the future. Closed are the pools, open are the schools, and life is good. Too good. So, those wonderful conference organizers have nothing better to do than make us travel. Last week and this, I had the pleasure to present at ACM Doc Eng 2009, IS&T NIP25, and IEEE BIdS. I've already posted the ACM DocEng paper and plugged it a few times on this, my blog, but just to complete the trifecta, it's here:

http://www.hpl.hp.com/techreports/2009/HPL-2009-177.html

This blog focuses, however, on one of the NIP25 papers. It's about how to extend the information you add to packaging by using "semi-covert" variable data printing (VDP) driven layout variability, and it's with my long-time friend and colleague Margaret Sturgill. You'll find the PDF here:

http://www.hpl.hp.com/techreports/2009/HPL-2009-316.html

Thanks to Omer Gila for the invitation to present this work,

Steve

Law of Power 4—Always Say Less Than Necessary

StevenSimske — Wed, 22 Jul 2009 04:44:00 GMT

Continuing a reinterpretation of Robert Greene’s 1998 landmark, “The 48 Laws of Power”, I turn his Law #4 sideways (applying the law to the fighting of counterfeiting and other forms of fraud) and then turn it upside down (using the laws to create better businesses).

Given the definition of Law #4, need I say more? Actually, the irony is that to argue for saying less, a relatively thorough post is needed. Saying less is an art. One must say enough, often provocatively, to obey the other Laws of Power (commanding attention, generating mystery, etc.), but not say too much to appear common. Not only is it an art, but it is also the secret of art. Why did Klein pick (and try to patent) the hue of blue known as Klein Blue? Why did Marcel Duchamp “pick” a urinal for his show? Certainly, neither of them was about to tell. What could be more common than a single element in a palette or a single stall in a men’s room? By saying less than necessary, Klein and Duchamp succeeded where many others fail.

What does it mean? Let the other person decide...

Robert Greene interprets the fourth Law of Power as the power to be vague, open-ended, and sphinx-like. Can such ambiguity be achieved through idiocy? Think of Peter Seller’s character in “Being There,” whose sagacity is certified by his oracle-like “I like to watch” and “I can’t read.” Far better to say less—“I like to sit on my fat derriere watching TV” and “I am illiterate” are unlikely to generate a dedicated followership.

My interpretation of Robert Greene’s sense of this law comes from the field of dietary restriction (I have done research in this area in a past life: see for example Ferguson VL, Greenberg AR, Bateman TA, Ayers RA, Simske SJ: Effect of age and dietary restriction without nutritional supplementation on whole bone structural properties in C57BL/6J mice. Biomed Sci Instrum 35:85-91, 1999). Essentially, food and words are death. The human body is designed to cycle only so many calories—say 80-100 million—in a lifetime. Caloric restriction—willingly reducing your caloric intake—will in general lead to a longer life. The same is true of words. Your power base will only survive so many words. The more apt you are to offer free advice and speak your mind, the shorter your lifespan of power will be. We all love to deliver a witty phrase—we’re light at ease after a litotes, literate through alliteration, happy through hyperbole—but few of us are as clever as we think. And each beautiful flower of true bon mot will be lost in the forest of cliché if we choose the road of sarcasm, cynicism and attack.

Greene cites Louis XIV as following Law #4 to the letter: “L’état, ç’est moi” and the smile of Buddha. So much more effective for a long and unchallenged reign than, for example, Coriolanus, whose spite and common complaining took him from hero to zero, from warrior to weary-er.

SIDEWAYS:

Law of Power #4 is important for anti-counterfeiting. Empower your agents in the field; but do not let them talk themselves into ineffectiveness. Focus your education and training costs to make your agents better able to provide the information you need, but not to digest it themselves. Does your agent need to understand everything she sees? Not unless you want to create a potentially powerful double agent. Do not allow any single agent in the field to collect too much information or know too much. Make her capable of conveying value with a credible degree of deniability of knowledge. It’s safer for your strategy and safer for your agents. The best agents, or “feet on the street”, are not just secret agents; they are to some extent uninformed agents. Make sure they are only capable of saying less than what is necessary to compromise your brand protection program. Otherwise, you will always be competing with the highest-paying counterfeiter for the agent’s services.

UPSIDE DOWN:

How can this Law be turned upside down? Isn’t purposely saying less duplicitous by nature? Not if you turn the art of saying less into the art of listening more. Listen to your partners. You and your partner have the following breakdown of problems: (1) Problems you can solve, (2) Problems the partner can solve, and (3) Problems neither can solve. Usually, (1) and (2) are not fully overlapping, but even if they are, you and the partner will solve them in different ways. Indeed, (1) + (2) = (3), and simply listening to how your partner solves a problem you “already know how to solve” may lead to solving set (3). When you talk, you will naturally address either (1) or (3) and so have 0% chance of solving new problems. When they talk, the focus is problems they can solve—and your chance to learn. This is really, really hard work--listening to someone explain how to solve a problem you already know how to solve. But it is the road to learning.

Ultimately, your “power” rests on what you know. Listening is a much harder skill than saying less than necessary. Listening is an active event—unlike hearing, which is passive. Learn to say less by listening. Let your partner finish her thought, and internalize what she says. If different than what you know, then why? Is it because what you had previously viewed as a single topic is actually two or more? What are the conditions to disambiguate these subtopics? Now you’re not just listening, you’re learning. And when you are likewise allowed to share your experiences, true collaboration has occurred. All by taking turns in saying less.

Cheers,

Steve

See Law #3 at: http://www.communities.hp.com/online/blogs/securityprinting/archive/2009/06/16/law-of-power-3-conceal-your-intentions.aspx

Law of Power 3: Conceal Your Intentions

StevenSimske — Tue, 16 Jun 2009 19:34:00 GMT

In a continuing interpretation of Robert Greene’s 1998 bestseller, “The 48 Laws of Power” (Penguin Books), I turn it sideways (using the laws to fight counterfeiting and other forms of fraud) and then turn it upside down (using the laws to create better businesses).

Today we address Law #3: Conceal Your Intentions. This is a law in two parts.

(1) Use decoyed objects of desire and red herrings to throw people off the scent. Greene suggests false sincerity, ambiguous signals and misleading objects of desire.

(2) Use smoke screens to conceal your actions. Always leave yourself contingency pathways.

Many of Greene’s anecdotes focus on warfare and negotiation, and specifically on the cunning of different strategists. Strategies, as can be seen, cannot be “universally recommended”—that is, they do depend on the individual. Kissinger’s prowess as a negotiator, for example, was fueled by his ostensible dullness. Greene portrays Kissinger as nearly lulling his adversaries to sleep and then just as the wave of ennui threatened to submerse them in torpor, he would make otherwise unreasonable demands and get buy-off.

Such a strategy, clearly, would not have worked for Napoleon. Instead, Napoleon’s path to success would have been to put more power in the hands of his competent students of the Laws of Power—Talleyrand and Fouché, for example. Napoleon, being Napoleon, was unable to work with such indirect, “cunning” personalities.

A key to concealing your intentions is to eschew the use of a pattern. This is not the same as foregoing a design. Without a design, you are quite liable to respond to any nuance, distraction, red herring, or ploy of your adversary. The design is essential, as it is nothing else but the pathway from the present to the future. Your design, however, should include decoyed objects of desire and smoke screens to prevent anyone else from determining your design. If your pattern is A, B, C, D, guess what? Your adversary can pick E, F, G, H, etc., to face you. And a smart adversary (you must assume your adversary is smart until proven otherwise) will pick the node in the sequence where she is relatively strongest in comparison to you.

What could be more fun? Combining creativity, design, thinking on your feet and secrecy—concealing your intentions gives you time to collect information on your adversary. And, when the reversal occurs, it should not be ambiguous. When you suddenly reveal your intentions, either because of a (well-earned) reputation for fraud or because it will no longer provide value to conceal your plans forward, do it in full.

Think of Hamlet. The play was indeed the thing to catch the conscience of the king, and Hamlet knew it. He concealed his intentions—was he brooding over Ophelia, going through existential angst, in deep anxiety over an inevitable confrontation with Fortinbras? Meticulously, Hamlet pieced together enough clues to formulate the last stage in his intelligence work. It was the play, with his uncle’s murder of his father echoed in the actions of the players, that would bring out the final, unequivocal reaction in Claudius. After that reaction, the rest of Hamlet’s “contingency plan”, always part of his design, would inexorably bring the bloody end to one of the world’s greatest works of literature. After the play, the rest was almost predestined.

Hidden intent. What am I looking at? What matters here?

SIDEWAYS:

Of the 48 Laws of Power, perhaps none is more central to security printing, anti-counterfeiting and brand protection than Law #3. Variable data printing (VDP) provides ease of printing decoys and smokescreens, while hiding the overall intention.

Since every printed region can be variable, the would-be counterfeiter can take one of three (at least) approaches. First, he may try to reverse-engineer every element of the print job. This is a time-consuming, mind-numbing approach, but the advantages are that the counterfeit samples will inevitably appear more real, and so get by more customers and more retailers and more inspectors undetected. Counterfeiters with substantial R&D budgets (and there are many) will occasionally attempt this approach. Other counterfeiters will do the minimum possible to get their products into the supply chain, and so the counterfeit products will be generally easy to distinguish. However, these counterfeiters may be more interested in replace-and-sell strategies, which are consistently seen for example with large systems (cars, servers, airplanes, appliances, etc.) where the parts are very expensive and the system behaves similarly with the counterfeit parts in place. Thirdly, other counterfeiters will simply move to the inside. It is much easier to spoof a product if you simply build the product. Insidious insiders, third-shifters (factory overruns), and false fronts (“fake” companies that work with all of your suppliers) are a significant threat.

Conceal your intentions with counterfeiters by using variable VDP—changing your VDP design is not much more difficult than printing using VDP. Your design is to change; your pattern of change is your own.

Security printing principles are in direct alignment with concealing one’s intents. Decoys are printed marks used to get a counterfeiter to respond, even though they may not be (normally, ever) tracked or investigated. Use decoyed objects of desire and red herrings to throw people off the scent. Printed marks can also be used as “bait” to get counterfeiters to respond to them—generally, these are overt marks, so the lack of response by the counterfeiter usually means that they will not be able to counterfeit for long. Your response may be about the data embedded, or it may be the appearance itself. Use smoke screens to conceal your actions. These decoys and bait can serve as “contingency” deterrents which can be tracked or investigated in cases of need (recall, change in auditing requirements, new regulatory concerns, change in branding, etc.).

Intentions stripped bare. Nothing to conceal. No future.

UPSIDE DOWN:

Concealing your intentions is obviously to your advantage when dealing with an adversary. Many would therefore conclude that to benefit from the obvious advantages of Law #3, you will treat your business partners as adversaries, concealing your long-term strategy. I argue for a different approach.

Consider your interaction with worthwhile business collaborators and partners the way you might consider your interaction with worthwhile life collaborators and partners at a social gathering. Start with the premise that your story is boring unless the other can share in the story. Get the other person/partner to speak. Be genuinely interested. Every conversation, every partnership, is a learning opportunity. “Conceal” your intentions by engaging in theirs.

“Ah!” you say, “but there is no security through obscurity.” Meaning the would-be collaborator will also know Law #3 and will be applying it on you, as well. And right you are! That’s the beauty of the approach. If each of you applies the “Upside Down” Law #3, then inevitably the conversation will lead to common ground. It takes active engagement, but it does not preclude concealment of your true long-term plans. Both parties benefit from finding a common, profitable area of engagement, without having to say “I’m not ready to share that with you yet.”

Let’s illustrate with a simple example. UBB (Unbelievably Big Business) has long-term plans to take over all fossil fuel surveying, production and distribution. USS (Unbelievably Sustainable Systems) has long-term plans to provide 100% of the world’s energy needs, where possible, with 100% renewable fuels. In drawing into the conversation discussion of sustainability, UBB comes to understand how “grow and sell local” approaches will significantly streamline their own distribution chain. In drawing into the conversation discussion of the need for high-octane, fossil based fuels in many existing transportation networks, USS comes to understand “asset inertia” and also understands better the adoption roadmap for sustainable energy.

A healthy combination of concealment and the visible. Share enough to help your friends, conceal enough to derail your adversaries.

--Steve

See Law #2 at: http://www.communities.hp.com/online/blogs/securityprinting/archive/2009/05/31/law-of-power-2-never-put-too-much-trust-in-friends-learn-to-use-your-enemies.aspx

Law of Power 2—Never Put Too Much Trust in Friends; Learn To Use Your Enemies

StevenSimske — Sun, 31 May 2009 05:34:00 GMT

In 48 posts on this site, Robert Greene’s modern-day Machiavellian masterpiece on the principles of power, “The 48 Laws of Power” (1998, Penguin Books), is being turned sideways (using the laws to fight counterfeiting and other forms of fraud) and then upside down (using the laws to create better businesses).

Today’s blog focuses on Law #2: Never Put Too Much Trust in Friends, Learn To Use Your Enemies. The impetus behind this law is that friends, knowing you well, perhaps ascending to power along with you, are prone to jealousy and privy to your weaknesses. When they turn on you, they generally know more about you than your enemies.

Beware your friends!

SIDEWAYS: The “enemy” for an authentic producer is an agent of fraud. From counterfeiting to coupon fraud, there are a plethora of ways in which all the planning, research, development, marketing and branding costs associated with putting a valuable product together can be squandered by an agent of fraud.

On the other hand, as your countermeasures—security deterrents, investigations, evidence gathering, etc.—become more effective in staunching the plans of your enemies, you drive would-be counterfeiters to theft or toward “insidious insider” activity. In the latter case, it is truly your friends who betray you. Someone working for your company, your brand, your product, sells out to the counterfeiters. When the turn on you, they generally know more about you than your enemies.

In this case, learning how to use your enemies is using the counterfeiters themselves to help you reduce their impact. Security printing, using the power of variable data printing (VDP), enables this. Use multiple printing techniques, including color, special designs, unique halftoning approaches, and other specialty printing, to force the counterfeiter to reveal something about himself when he tries to mimic your legitimate printing. Security printing features such as color bar codes, guilloches, etc., enable point-of-sale, authentication and mobile commerce, simultaneously. With VDP, however, any number of printed regions can be made variable. To use your enemy, the counterfeiter, effectively, use additional security printing features as decoys (make the counterfeiter think you’re inspecting them) or as bait (to make the counterfeiter reveal himself in replicating them).

Robert Greene notes that the reversal of this Law is almost always concomitant with the loss of the friendship. It is best not to mix work with friendship. For this reason, this rule is, in my opinion, strongly amenable to being turned upside down, as described next.

UPSIDE DOWN: Turning this rule upside down to create better business, use former enemies as new friends in the reality of the 21^st century global, distributed, fully supply-chain dependent world of business. The former enemies—your branded competitors—face the same common enemy. Counterfeiters, smugglers, third shifters (for factory overruns), and manufacturers of inferior (perhaps dangerous!) products. Your former competitors can unite with you to produce products that are safer, better-built, more environmentally friendly, more energy-efficient, more sustainable, and a host of other ameliorations. Rather than (rat)race your traditional competitors to the bottom (which is the history of the 21^st Century to date), KEEP THE BOTTOM DOWN. Counterfeiters now comprise the single largest competitor for legitimate brands in many product areas. Use your “enemies”, your former brand competitors, to fight this threat to us all.

Cheers,

Steve

See Law #1 at: http://www.communities.hp.com/online/blogs/securityprinting/archive/2009/05/27/91834.aspx

Law of Power 1—Never Outshine the Master

StevenSimske — Wed, 27 May 2009 05:35:00 GMT

Robert Greene’s eclectic masterpiece on the ethics—or lack thereof—of success, “The 48 Laws of Power”, serves as the stimulus for a set of 48 blogs to come on how to use these laws in fighting fraud (turning his rules sideways) and then using them to create better businesses (turning his laws upside down).

Today addresses Law #1: Never outshine the master. This is an excellent starting point, since the fine balance between attentiveness and obsequiousness and is the difference between a trusted aide and dusted aide. Greene’s chapter on Law#1 focuses on how biding one’s time and waiting for a truly inferior master to shoot himself in the foot is a better strategy than exposing the master as a fool.

SIDEWAYS: When it comes to defeating counterfeiters, not outshining the master means not spending more than the counterfeiter on the deterrents used to protect the product. Good advice here is not placing expensive, eye-catching deterrents on the product that a criminal can credibly spoof for less cost. Remember, counterfeiters are creative, counterfeiters typically invest in R&D, and counterfeiters like a challenge. Some examples are using holograms—counterfeiters can credibly spoof these using anything from aluminum foil to cheap lenticular prints. If you try to outspend counterfeiters, then you typically will. They will find ways to simulate your expensive deterrents for less, taking advantage of the indolence, insouciance or innocence of your retailers.

Robert Greene notes that the reversal of this Law is when the “master” is on his or her way down. Then, he advises, one must destroy the master completely. This is because the “master” is no longer master, and to prevent an angered master from coming back to power (with a grudge against you), annihilation is suggested. This makes sense in the realm of counterfeiting. Let the counterfeiters’ R&D skills shine, tease out their talents with inexpensive overt features. Achieve this with variable data printing (VDP) rather than expensive deterrents, where and when possible. When the counterfeiter tips his hand (by the counterfeiter R&D team’s “signature” in attempting to replicate your low-cost deterrence), destroy him completely.

UPSIDE DOWN: Knowing of this law can be used positively to create a collaborative business environment. Here, the law is “never outshine your partner”. Hold one card in reserve, and offer one card free for public viewing (like the dealer in Blackjack, for example). Never play until you have two strategies, each of which is fully thought out beforehand and which tie together after both are deployed. The strategy you give away for free leads to the one you hold in reserve. Bring in any useful, long-term partner (and any truly useful partner should be considered a potential long-term partner) by giving them something for free, or by letting them shine in the early phase. Do not outshine the partner means to share the publicity, the credit and the early glory. Strategy 2 might even make them look better—that is no small price to pay for longevity of your plans—but should also ensure your goals. The only place to outshine a partner is in the differential balance sheet between what you have with them over what you would have had without them.

Work together. It’s more profitable. It’s less stress, too.

Cheers, Steve

Partnership for Safe Medicines

StevenSimske — Sat, 25 Apr 2009 03:58:00 GMT

Security printing, RFID and related mechanisms to address counterfeiting and others supply chain fraud depend on the stick (investigation, evidence, prosecution) and the carrot (reward for compliance). The carrot is readily addressed through variable data printing.

The stick must be wielded carefully. This is the goal of the Partnership for Safe Medicines:

http://www.safemedicines.org/

And, they even provide a helpful acronym, "LEADER" for pharmacists (http://www.safemedicines.org/leaders-guide-for-pharmacists.html):

"The World Health Organization estimates that as much as 10 percent of medicines sold worldwide are counterfeit...It is important for all pharmacists to be aware of the dangers of counterfeit drugs, as well as be able to recognize and help prevent counterfeit drugs from reaching patients...Here are six steps for becoming a L.E.A.D.E.R. in the fight to protect patient safety.

Learn about contraband and counterfeit drugs.

Educate customers.

Avoid unsafe medicines and vendors

Decline suspicious offers. (Partnership for Safe Medicine claims of 365 pharmacies on-line, only 2 are legitimate).

Evaluate your medicines.

Report counterfeit drugs and suspicious vendors."

Good advice. This kind of education goes a long way. Successful anti-counterfeiting ecosystems are designed with a good estimate of the compliance rate. Education like that provided by PSM may not increase compliance, but it makes those pre-disposed for compliance more effective. Remember that 2x2 is equal to 4 just as 2+2 is. If the same number of users are compliant, but are on average twice as effective, the brand and the patient both win.

Cheers,

Steve

(Pipo Caban, gracias para la informacion acerca de PSM)

Print 2.0...and Barcode 2.0?

StevenSimske — Thu, 26 Mar 2009 21:17:00 GMT

I just received the updated (5th) edition of "The Bar Code Book" for work on track and trace, security labels, etc. The author has jumped to Trafford, an on-demand printer, http://www.trafford.com/, and the author notes in his forward, "Very little inventory is carried, and the whole process is quite amenable to making changes as updates are required"...in other words, even the sometimes assumed staid, stolid, stodgy, storefront world of barcodes has gone 2.0...on-demand printing is surely a "just in time" solution that actually makes sense to all involved. Reduced waste, instant versioning (if desired), decreased inventory, etc.

All of this makes the supply chain managers and bean counters happy. Imagine what it does for customers. They get personalized, to-the-minute salient information on the topic at hand. Software has versions like 9.0.1.1, why shouldn't books. Imagine getting a book that says, on the title/verso page, "934,567th Printing". Stick around, it's coming.

Why does this matter to security, brand protection and anti-counterfeiting aficionados? Because customization means evey copy is unique. When every copy is unique, every copy can be authenticated. Think of it as the digital way of hand-writing your name on the title/verso page.

Cheers,

Steve

Amusing ourselves to death

StevenSimske — Thu, 26 Feb 2009 15:36:00 GMT

A blog on a 24-year old book? Seems to go against the whole mobile, Web 2.0, "change is changing" metaphor of the 21st century, at first.

But, it has never been more important. The Wikipedia entry on Neil Postman's seminal book, officially titled "Amusing Ourselves to Death: Public Discourse in the Age of Show Business" hits home: "television is the primary means of communication for our culture and it has the property of converting a culture's conversations with itself into entertainment, so much so that public discourse on important issues has disappeared. Since the treatment of serious issues as entertainment inherently prevents them from being treated as serious issues and indeed since serious issues have been treated as entertainment for so many decades now, the public is no longer aware of these issues in their original sense, but only as entertainment".

I was reminded of this last night waiting to board the airplane. A "news" program was on television (our house is television-free since 2000...videos and Internet have superceded this technology for Chez Simske, but don't get me wrong--we have entertainment, we just don't pretend television is anything but), and it addressed important items like the fact that one of President Obama's top financial people drinks Diet Coke. The impact of this information on the current budgetary crisis in the U.S. is difficult to estimate.

The code of blogging for HP prevents us discussing politics, religion and the ingredients in a hot dog. Postman's book covers all but the hot dogs. And the point rings home--to address a $20-$34 trillion debt load in the U.S. (national, consumer, other, estimates vary), we see the current President and his chief rival in the last election joking about the cost of his helicopter (this is a bipartisan comment, so I haven't crossed those dangerous political guidelines). Is this seriously addressing very real, very pronounced economic meltdown or is it pandering to the camera?

Postman argues that education (Sesame Street then, try Blues Clues now) is focused not on teaching children to think--but inevitably to teaching them how to like TV. Religious leaders, politicians, news broadcasters--all people responsible for considering the most serious issues in life--are converted (some willingly, some begrudgingly) into entertainers. And, at some point, critical thinking is not only discouraged, but simply forgotten.

Postman spends a good portion of the book arguing that a Huxleyan, not Orwellian, world has resulted (the book was largely written in 1984). I think this is an oversimplification. Sure, there is rampant anti-intellectualism in the U.S., and it has certainly grown with the rise of television, DVDs, BlueRay, YouTube and other video. And, with a flair that Huxley would have envied, it has all been done willingly--but this harkens back before Huxley to Dostoevsky's Grand Inquisitor chapter in the Brothers Karamazov--bread before freedom.

I argue, however, that Orwell is not forgotten in this scenario--the very language people speak is influenced and nuanced now through television and its progeny. Orwell's "1984" featured Newspeak, famously "the only language in the world whose vocabulary gets smaller every year". We see the Orwellian dehydration of language in, for example, making nouns of verbs ("How much is the 'spend'"?) and verbs of nouns ("Sorry, can't think right now, I'm televisioning"), and neologism through the formalization of litotes ("that is seriously ungood, dude"), to give just a few examples.

I'm not trying to be pedantic here. Blogs, after all, are to some extent a form of entertainment. However, you will note that the use of images and videos does not necessarily contribute much to the impact of the present discussion (assuming you have not used a "television attention span" and moved to the next link already). Text, which is incumbent to a "log" (even a weblog), requires exposition--sequential thought, developing, elaborating, and nuanced. Postman's book argues that the television killed the age of exposition, and there is certainly some truth to that. But blogs, variable data printing (printing as customized information!) and exposition-enabling Web 2.0 technologies such as Twikis may actually provide the "revenge of nuanced thought". If you disagree, well, of course, I'd love to hear your exposition..."A statement or rhetorical discourse intended to give information about or an explanation of difficult material."

[Thanks to Jason Aronoff for loaning me the book to re-read after more than two decades!]

Cheers,

Steve

Stocking Stuffers II: Security Printing Acronyms and Getting Started

StevenSimske — Tue, 30 Dec 2008 04:56:00 GMT

[Another whitepaper length summary of some related articles from this year's blog]

PRACTICE Good Anti-Counterfeiting Techniques

I have previously remarked that the approaches to counter counterfeiting depend on the relative mix of addressable and unaddressable counterfeiting occurring in the supply chain. If the counterfeiting is not addressable, then the brand must continue to message the unique qualities offered by their product so that people will want the authentic—and not the counterfeit—product. If a brand owner cannot address the counterfeiting, then the brand owner must provide a product provably superior to the customer. With “unaddressable” counterfeiting, perhaps paradoxically, the brand owner must struggle with the customer, and not with the counterfeiter. If the counterfeiting is addressable, on the other hand, then the brand owner is in a direct struggle with the counterfeiter. And to fight the counterfeiter, a single weapon is rarely sufficient. To deter a counterfeiter takes PRACTICE. And this blog addresses how PRACTICE (Plan, Research, Activate, Collect, Train, Investigate, Convict and Evolve) leads to a multifaceted ecosystem of tactics to prevent, detect and react to counterfeiting.

So, a version of an old joke to start. Patient: “Doc, are you comfortable with your diagnosis?” Doctor: “Ma’am, I’ve been practicing medicine for 40 years.” Patient: “Well, I’d like a second opinion from someone doesn’t need any more practice, and actually knows what he’s doing.” However, any physician worth her salt invests in CME, or continuing medical education. Life is practice. Practice doesn’t make perfect, but it can always improve on the imperfect that is the now. And PRACTICE is the acronym I’ll use for the crucial eight elements in an effective anti-counterfeiting ecosystem. So, let’s take a look, one element at a time.

P is for Plan.

The Plan is paramount, because it anticipates the overall strategy—including the research to be performed. The plan must consider the set of deterrents to be used. Will they be overt, covert, and/or forensic? Who will collect data on them to perform track and trace, inspect, authenticate or forensically analyze? When and how will these deterrents will be researched? When and how will the extent of current and future counterfeiting threat to the product be researched? The plan includes the activation of the ecosystem—the nerve-racking moment when the first products belonging to the security ecosystem roll down the production line—and the data collection roll-out. The plan includes the training: how customers, retailers, inspectors and possibly forensic analysts are educated about the deterrents. How will investigation and potential legal action—based on evidence collection and prosecution—be supported? And, finally, how will the system evolve? That’s right, we must plan for change.

R is for Research.

Research includes how you pick your deterrents. Do you pick ones that are easy for the counterfeiter to spoof? If so, they should cost you nothing. Do you pick one that’s hard and/or expensive for the counterfeiter to reproduce? If so, good, but you need to research how easy it is to use for your would-be counterfeiters. Research also includes understanding the counterfeiting threat to your supply chain. If you think it is small, you’d better look hard. It’s much easier to show it is a large problem than a small problem—sorry, that’s just the nature of statistics. You need hundreds of samples from any relevant section of your market to be sure the problem actually is small.

A is for Activate.

After your research plan is completed, the system must be turned on. This is a huge step—maybe more accurately a “step function”—but the bump of activation can be smoothed by starting small. A 2D barcode is one way to collect information on where your products are going, but some companies start even smaller. Think of the soda pop folks who print numbers under the caps on their 20-ounce plastic bottles. They’re not doing this so you can win a free can of pop—they’re doing it to see where the unique numbers are going, and validate their supply chain. Their “activation” is a matter of setting up a website and asking people to web/dial in the numbers under their caps. No—this doesn’t give true track and trace, and certainly not authentication, but it does help them collect data (see next step!) useful in assessing just how big a problem they have on their hands. Activation in full-fledged, label-based security printing and imaging means having the deterrents integrated into the digital front end of the printing. It means having all of the inspection and authentication algorithms, devices and reporting systems fully tested, qualified and in place for the long run. And, it means integrating the data with your existing manufacturing, distribution and reporting registries.

The first C is for Collect.

Collecting data is not just about reading the 2D barcodes and other printed features on the label, packaging or document. A lot of data must be collected beforehand, as part of the research. One way to get this kind of data is described in the previous paragraph. However, data must be collected on an ongoing basis to determine the extent, location and nature of the counterfeiting threats. To determine the extent, one must research all channels for sales—from supermarket to information superhighway. What percentage of the product in each channel is counterfeit? How many counterfeiters are there? Do the counterfeiters work together? This data is crucial for later investigation and legal reaction to counterfeiting. Other data is also collected on an ongoing basis—inspection, authentication and forensic information on the quality of the printed deterrents. I will talk about specifics of these data in a later blog.

T is for Train.

Training, or educating, the actors in the product’s supply chain, is tied to the ecosystem planning described above. If you are relying on your end customers to validate—inspect and report anomalies, authenticate, whatever—the product, then you have to provide reliable and easy—preferably really easy—steps for them to follow. If you trust your retailers and want them to authenticate, the training can be a little—but only a little—more involved. If you are relying on paid inspectors, the training can be more complicated, but in general they will still need to be able to validate the products with relatively simple, cheap and portable devices. The training plan approach is similar to the one you must take for auditing and compliance with most government bodies—for example, NASA and the FDA. The most important consideration is to have a process in place and to then follow it. If you don’t follow the process, your data won’t link together, you won’t pass an audit, and you won’t have reliable estimates on the extent of the counterfeiting. Additionally, abandoning a process just because counterfeiting is occurring causes confusion for those who wish to legitimately validate your product. Counterfeiters love confusion, it helps them in their (non-legitimate) supply chain. There are better ways to address future counterfeiting, and I’ll talk about the “innate moving target” shortly.

I is for Investigate.

A lot of brand managers fail to understand that in order to investigate, you typically need an additional type of data to the data you use for track and trace, authentication or inspection. Investigations depend on the investigation plan—how data is collected, retained, analyzed and acted upon. Dynamic research is required. If you start to see sporadic counterfeiting in a new area, for example, it is often the case that these counterfeits originate in another, already “counterfeit-established”, region. Investigation is necessary to test for the link(s). And just investigating the “publicly known” security features may not be enough. Instead, additional features of the product—up to forensic analysis of the printing and/or product ingredients—may need to be analyzed to uncover the counterfeit supply chain. I’ll talk about the collection of salient investigative data in more detail in a later blog.

The second C is for Convict.

How do we get a conviction? Well, first of all, you can’t convict anyone if what they’re doing isn’t illegal. So, brand owners who are not working with government (e.g. FDA) and other compliance bodies (e.g. GS1) are encouraging the counterfeiting of their products. If you’re in organized crime and are still resorting to the old ways—gambling, prostitution, weapons, drugs—you’re a fool. Counterfeiting is easier, more rewarding (higher margin!) and less risky. And, brand owners, stay with me here: counterfeiters already know this. So, help stiffen the penalties for counterfeiting, smuggling, product diversion, and other forms of fraud—security is about detection and reaction even more than prevention. Without an onerous reaction, there simply is no deterrence. Even if your deterrents cannot be beaten. With no reaction and unbeatable deterrents, all you do is force the bad guys to resort to old-fashioned insider jobs. Bribery, extortion, blackmail, eavesdropping, collateral theft—they have a lot of options. And they’re creative, so this list is just a sample. To get a conviction, you will need the laws in place. Additionally, to get a conviction, you need an auditing, compliance and data integrity plan. In many countries, even the counterfeiters are presumed innocent until proven guilty. Make sure your data is credible, auditable, and usable. If it’s not, it’s not data, it’s just wasted storage space.

Finally, E is for Evolve.

“They” say people don’t like change. Then, another “they” say that people do like change, and that to be human is to change. “They” are both correct. We like change, when we see it coming. In anti-counterfeiting, we see it coming when we design our security system to be an innate moving target. That is, the system is designed for change, benefits from change, and anticipates the need for change. However, these changes do not cause a system reset, a brand protection blue-screen, a full stop. They simply require the existing system to change its settings. Maybe the counterfeiters have to fully reboot, but that’s OK. Remember the rule, any system that makes the counterfeiters spend more than the brand owner is a deterring system. Any system that doesn’t needs to be changed. I’ll cover this topic more fully in future blogs, including the next.

The deterrent used, therefore, must match the training given to the would-be validators. And the only way there is an appropriate “impedance match” between the deterrents and how they are successfully used in the ecosystem is if the planning occurs first, the research second, and the activation third. As with all successful security approaches, security printing will only work if it is built from the ground up.

This form of PRACTICE outlines an end-to-end process for initiating and supporting an anti-fraud program. Each of these—from Plan to Evolve—involves by itself multiple processes as well. Let's look more closely at on two quite different types of processes, each focused on the “Investigate” portion of PRACTICE. The “Investigate” portion includes the continual accumulation of data on the counterfeiting of your product. One means to do this uses security variable data printing, or SVDP. This is the use of multiple variable deterrents to draw out the “style” of the counterfeiter. That is, SVDP regions can be used as “bait” or “decoy” deterrents—not to force the counterfeiters to “replicate” the data in the printed region, but instead to force the counterfeiter, through trying to replicate the appearance of the printed region, to identify himself. This is because complex printed regions cannot be scanned and re-printed without modification. How a counterfeiter will try to reproduce such a complicated region—the choice of color, intensity, spatial frequency, contrast and other transforms the counterfeiter uses—provide a signature for the counterfeiter’s style. This process is an example of an a priori process, in which the data to be collected is designed and deployed. Another means to continually accumulate data on the counterfeiting of your product is to perform a posteriori analysis of the product, and compare the analysis results to those expected of legitimate product.

As a non-printing example, John Jasper, head of Molecular Isotope Technologies (MIT), writes, “Process patents are mechanisms by which to protect and extend the patent-protected lives of pharmaceutical products. They are typically supported by the analysis of reaction impurities, trace metals, etc. Natural stable isotopes present a novel source of information recording evidence of the process manufacturing history – particularly, the synthetic pathway – used to produce pharmaceutical and other chemical materials…[Our] work in the area of product authentication showed that every batch of pharmaceutical materials had a highly-specific ‘isotopic fingerprint,’ allowing individual batches of materials to be tracked and counterfeit batches to be identified.” In other words, MIT’s process for analyzing the reagents in a pharmaceutical are precise enough to disambiguate between the authentic and the counterfeit processes involved in production.Image forensics, not surprisingly, can also be used in an a posteriori manner. The process is, on the surface, similar to the a priori approach: printed regions are analyzed for their characteristics, and different regions classified and clustered to help identify the number and size of the counterfeiters in your supply chain. The difference is that, using such an approach, a suitably difficult-to-reproduce printed area must be identified without the benefit of SVDP. So, a word of advice: if you want to identify counterfeiters, don’t make it easy on them—use SVDP or at minimum a few regions of difficult-to-reproduce printing (natural images, designs such as guilloches, etc.). Otherwise, you’re simply making their job easier, and that’s one process that makes no sense.

Universal ACID

Here I focus in on one specific technology which, if used properly, can help tips the odds in favor of the legitimate supplier and the concerned customer. Variable Data Printing, or VDP, provides the capacity, if so desired, to vary every aspect of a print job. However, for ease of making the print run compatible with the graphic artist’s design for the label, package, document, or other printed material, variable data printing is usually associated with a database that is populated before the job is “ripped”; that is, set to final printing commands by the RIP, or raster image processor.

A simple VDP job is outlined here:

Static elements (background, brand logs, three empty copy holes)

Copy hole #1: Database for 2D bar codes

Copy hole #2: Database for unique text sequences

Copy hole #3: Database for watermarked images

When the RIP occurs, the static portion is printed quickly (usually stored in a cache for quick “ripping”), and then each of the copy holes is filled based on the reference for that printed material, pulling the correct bar code, text sequence or watermarked image from the database and rendering it to the copy hole. In security VDP, or SVDP, the copy holes contain not only variable data, but usually uniquely variable data. Also, this variable data can be (but isn’t always) read by some type of inspection, authentication or forensic device. That is, the copy holes contain data. Most readers are probably familiar with mass serialization, but if not, I will describe that in more detail in an upcoming blog. Suffice it to say for now that mass serialization is a means of ensuring that each copy hole on each printed material—e.g. label, package or document—contains a different identifier that can be read (which means interrogated and the data encoded successfully interpreted).

Once you understand the power that variable data printing brings, it is universal acid—you realize it cuts through everything. And in this case, universal ACID means All Content Is Dynamic. Not just variable—but variably variable, or dynamic. Every element printed can be a variable copy hole and so our scenario above shortens to: For every region on the printed material, Copy from Database for that region Thus, every region is novel, or unique identified, and so capable of being interrogated for its information. In anti-counterfeiting, we wish to provide a moving target for the would-be counterfeiters, staying one step ahead of them in the deployment of security features. However, this is a tedious game for us as well as the counterfeiters. SVDP offers us, however, an innate moving target—the ability to change the very nature of the variability on the fly. With SVDP, we have a way of providing a moving target without having to change our technology. VDP is the technology that provides a continual, built-in moving target. SVDP allows us to interrogate the information that is printed variably. This means that SVDP extends variability beyond just having a different identifier in the variable copy hole. It provides a who, what, when, where, why and how variability to the security printing RIP.

Who varies the job can tie the set of deterrents deployed—and how they link together—to a particular press operator, SKU, brand, or other logical units. By linking, we mean how the set of variable features relate to one other. Examples of deterrent relationships include replication, hashing, sequence fragmentation [sharing the mass serialization data between two or more variable copy holes], and other techniques for making the multiple variable regions “cooperate” with each other. One particularly powerful method is to use one deterrent—usually one used for track and trace or authentication already—as the registry “look up” sequence from which the signed-in user may then obtain information on one or more other variable regions.

What is varied also depends on how many security deterrents the brand requires—some for track and trace, some for authentication, some for forensics, some just to decoy the would-be counterfeiters, some to be used in case of recalls or other contingencies, etc.

When the deterrents are varied—or more importantly when the variability pattern is changed can be tied to pragmatic product details, For example, if the shelf life of a product is 6 months, it makes sense to change the relationship between deterrents every six months, so expired products also exhibit “expired” security strategies.

Where the variability is provided can change, too. Variable regions can be made static, and static regions can be made variable, over time. This keeps the would-be counterfeiter grasping at straws, and yet can still accommodate using a consistent variable deterrent, such as a 2D barcode, over time.

Why the deterrents are made variable depends on the realities in the supply chain and in the hands of customers. If certain deterrents are being successfully attacked, then adding new variability to the printed material is another way of gathering information on who the counterfeiters might be—insidious insiders, for example, may quickly incorporate these new variable regions, even if they are not tracked by your authenticators, and so tip their hand to you.

Finally, how the variability is provided is up to you. With VDP, there are so many “how” possibilities that you are being remiss as a brand owner if you fail to do either of the following two VDP processes: 1) Make a plethora of regions variable2) Change the relationship between the variable regions frequently In other words, we vary the way we vary the variability at various times. It’s VDP to the nth. And the more variable regions you have, the more security bits you can print.

We have to assume that the counterfeiters are aware of all these possibilities. And, at first, they appear rather daunting to the would-be counterfeiter. But, counterfeiters don’t react the way we expect them to, and so we have to be prepared for the unexpected. To help illustrate this, in the next blog, I am going to show how we might set up and defend our own counterfeiting business! And who knows, maybe SVDP will pass even this test…

Are You Making It Too Easy for Counterfeiters? Then, Let Me SLAP You!

Acronyms and anagrams are excellent means to simplify a message and to provide easy recall of this message (thus, the word “mnemonic” [Greek origin]—assisting or intended to assist the memory). For example, in 3^rd Grade, I figured out that my last name was an anagram for “KISS ME”. And I conveyed this knowledge to all of my female classmates. Which, not coincidentally, leads us to discussing the mnemonic SLAP.

SLAP, in the case of producing an effective ecosystem for brand protection and anti-counterfeiting, is an acronym for Scalable, Logical, Analytical, and Progressive.

Scalable means that the solution you propose can be used on multiple production runs, multiple products (SKUs), and for a reasonable amount of time. Don’t try to “divide and conquer”—that is, don’t use a completely different approach on different products. It will confuse your customers, your retailers, and your inspectors. Not only will it make it more difficult for you to get good authentication feedback, but you actually may increase the perception that your products are being counterfeited. Product “A” has deterrents 1, 2 and 3 on it, but Product “B” has deterrents 4, 5 and 6 on it—hmmm, one of these is probably fake. Or, worse yet, the would-be authenticator simply tunes out—too complicated, not worth it, too hard to figure out how to authenticate the product. Keep the message simple, and use an innate moving target for deterrence rather than actually changing the target. Security Variable Data Printing (SVDP) is such an innate moving target. One can change the information embedded in the security print, but never change the way a user interacts with it. And, because SVDP affords so many different means of embedding trackable and authenticable data, it is innately scalable, as well.

Logical means, well, think! Don’t make it easy on the counterfeiters. Here are some illogical approaches: (1) Spend a lot on your deterrent (counterfeiters love these “high margin” deterrents, because they’ll always knock them off more cheaply, and it decreases your margins while increasing theirs); (2) Use a deterrent/approach for only a short while and then stop using it (now your would-be authenticators don’t know what to expect—was it the old deterrent or the new deterrent, and which is legitimate). Much more logical: any time you roll out a new deterrent, which is unavoidable for some products—educate your authenticators; (3) Confuse different utilities in a familiar approach. Using variable data inside a hologram is one such example—most users think holograms are “variable” already, and aren’t likely to even notice the fact that one hologram is different from another; (4) Confuse machine vs. human readability. If you use a deterrent intended for machine reading, then embed data in a way that machines can read better than humans. And vice versa. Humans, for example, are very good at noticing alignment differences and relative color differences. Mach bands and other optical illusions are entirely invisible to machines. Machines are much better at noticing absolute color differences and of course steganographics such as watermarks. Meaning metamerisms are mainly meant for machines (alliterative, no?).

Analytical means your approach to the ecosystem should be geared at generating quantitative data. What is the compliance rate (i.e. what percentage of would-be authenticators actually try to authenticate)? What is the counterfeit rate? Read failure rate? If you can’t disambiguate these latter two—counterfeit vs. read rate, that is—you do not have an analytical solution. SVDP again underpins such an analysis: a counterfeit sample will generally have a different combination of print quality, print forensics and payload (data to be read) than a legitimate but unreadable—e.g. damaged, read with poor lighting, etc.—sample. Because of the multiple modalities—color, saturation, intensity, steganographics, halftoning, etc.—involved in printing, SVDP provides many on-ramps for analytics.

Progressive, finally, means that your approach allows progressively more complicated analysis to proceed smoothly. From an imaging standpoint, this means we move from image quality assessment (image “grading”) to image inspection to image authentication to, finally, image forensics. At each stage, a more in-depth analysis—and thus more difficult to reproduce—of the printed material is obtained. Making the first stage, image grading, relatively fast and painless, is an excellent way to generate “leads” from your customers. HP and many other brands address this by using “high-end” overt deterrents on their packaging. Customers are familiar with the motif—color-shift, thermochromic, etc.—and so notice when these have been unsuccessfully knocked off. Inspection ties layout and partial authentication to quality. Authentication ties the print job to the database of legitimate products. Forensics ties the data to the very material printed on, as discussed above.

Happy 2009!

-Steve

Does Theft Matter?

StevenSimske — Tue, 09 Sep 2008 05:15:00 GMT

One of my colleagues and friends, Puneet Mehta (one of HP’s top RFID/Supply Chain experts), pinged me recently, and mentioned “I found this interesting article about the theft of baby formula. [Is it salient] to Security Printing?” This is an excellent question. Does Theft Matter?

When you consider the logic of a three-part plan for your company against its worst competitors (the counterfeiters), yes, theft really matters. In act, it is logically where you are directing the counterfeiters. As I’ve discussed before, one of the main advantages of security printing is to provide a low-cost means of adding product security. You’re going to print, anyway, so a would-be consumer can see it’s your product, so why not print something that helps you identify authentic, as opposed to counterfeit, product in your supply chain (or in someone else’s supply chain, come to that). Yes, you need security-VDP (variable data printing) to do so, but if you haven’t already gone digital (and thus variable), it’s time you considered it.

This segues directly to Step #1 in forcing the counterfeiters to do you bidding—get them to spend more on counterfeiting than you did in legitimately creating the product. If you spend nothing incrementally using security-VDP, then the counterfeiter will outspend you, if for no other reason than to figure out what you did, while you did it effortlessly. This is one place where reverse-engineering costs more than the original engineering. Use it. Don’t, however, think you can get the counterfeiter to spend more than you by getting an expensive, but restricted-access deterrent. The counterfeiter will either more cheaply spoof it, purchase them from an insidious insider at the very same provider as you purchase it from, or simply buy in greater bulk than you, and thus get a cheaper rate on the deterrent than you do! Remember, a good counterfeit company (“good” meaning successful here—don’t get all judgmental on me!) will have multiple products in the market, and so they can afford a good price for bulk purchasing.

Step #2 is to get the counterfeiter to buy your equipment. As mentioned above, I’m sure plenty of security deterrent companies are already achieving this “success”. How many security deterrents—from holograms to Holy-cruds [this being those Holy-crud-are-these-hard-to-open plastic shells around many toys and electronic items]—are purchased by counterfeiters to make their product seem “legitimate”? Probably more than we care to know. A more successful strategy is to provide packaging/labeling/printing of products—from notebooks and doughnuts to banknotes and documents—using a special printer that the counterfeiters need to replicate the job. I recommend the HP Indigo, but in fairness there are other non-HP presses with signature technologies and capabilities, especially in finishing. Get one of them, and use it for your products. If you use static and/or generic printing, you’re asking for trouble. And, in the case of HP (or any other special print device provider), you’re missing a revenue opportunity. Just because counterfeiters have become our biggest competition, there’s no reason they can’t become our customers, too.

Step #3, however, is the main focus of today’s blog. Puneet pointed out an article (http://www.phillyburbs.com/pb-dyn/news/113-09012008-1584236.html) describing how thieves have begun targeting baby formula. The article reports on thefts of up to or exceeding $1,000 worth of formula at a time. The response? The infant formula was brought behind the counter. A sure way to stop thieves, but for those who like browsing while shopping, a turn off. Sales are lost when wares are locked. The director of CVS Pharmacy stated, “The store will soon display the formula in a locked case.”

Who are these thieves? Not desperate housewives or househusbands, usually that is. The article notes “Many times the culprits are rings of thieves who sweep Similac, Enfamil and similar products from the shelves because they are a valuable commodity in the retail-theft marketplace”. Oh yeah, baby formula is easy to sell. In other words, it has high turnover in the undermarket, or what I call the market underneath the marketplace. And the rest is, sadly, old hat to any long-time readers of this blog. The thieves mislabel the formula, store it at the wrong temperature, and are often members of organized crime rings with big, nasty folks nicknamed “Bubba” and “Hurty”.

But, in Step #3 of any cohesive anti-counterfeiting program, you will drive the thieves to stealing. If they actually can’t economically reproduce your branding and security, they’ll start to hijack your trucks and raid your distributors. Your supply chain’s integrity is only as robust as the weakest deterrent, lock or mind you have working for you. Remember the mantra—security is not as much about prevention as it is about detection and reaction. Using tamper-evident, copy-evident and uniquely identifiable deterrents forces the thieves to steal. And you complete, with success, the three part program to “win” the brand protection battle. Now you must be prepared to “win” the after-branding battle. When you drive your competition—the counterfeiters—to theft, you need to bring the rest of your armaments to the fray. These are education, investigation, evidence and reaction. I’ve talked about how to put a system providing this into PRACTICE (May 12, 2008), but let me recapitulate briefly.

Make the brand identification integral to your security. That way, if a thief uses your label, he can be tracked. If he doesn’t, well, he will still provide clues to his identity by how he tries to mimic your label. If he doesn’t try to mimic your label and uses his own, fewer clues are gained (and less pity felt for the purchaser, who should know better). But, you’re surely getting the drift here—if you routinely inspect your packages, labels and documents as part of track and trace and authentication, then you will also gather intelligence on the rats scurrying around in your supply chain warehouses. I mean the two-legged rats, of course. This intelligence can be used to define—find and fingerprint—the counterfeiters and thieves, and provide evidence to those willing to prosecute them.

So, does theft matter? It sure does. First off, it is a sign of success. Yeah! You’re making it so hard for your counterfeiters, they’re resorting to stealing. They may actually go to jail for that. But, there’s no time to rest on your laurels. Stealing still requires a smart, security-VDP-driven approach. Why not plan for the future, and put into place a practical program that can both help prevent counterfeiting and later help fight theft?

-Steve

High and dry

StevenSimske — Sat, 12 Jul 2008 06:37:00 GMT

Hiking in the mountains above the Black Canyon of the Gunnison, I saw the dead tree shown in the photo below...

I was interested in how the tree had died. Was it too high on the mountain? Was the ground beneath it too porous to hold water during the growing season? Was it old? Was it due to a late frost?

When I returned home, I found a much larger (locust) tree in my backyard was also bereft of life, photosynthesizing no more, an x-tree. And this is true of an astonishing number of trees in Fort Collins this year. Not to mention the rest of Colorado and Wyoming (see for example www.rockymountainnews.com/news/2008/jan/15/beetle-infestation-get-much-worse/). Every single lodgepole pine will be dead in this area in 5 years.

Monocultures, such as a lodgepole pine-only forest, are generally quite fragile, susceptible to sudden decimation, and poorly robust in response to a challenge. Trite expressions such as "don't put all your eggs in one basket" come to mind, and for good reason. When you've reduced what should be a complex system to a single element, you are at the whims of fate. It's not linear. One element, no interactions, and the only resiliency your system has is the resiliency of that element. Two elements: you have the resiliency of element 1, or element 2, or the combination of element 1 and 2. Three elements--seven resiliencies (including the interactive resiliency of all 3 elements together). Four elements--15 resiliencies. In general, with N elements, there are 2 to the power of N minus 1 resiliencies.

A robust brand should benefit from the same mathematics. Multiple suppliers, multiple manufacturers, multiple assembly locations. When one of the suppliers, manufacturers or assemblers is compromised, there is a network left behind, robust to the loss. The brand quality and consistently can still be maintained.

So why do brands let themselves go "high and dry", reducing their supply/value chains to a single element? An easy answer is the relentless pursuit of reduced cost, but this is a false pursuit. Measuring cost is like measuring the length of a coastline--its value changes depending on how closely you look. On a related example, if you wanted to get from Provincetown to Plymouth, your path will differ greatly depending on whether your vision extends five miles or fifty miles. If the former, you can only move along the coast of Cape Cod and the journey extends 80 miles. If the latter, you set out almost due west, and the journey is 20 miles.

Short-term cost--that is, cost in the NEXT QUARTER--has become paramount for the US (and other) economies. However, strategies for the next quarter typically have little bearing on costs for the next five years. Steering your strategy by single quarters? Enjoy rowing four times as hard.

Brand protection strategies must also look beyond the next quarter. There must be an innate moving target, which means you can change the specifics of your deterrent, inspection and authentication implementations without your having to change how the strategy is implemented. Variable data printing, as I've described before on this blog, provides an innate moving target. So does refusal to be complacent. Be interactive, be adaptive, respond to what your customers are seeing. Think beyond the current counterfeiting approaches. Attack your own protection. Otherwise, your product will truly be left high and dry, and no amount of rowing will get you to the destination of brand protection.

-Steve

Thanks for making it easy!

StevenSimske — Sat, 31 May 2008 06:20:00 GMT

This week on my blog I am Guido De Terenza, the crime lord of deterrents, and I am starting off my counterfeit counterblog thanking all of you good people in brand owner land for making my job easier. Nothing makes Guido happier than a brand owner who hands over their brand without a fight.

Not that I'm unwilling to fight. I've got a few friends--the six foot tall, 260 pound, failed at pugilism and failed at the NFL type, who I could send by to "convince" you, but thanks to your indolence, satiety and/or smugness, well, I can use them for other purposes, like say cleaning my brand new Olympic size pool. Thanks for buying me that, by the way.

You see, today, as I am most grateful for a successful migration to the new Blogging platform, I am also most grateful to you wonderful brand owners employing static deterrents for your high-margin products. I know you think it's not possible to reproduce your lovely protection feature, but you forgot that I have a little friend in every company, even in the one you pay an extortionate rate for that "unbreakable" deterrent. And that friend, well, let's just say he needed a new car. Or not to die. Or not to have his daughter followed on the way home from school. I'll spare you the details. Needless to say, just as there's no security through obscurity, there's also no security by outspending the counterfeiter. You're only spending your margin.

Thanks, Guido

Universal Acid

StevenSimske — Mon, 19 May 2008 03:21:00 GMT

In the previous blog, I outlined the broad PRACTICE of preventing anti-counterfeiting. In today’s blog, I focus in on one specific technology which, if used properly, can help tips the odds in favor of the legitimate supplier and the concerned customer.

Variable Data Printing, or VDP, provides the capacity, if so desired, to vary every aspect of a print job. However, for ease of making the print run compatible with the graphic artist’s design for the label, package, document, or other printed material, variable data printing is usually associated with a database that is populated before the job is “ripped”; that is, set to final printing commands by the RIP, or raster image processor.

A simple VDP job is outlined here:

Static elements (background, brand logs, three empty copy holes)

Copy hole #1: Database for 2D bar codes

Copy hole #2: Database for unique text sequences

Copy hole #3: Database for watermarked images

In security VDP, or SVDP, the copy holes contain not only variable data, but usually uniquely variable data. Also, this variable data can be (but isn’t always) read by some type of inspection, authentication or forensic device. That is, the copy holes contain data. Most readers are probably familiar with mass serialization, but if not, I will describe that in more detail in an upcoming blog. Suffice it to say for now that mass serialization is a means of ensuring that each copy hole on each printed material—e.g. label, package or document—contains a different identifier that can be read (which means interrogated and the data encoded successfully interpreted).

For every region on the printed material,
Copy from Database for that region

Thus, every region is novel, or unique identified, and so capable of being interrogated for its information. In anti-counterfeiting, we wish to provide a moving target for the would-be counterfeiters, staying one step ahead of them in the deployment of security features. However, this is a tedious game for us as well as the counterfeiters. SVDP offers us, however, an innate moving target—the ability to change the very nature of the variability on the fly. With SVDP, we have a way of providing a moving target without having to change our technology. VDP is the technology that provides a continual, built-in moving target. SVDP allows us to interrogate the information that is printed variably.

This means that SVDP extends variability beyond just having a different identifier in the variable copy hole. It provides a who, what, when, where, why and how variability to the security printing RIP.

1) Make a plethora of regions variable

2) Change the relationship between the variable regions frequently

In other words, we vary the way we vary the variability at various times. It’s VDP to the nth. And the more variable regions you have, the more security bits you can print.

PRACTICE Good Anti-Counterfeiting Techniques

StevenSimske — Mon, 12 May 2008 04:35:00 GMT

In the previous blog, I remarked that the approaches to counter counterfeiting depend on the relative mix of addressable and unaddressable counterfeiting occurring in the supply chain. If the counterfeiting is not addressable, then the brand must continue to message the unique qualities offered by their product so that people will want the authentic—and not the counterfeit—product. If a brand owner cannot address the counterfeiting, then the brand owner must provide a product provably superior to the customer. With “unaddressable” counterfeiting, perhaps paradoxically, the brand owner must struggle with the customer, and not with the counterfeiter.

If the counterfeiting is addressable, on the other hand, then the brand owner is in a direct struggle with the counterfeiter. And to fight the counterfeiter, a single weapon is rarely sufficient. To deter a counterfeiter takes PRACTICE. And this blog addresses how PRACTICE (Plan, Research, Activate, Collect, Train, Investigate, Convict and Evolve) leads to a multifaceted ecosystem of tactics to prevent, detect and react to counterfeiting.

However, any physician worth her salt invests in CME, or continuing medical education. Life is practice. Practice doesn’t make perfect, but it can always improve on the imperfect that is the now. And PRACTICE is the acronym I’ll use for the crucial eight elements in an effective anti-counterfeiting ecosystem.

So, let’s take a look, one element at a time.

P is for Plan. The Plan is paramount, because it anticipates the overall strategy—including the research to be performed. The plan must consider the set of deterrents to be used. Will they be overt, covert, and/or forensic? Who will collect data on them to perform track and trace, inspect, authenticate or forensically analyze? When and how will these deterrents will be researched? When and how will the extent of current and future counterfeiting threat to the product be researched? The plan includes the activation of the ecosystem—the nerve-racking moment when the first products belonging to the security ecosystem roll down the production line—and the data collection roll-out. The plan includes the training: how customers, retailers, inspectors and possibly forensic analysts are educated about the deterrents. How will investigation and potential legal action—based on evidence collection and prosecution—be supported? And, finally, how will the system evolve? That’s right, we must plan for change.

R is for Research. Research includes how you pick your deterrents. Do you pick ones that are easy for the counterfeiter to spoof? If so, they should cost you nothing. Do you pick one that’s hard and/or expensive for the counterfeiter to reproduce? If so, good, but you need to research how easy it is to use for your would-be counterfeiters. Research also includes understanding the counterfeiting threat to your supply chain. If you think it is small, you’d better look hard. It’s much easier to show it is a large problem than a small problem—sorry, that’s just the nature of statistics. You need hundreds of samples from any relevant section of your market to be sure the problem actually is small.

A is for Activate. After your research plan is completed, the system must be turned on. This is a huge step—maybe more accurately a “step function”—but the bump of activation can be smoothed by starting small. A 2D barcode is one way to collect information on where your products are going, but some companies start even smaller. Think of the soda pop folks who print numbers under the caps on their 20-ounce plastic bottles. They’re not doing this so you can win a free can of pop—they’re doing it to see where the unique numbers are going, and validate their supply chain. Their “activation” is a matter of setting up a website and asking people to web/dial in the numbers under their caps. No—this doesn’t give true track and trace, and certainly not authentication, but it does help them collect data (see next step!) useful in assessing just how big a problem they have on their hands.

Activation in full-fledged, label-based security printing and imaging means having the deterrents integrated into the digital front end of the printing. It means having all of the inspection and authentication algorithms, devices and reporting systems fully tested, qualified and in place for the long run. And, it means integrating the data with your existing manufacturing, distribution and reporting registries.

The first C is for Collect. Collecting data is not just about reading the 2D barcodes and other printed features on the label, packaging or document. A lot of data must be collected beforehand, as part of the research. One way to get this kind of data is described in the previous paragraph. However, data must be collected on an ongoing basis to determine the extent, location and nature of the counterfeiting threats. To determine the extent, one must research all channels for sales—from supermarket to information superhighway. What percentage of the product in each channel is counterfeit? How many counterfeiters are there? Do the counterfeiters work together? This data is crucial for later investigation and legal reaction to counterfeiting.

Other data is also collected on an ongoing basis—inspection, authentication and forensic information on the quality of the printed deterrents. I will talk about specifics of these data in a later blog.

T is for Train. Training, or educating, the actors in the product’s supply chain, is tied to the ecosystem planning described above. If you are relying on your end customers to validate—inspect and report anomalies, authenticate, whatever—the product, then you have to provide reliable and easy—preferably really easy—steps for them to follow. If you trust your retailers and want them to authenticate, the training can be a little—but only a little—more involved. If you are relying on paid inspectors, the training can be more complicated, but in general they will still need to be able to validate the products with relatively simple, cheap and portable devices.

The training plan approach is similar to the one you must take for auditing and compliance with most government bodies—for example, NASA and the FDA. The most important consideration is to have a process in place and to then follow it. If you don’t follow the process, your data won’t link together, you won’t pass an audit, and you won’t have reliable estimates on the extent of the counterfeiting. Additionally, abandoning a process just because counterfeiting is occurring causes confusion for those who wish to legitimately validate your product. Counterfeiters love confusion, it helps them in their (non-legitimate) supply chain. There are better ways to address future counterfeiting, and I’ll talk about the “innate moving target” shortly.

I is for Investigate. A lot of brand managers fail to understand that in order to investigate, you typically need an additional type of data to the data you use for track and trace, authentication or inspection. Investigations depend on the investigation plan—how data is collected, retained, analyzed and acted upon. Dynamic research is required. If you start to see sporadic counterfeiting in a new area, for example, it is often the case that these counterfeits originate in another, already “counterfeit-established”, region. Investigation is necessary to test for the link(s). And just investigating the “publicly known” security features may not be enough. Instead, additional features of the product—up to forensic analysis of the printing and/or product ingredients—may need to be analyzed to uncover the counterfeit supply chain. I’ll talk about the collection of salient investigative data in more detail in a later blog.

The second C is for Convict. How do we get a conviction? Well, first of all, you can’t convict anyone if what they’re doing isn’t illegal. So, brand owners who are not working with government (e.g. FDA) and other compliance bodies (e.g. GS1) are encouraging the counterfeiting of their products. If you’re in organized crime and are still resorting to the old ways—gambling, prostitution, weapons, drugs—you’re a fool. Counterfeiting is easier, more rewarding (higher margin!) and less risky. And, brand owners, stay with me here: counterfeiters already know this. So, help stiffen the penalties for counterfeiting, smuggling, product diversion, and other forms of fraud—security is about detection and reaction even more than prevention. Without an onerous reaction, there simply is no deterrence. Even if your deterrents cannot be beaten. With no reaction and unbeatable deterrents, all you do is force the bad guys to resort to old-fashioned insider jobs. Bribery, extortion, blackmail, eavesdropping, collateral theft—they have a lot of options. And they’re creative, so this list is just a sample. To get a conviction, you will need the laws in place.

Additionally, to get a conviction, you need an auditing, compliance and data integrity plan. In many countries, even the counterfeiters are presumed innocent until proven guilty. Make sure your data is credible, auditable, and usable. If it’s not, it’s not data, it’s just wasted storage space.

Finally, E is for Evolve. “They” say people don’t like change. Then, another “they” say that people do like change, and that to be human is to change. “They” are both correct. We like change, when we see it coming. In anti-counterfeiting, we see it coming when we design our security system to be an innate moving target. That is, the system is designed for change, benefits from change, and anticipates the need for change. However, these changes do not cause a system reset, a brand protection blue-screen, a full stop. They simply require the existing system to change its settings. Maybe the counterfeiters have to fully reboot, but that’s OK. Remember the rule, any system that makes the counterfeiters spend more than the brand owner is a deterring system. Any system that doesn’t needs to be changed. I’ll cover this topic more fully in future blogs, including the next.

For now, let’s put PRACTICE into practice. In a healthy anti-fraud ecosystem, all elements of PRACTICE are working together, deployed together and designed to detect counterfeiting as fast as possible. The world’s hardest-to-reproduce deterrents are often compromised precisely because they are the hardest to figure out by someone wanting to validate, too. The difficulty of reproduction is frequently associated with size, features or effects that are also hard to educate people on. An example when the product relies on uneducated consumers to check product validity is the “variable hologram”. Customers are used to looking at holograms for some striking visual effect, but they have no idea the effect should be different from one package to the next—let alone how. The deterrent used, therefore, must match the training given to the would-be validators. And the only way there is an appropriate “impedance match” between the deterrents and how they are successfully used in the ecosystem is if the planning occurs first, the research second, and the activation third. As with all successful security approaches, security printing will only work if it is built from the ground up.

In my next blog, we talk about one enabling technology that helps make PRACTICE possible. It is dynamic data content. And, in printing, dynamic data content is driven by variable data printing, or VDP. See you then!

-Steve

How Do You Address That?

StevenSimske — Tue, 06 May 2008 00:51:00 GMT

We’ve all been there. Meeting that skinny, medium-height, cropped hair, boyish-faced person named “Chris” or “Pat” at a social gathering. Is it a man or a woman? How do you address that person? Thankfully, “Ms.” has entered the English language, but we’re still waiting for the third person equivalent of “it”.

Contrast this with a red-faced, pudgy, bald man with a bad attitude and a bad comb-over. Maybe he’s not as pulchritudinous or as eloquent as our hermaphroditic new acquaintance of the previous paragraph, but he sure is easier to address. We know, instantly, to call him “bud”, or “bro”, or even “dude”, but never “sister” or “girl” or “chica”.

Classes of counterfeits, like classes of people we meet at social events, include “addressable” or “unaddressable” as an attribute. The differences between addressable and unaddressable counterfeits make all the difference in terms of the strategy a brand owner must support for brand protection. In this blog, I hope to show the difference between these two broad types of counterfeiting, and argue why the strategies must differ. Like every complex issue in life, there will be shades of gray; since I argue for a multi-pronged strategy regardless, these shades of gray need not give you the blues.

In this blog, counterfeiting means any product presented as something other than what it really is. This is an important definition, as will be described in the following paragraphs.

Let’s pick two extremes first to define the Platonic “ideals” for addressable and unaddressable counterfeiting. Addressable counterfeiting is exemplified by a counterfeit parenteral (injectable) pharmaceutical needed to save or prolong the life of a cancer patient. The physician, physician’s aide, or nurse thinks, trusts and intends the pharmaceutical to be the right dose with the right strength at the right time with the right biological activity. If it is counterfeit, any of these “rights” can be wrong. The dose could be wrong, in which case ancillary effects such as pharmacokinetics can be altered. The dose could be the wrong strength, in which case patient non-response—underdose—or overdose—which can include mild responses up to anaphylaxis, shock, convulsions, and/or death—occurs. The active ingredients can be past expiry, which usually corresponds to underdose but is often also associated with contamination and concomitant sepsis or worse. Finally, the dose could have the wrong biological activity—often unintentionally—through the use of improper expedient. Any of these leads to complications for the patient—and since the patient is already weakened, well, this is usually quite serious.

On the other end of the spectrum, we have the Rolex with three “X”’s—the kind of watch sold to Olive the Other Reindeer by her friend Martini the Penguin. Olive, naïve soul that she is, expects the watch to work, but most of us would not. We’re willingly purchasing a Rolex for single or double digit dollars for the kitsch or bemusement or relief from ennui. We know, in other words, it’s a counterfeit. And this is unaddressable counterfeiting—even if faux-Rolex sellers do get jailed from time to time. Why? Because it is not substituting for the sale of a real Rolex—a guy buying a $9 Rolex isn’t likely to cough up $5000 for a real one, and —or if he is, he won’t be put off buying the $5000 real one through the disposal of $9.

Many other forms of counterfeiting are clearly addressable. Fake pharmaceutical tablets, fake automobile and airplane parts, and other fake items in which the person’s safety is at risk because of the necessary (for counterfeiter profit reasons) shortcuts the counterfeiters have taken. Given this perspective, it is clear that counterfeit consumables are addressable: food, mouthwash, toothpaste, nutraceuticals, hygiene items, and in the case of infants, the surface coatings of toys and bedding. Anything for which the loss of quality control increases the risk to the end user unbeknownst to the end user, is addressable counterfeiting.

On the other side, unaddressable counterfeiting includes any product that the purchaser understands is not the real thing, and in most cases certainly not “even better than the real thing”. A refilled ink cartridge selling for 50% the cost of an authentic ink cartridge is one example. If the price is too good to be true, you can bet the product is too bad to be true. In today’s world of cutthroat pricing—where differences of 1-2% are discovered, recognized, and acted upon by buyers both economical and extravagant—cost differences of 20% or higher are hallmarks of counterfeited products.

The approaches we take to counterfeiting depend on the relative mix of addressable and unaddressable counterfeiting occurring in our supply chains. If the counterfeiting is unaddressable, the brand must continue to message the unique qualities offered by their product. Sophisticated target customers may own both a “Rolex” and a “Rolexxx”. If the counterfeiting is addressable, however, then the brand owner must use a multifaceted ecosystem of tactics to prevent, detect and respond to counterfeiting. This includes education of the right people in the supply chain, from manufacturer to consumer. It includes authentication of the individual product, if needed. It includes the investigation plan—how data is collected, retained, analyzed and acted upon. And finally, it includes how that data is used as evidence to take action against the appropriate set of counterfeiters.

The next blog will address these important anti-counterfeiting tactics: education, authentication, investigation and prosecution. For now, thanks for reading.

-Steve