
The internet of things needs some thinking through


[Dave Birch] There was a story in the British newspapers recently about an Italian criminal family (literally, a father and son) who were arrested for selling fake Romanée-Conti wine (a Burgundy that is one of the most expensive in the world at £14,000 a bottle). The police say that the fake labels applied to the bottles of plonk were “near perfect”. Aha. My eyes pricked up at this. A genuine problem, for which there may be a technological solution that some of our clients could benefit from supplying.

The NFC tags are located behind the label on the winery's Vintage 2010 range, with bottles selling at €2,000 to €2,500 each.

[From French winery picks NFC tags for authentication • NFC World]

Setting aside the interesting technical question of whether these tags are actually NFC or not, I have to report that this is not a new use case for contactless. I wrote up the use of RFID in the drinks business in Korea three years ago when we were looking at some identity-related business cases for one of our telecoms clients.

When the whiskey is bottled, the caps have an RFID tag added to them. This is coded with a URL and an identifier. When a customer, or a shopkeeper, or a policeman, or in fact anyone else wants to check whether the whiskey is real or not, they touch the cap with their phone and the URL launches a web site that knows the provenance of the identifier and can tell you when and where it was bottled as well as some other information. When the customer opens the bottle, the tag is broken and can no longer be read.

[From Digital Identity: There's whiskey in the jar-o]

I happened to find myself sitting next to Erik Harvey from iProof, one of the leading companies in this field, at the WIMA NFC event in San Francisco this week, and he made the very sound point to me that to work for all the stakeholders, systems such as these must involve the consumers. If consumers don’t tap on or scan the labels then there’s no data flowing around the system. We need consumers to be an active part of the anti-counterfeiting activity or it won’t work: they have to want to take part. I think, with the appropriate messaging, that they would. After all, who wants to be embarrassed serving a fake wine at dinner and, aside from that, who doesn’t want to learn more about a wine that they try and like? I’ve often seen people use their mobile phones to take a picture of the label on a bottle at a restaurant, presumably because they find the wine delicious and may want to order it again in the future.

This problem of epicurean counterfeiting is not confined to the exclusive French vineyards. It’s a problem the world over, although it takes different forms in different cultures.

The bird's nests can be sealed in a box with an RFID tag that contains a microchip embedded with details about the harvest. A handheld scanner emits a radio frequency to unlock that information.

[From BBC News – RFID technology thwarts bird's nest counterfeiters]

Now, as I have pointed out more than once in this context, the tag by itself isn't very useful (especially since absolutely no-one bothers implementing the security layer of NFC). The people who steal authentic labels from designer goods factories will steal authentic RFID tags as well. What is critical is the ability to determine provenance and this means mutual authentication as well as a managed infrastructure.

Without an infrastructure that includes end-to-end digital signatures there's no way round this. The phone needs to know the chip is authentic. The database needs to know who is asking, and the consumer needs to know who is answering.

[From Digital Identity: There's whiskey in the jar-o]
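To make the first of those requirements concrete (the phone needs to know the chip is authentic), here is an added example, not part of the original post, comparing an ID-only lookup with a challenge-response check. It assumes a shared per-tag key and HMAC-SHA256 standing in for the digital signatures the post calls for; `REGISTRY`, `KeyedTag`, `ReplayTag` and the tag ID are hypothetical, constructed names.

```python
import hashlib
import hmac
import secrets

# Constructed registry: the tag ID, key and provenance text are made-up sample values.
REGISTRY = {
    "TAG-0001": {"key": secrets.token_bytes(32), "provenance": "sample bottling record"},
}


def mac(key: bytes, tag_id: str, challenge: bytes) -> bytes:
    """Response the chip computes over its ID and the verifier's fresh challenge."""
    return hmac.new(key, tag_id.encode() + challenge, hashlib.sha256).digest()


class KeyedTag:
    """Hypothetical tag whose secret key never leaves the chip."""

    def __init__(self, tag_id: str, key: bytes):
        self.tag_id = tag_id
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return mac(self._key, self.tag_id, challenge)


class ReplayTag:
    """Copy that knows the ID and one recorded response, but not the key."""

    def __init__(self, tag_id: str, recorded: bytes):
        self.tag_id = tag_id
        self._recorded = recorded

    def respond(self, challenge: bytes) -> bytes:
        return self._recorded


def verify_static(tag_id: str) -> bool:
    """ID-only check: passes for any tag that presents a registered identifier."""
    return tag_id in REGISTRY


def verify_keyed(tag) -> bool:
    """Challenge-response check: a fresh nonce must be answered with the right key."""
    record = REGISTRY.get(tag.tag_id)
    if record is None:
        return False
    challenge = secrets.token_bytes(16)
    expected = mac(record["key"], tag.tag_id, challenge)
    return hmac.compare_digest(expected, tag.respond(challenge))
```

A genuine tag stolen from the factory still passes `verify_keyed`, which is why the post pairs authentication with a managed infrastructure that tracks where each identifier should be.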

The security of stuff in the internet of things (IoT) is a really, really interesting subject. It has implications that go way beyond protecting connoisseurs from embarrassment.

Rob Wainwright, director of the EU’s crime-fighting agency, said Europe’s black market in counterfeit foodstuffs, pharmaceuticals and machine parts doubled to a value of about €2bn in the early years of the recession.

[From Crime gangs look to clean up as Europe’s black market balloons – FT.com]

The odd couple of billion here or there doesn’t seem like a big deal to me, especially when the same article notes that VAT fraud is at least fifty times bigger, but taking counterfeit medicine or flying in a plane with a counterfeit part does seem like a big deal to me and I’d rather it didn’t happen. I hate to say it, but perhaps some form of European co-operation might be needed…

One more thing. I don’t see that the security and privacy issues that come along with the IoT have been thought through at all. I tried to make this point a few years ago, using my pants as the target object, when I was looking at the use of RFID in high-value consumer goods. We need to develop an additional layer that delivers both enhanced security and enhanced privacy. It’s one thing for dinner guests to scan my wine bottle to see that it is a real Romanée-Conti and another for them to scan my Rolex to check that it is indeed a first-class far-eastern knock-off, but it’s quite another for them to be able to scan my underpants and determine that they date from 1983. How do we turn tags on and off? How do we grant and revoke privileges? How do we allow or deny requests for product or provenance? These are difficult questions.

These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers
