The principle: no one knows everything


How transparent does scanning product codes make you when buying goods? How secure is all of this? You scan a product and then land on a landing page? Consumers find it difficult to distinguish genuine digitalisations from false ones at first glance. But what can be done about it? Dr Marietta Ulrich-Horn provides information about these developments.

In the world of packaging, the Internet of Things (IoT) means that every product is serialised with a unique code that gives it a unique identity: a unique QR code instead of a unique chip, so to speak. This is a mega-trend for proof of authenticity and product traceability, but it can easily lead to misguided developments such as counterfeit systems and duplicate codes, which means that data protection should be thought through strategically. For many years, Dr Marietta Ulrich-Horn, Managing Director of Securikett Ulrich & Horn GmbH in Austria, has been dealing with interoperable systems in connection with IoT, and she provides our trade magazine with insights into different approaches to solutions.

Dr Marietta Ulrich-Horn Managing Director and Owner Securikett Ulrich & Horn GmbH (Image: Securikett)

Why is this issue so close to the heart of you and your company?

We focus on quality and sustainability, also in software development. In our view, producers, trading companies and online shop operators still give too little thought to how far product digitisation and the associated systems have been thought through to the end. Not setting standards from the outset to ensure the security of systems and their users can easily lead to misuse and setbacks. We are of the opinion that IoT does not make everything more complicated; we are absolute advocates, and as a company we also offer this as a matter of course: with a cloud solution for track & trace and product verification and with a platform for "UID issuance", i.e. the secure issuance of unique codes. However, where it makes sense, we advocate decentralising the power over the data and advocate interoperable solutions.

How may we understand this?

It is predictable that counterfeiters can not only recreate a hologram, but also a whole digital system including a landing page. Even a customs officer cannot always tell which landing page he is being directed to and whether it is genuine. A small change or one more letter in the URL, and one is stranded on a replicated landing page, a platform operated by counterfeiters. Consumers also often have no way of knowing where they are being led when they want to check the authenticity of a product or retrieve information about a product. We only want to offer things that are truly reliable and future-proof, and have set ourselves the goal of always being two steps ahead of the counterfeiters in our products. We believe that it would be very harmful if digital parallel worlds were to emerge on a larger scale. This would undermine consumer confidence in product digitisation, which brings many benefits. When multiple systems are connected, a counterfeit system cannot easily enter the landscape.

How could this be prevented?

We rely on the principle of separation of powers, as it is already anchored to some extent in the European tobacco regulation. There, the unique codes for tax stamps are issued by a non-governmental and independent institution in order to ensure that no abuse can occur in the allocation of codes and that more codes than desired do not mistakenly come into circulation or are allocated twice. With our in-house developed UID Issuance Platform, for example, we can ensure this independence from the use of codes where desired.
Each individual tax stamp contains its own QR code. Paper-based tax stamps are used in Europe to seal cigarette packs. (Image: Securikett)

How does this work in practical implementation?

Let me briefly explain an example of the use of the UID-Issuance platform, detached from tobacco regulation: A group that distributes several brands commissions us to issue codes. These codes are issued to the respective local producers for application in the form of barcodes, QR codes, etc. on the product and for further use such as product tracing, for example. This avoids the need for separate code generation with different providers for each brand. For brand owners, it is a clear advantage to have an independent output entity for these codes that is detached from the company, and local suppliers benefit from the after-sales customer communication that IoT makes possible in the first place. Another example of separation of powers is the use of a Trusted Entry Point, a reliable verification app based on a "chain of trust", a publicly registered trust provider, so to speak. You have to imagine it in the same way as it is already known for digital signatures. Only via the Trusted Entry Point does one obtain access or the digital signature, which is placed around the code. It was our pioneering achievement to realise a project together with ATT, a friendly company, to demonstrate this Trusted Entry Point by means of a control band pilot. Only when a code is verified as genuine by a third party can it be assumed that the UID on the product is real and that the product delivers what it promises. In the pilot project, we were also able to show how important the combination of digital identification with physical authentication is: on the "trusted" landing page, it is explained exactly what to look out for so that the QR code alone cannot be reprinted. Non-copyable security elements are suitable for physical authentication, but detailed explanations would exceed the scope here.

Can you give us another example of interoperability that works?

In the field of rapidly developing traceability systems, unfortunately, people too often do not think far enough. Suppliers think in "silos". This makes it impossible for a third party to take on a monitoring role as an independent party. The separation of powers plays an overriding role for us, for example in deposit systems. It should always be guaranteed that the trademark owner does not have to store private data. This can be achieved by bringing a third party on board, as we were able to show in the field trial with Saubermacher and ARA. Here, it was a matter of consumers disposing of empty bottles and cans not in the shop but directly at the recycling centre or recycling bins provided and the return deposit was credited directly on an app. The codes could only be read once. Our job was to print the labels and verify that the code was genuine. A third party operated an app that provided the bonus. Here, it was important to us that not everyone sees all the data for the deposit. We as a company didn't know how many codes each beverage company that participated in the project received. The data for the return of the deposit, i.e. the data on account details in order to credit the deposit, was stored with the third participant, the app operator. In this way, interoperability ensured that data could not be misused under any circumstances.
Digital contribution to the "digi-Cycle" recycling project: return deposit directly via app - three "partners" share "access rights". (Image: Securikett)

What is the aim of these solutions?

We want to achieve that private and public systems can work reliably with each other. Otherwise, a landscape of small code systems will develop and no one will know whether these systems are genuine. Government applications alone usually only cover the bare essentials. Therefore, for us, interoperability of systems, public and private, is a good solution.

In your view, what is special about these developments, what sets them apart from others?

We always think one step ahead with all our solutions, and our first priority is consumer safety. In the company itself, we offer a UID issuance platform, have been working continuously on the Codikett traceability platform for over ten years, print tamper-proof labels and understand how to apply IoT to the product. We consider a strict separation of systems, according to need, to be sensible. And if a customer wants a code issue from us, but the code system operators are third-party providers, then the principle of separation of powers is applied. For us, consumer safety has been in the foreground since the company was founded and we do not want to give counterfeiters a playground to undermine meaningful innovations.
Electronic verification by third-party providers: It is important to combine digital identification with physical authentication. Both tax stamps refer to the app Otentik for code verification. (Image: Advanced Track & Trace)

How important do you consider this development to be as a trend for the packaging industry as a whole?

The number of fake products has risen massively in recent years, not least due to internet trade and parcel shipping, which largely evades customs controls. The worldwide, not only economic, but also health damage caused by counterfeit products cannot be overlooked. Any kind of increased safety for consumers should also be a major concern for the packaging industry. After all, we are all involved in the cycle and are consumers ourselves. We also believe that a brand owner who relies on IoT must also really guarantee that what the customer is buying is genuine. If his security concept is not watertight, then he will have a liability problem. Modern brands should make a very convincing commitment to the security of their brands and visibly convey this, because a disappointed consumer would not be a good figurehead.
