The Identity of Things: Products and Provenance

blue and yellow phone modules

If we think about the idea of digital identity in the internet of things then luxury goods such as watches make for an interesting example. How would you tell a fake Rolex from a real one in an always-on, interconnected world? You might say just put a hologram in it, or a chip that can’t be forged or something. And these might be good starting points but it’s a much more complicated problem than it seems at first.

Let’s think about secure microchips. Suppose contactless technology is used to implement some kinds of ID for the Internet of Things (IDIoT) for luxury goods. If I see a Gucci handbag on sale in a shop, I will be able to wave my mobile phone over it and read the IDIoT. My mobile phone can decode the IDIoT and then tell me that the handbag is Gucci product 999, serial number 888. This information is, by itself, of little use to me. I could go onto the Gucci-lovers website and find out that product 999 is a particular kind of handbag, but nothing more: I may know that the chip in the handbag label is ‘valid’, but that doesn’t tell much about the bag. For all I know, a bunch of tags might have been taken off of real products and attached to fake products.

To know if something is real or not, I need more data. If I wanted to know if the handbag were real or fake, then I would need know about the provenance as well as the product. The provenance might be distributed quite widely between different organisations with different drivers (this is why many people are keen on the using the blockchain as a means to co-ordinate and obtain consensus in such an environment). The retailer’s system would know from which distributor the bag came; the distributor’s system would know from which factory the bag came and Gucci’s system would know who stitched and where the components came from, a supplier system would know that the material came from sustainable hippos or whatever else it is they make handbags from. I would need access to these data to get the data I would need to decide whether the bag is real or fake. (Of course, I might want access to other data to give me more information to support my purchases decisions too. Such as ethical data for example: Who guarantees that my new jeans were not made by children and so on?)

This is a critical point. The key to all of this is not the product itself but the provenance. A secure system of provenance (for example) is the core of a system to tell real from fake at scale.

Provenance

Who should control the provenance of a product, and who should have access to the all or part of that provenance, is rather complicated. Even if I could read some identifier from the product, why would the retailer, the distributor or Gucci tell me anything about the provenance? How would they know whether I am a retailer, one of their best customers, one of their own ‘brand police’, a counterfeiter (who would love to know which tags are in which shops and so on) or a law enforcement officer with a warrant?

This is where the need for a digital identity comes into the picture. A Gucci brand policeman might wave their phone over a bag and fire off a query: the query would have a digital signature attached (from secure hardware in the mobile phone, as in iPhones, for example) and the provenance system could check that signature before processing the query. It could then send a digitally signed and encrypted query to the distributor’s system which would then send back a digitally signed and encrypted response to be passed back to the brand policeman: ‘No we’ve never heard of this bag’ or ‘We shipped this bag to retailer X on this date’ or ‘We’ve just been queried on this bag in Australia’ or something similar.

(And, of course, each time an IDIoT is created, interrogated, amended or removed from the system, the vent will be recorded on a shared ledger to guarantee the integrity.)

The central security issue for brand protection is therefore the protection of (and access to) the provenance data. Who exactly is allowed to scan my pants and under what circumstances? If I give my designer shirt to a charity shop, what information should they learn about the idea? An approach to this issues that uses the right combination of tools (ie, using secure chips to link the provenance on a shared ledger to the physical objects) will deliver a powerful new platform for a wide variety of potential services.

What might these services be? I don’t know, because I’m only a consultant and can’t afford luxury goods but perhaps if such a system adds £20 to the price of a Rolex to implement this infrastructure, so what? The kind of people who pay £5,000 for a Rolex wouldn’t hesitate to pay £5,020 for a Rolex that can prove that it is real.

In fact, such a provenance premium might be rather popular with people who like brands. Imagine the horror of being the host of a dinner party when one of the guests glances at their phone and says “you know those jeans aren’t real Calvin Klein, don’t you?”. Wouldn’t you pay an extra £5 for the satisfaction of knowing that your snooping guest’s app is steadfastly attesting to all concerned that your jeans, watch and sunglasses are all real? Of course you would.

This international identity day, remember that identity is not just for people. It is for droogs and droids, pants and pets. The digital identity infrastructure that we need for the future is for everything. Everything.

The internet of blockchains, or something

I’ve said a few times that I think the Internet of Things is where mobile was a couple of decades back. Some of us had mobile phones, and we loved them, but we really didn’t see what they were going to turn in to. I mean, I was always bullish about mobile payments, but even so… the iPhone 6s that’s next to me right now playing “Get Out Of Denver” by Eddie & the Hot Rods out through a Bluetooth speaker is far beyond anything that I might have imagined when dreaming of texting a Coke machine to get a drink. We’re in the same position now: some of us have rudimentary Internet of Things bits and bobs, but the Internet of Things itself will be utterly beyond current comprehension.

Specialized elements of hardware and software, connected by wires, radio waves and infrared, will be so ubiquitous that no one will notice their presence

From The Computer for the 21st Century – Scientific American

That was Mark Weiser’s prediction of the Internet of Things from 1991. It seems pretty accurate, and a pretty good description of where we are headed, with computers and communications vanishing from view, embedded in the warp and weft of everyday life. What I’m not sure Mark would have spent much time thinking about is what a total mess it is. Whether it’s wireless kettles or children’s toys, it’s all being hacked. This is a point that was made by Ken Munro during his epic presentation of smart TVs that spy on you, doorbells that give access to your home network and connected vibrators with the default password of “0000”  at Consult Hyperion’s 19th annual Tomorrow’s Transactions Forum back in April. I’d listen to Ken about this sort thing if I were you.

Speaking during a Q&A session for the upcoming CRN Security Summit, Ken Munro, founder of Pen Test Partners, claimed that security standards are being forgotten in the stampede to get IoT devices to market.

From Security standards being forgotten in IoT stampede, says expert | CRN

We’ve gone mad connecting stuff up, just because we can, and we don’t seem concerned about the nightmare in the making. I gave a talk about this at Cards & Payments Australia. The point of my talk was that I’m not sure how financial services can begin to exploit the new technology properly until something gets done about security. There’s no security infrastructure there for us to build on, and until there is I can’t see how financial services organisations can do real business in this new space: allowing my car to buy its own fuel seems a long way away when hackers can p0wn cars through the interweb tubes. I finished my talk with some optimism about new solutions by touching on the world of shared ledgers. I’m not the only one who thinks that there may be a connection between these two categories of new, unexplored and yet to be fully understood technology.

Although I’m a little skeptical of the oft-cited connection between blockchains and the Internet of Things, I think this might be where a strong such synergy lies.

From Four genuine blockchain use cases | MultiChain

The reason for the suspicion that there may be a relationship here is that one of the characteristics of shared ledger technology is that in an interesting way it makes the virtual world more like the mundane world. In the mundane world, there is only one of something. There’s only one of the laptops but I’m writing this post on and there’s only one of the chairs that I’m sitting on and there is only one of the hotel rooms that I’m sitting in. In the mundane world you can’t clone things. But in the virtual world, you can. If you have a virtual object, it’s just some data and you can make as many copies of it as you want. A shared ledger technology, however, can emulate the mundane in the sense that if there is a ledger entry recording that I have some data, then if I transfer the data to you, it’s now yours and no longer mine. The obvious example of this in practice is of course bitcoin where this issue of replication is the “double spending problem” well known to electronic money mavens.

The idea of applying the blockchain technology to the IoT domain has been around for a while. In fact, blockchain seems to be a suitable solution in at least three aspects of the IoT: Big Data management, security and transparency, as well as facilitation of micro-transactions based on the exchange of services between interconnected smart devices.  

From IoT and blockchain: a match made in heaven? | Coinfox

 The idea of shared ledgers as a mechanism to manage the data associated with the thingternet, provide a security infrastructure for the the thingternet and to provide “translucent” access for auditing, regulation, control and inspection of the thingternet strikes me as an idea worth exploring. That’s not to say that I know which shared ledger technology might be best for this job, nor that I have any brilliant insight into the attendant business models. It’s just to say that shared ledgers might prove to be a solution a class of problems a long way away from uncensorable value transfer.


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.