Codentify


Codentify is the name of a product serialization system developed and patented back in 2005 by Philip Morris International for tobacco product authenticity,production volume verification and supply chain control. In the production process, each cigarette package is marked with a unique visible code, that allows authenticating the code against a central server.
In November 2010, PMI licensed this technology to is three main competitors, namely British American Tobacco, Imperial Tobacco Group, and Japan Tobacco International, and the four companies together formed the Digital Coding and Tracking Association which works to promote the system in order to replace governmental revenue stamps. Codentify was branded by its inventors as a “track & trace and product authentication technology”.

History

In July 2004, Phillip Morris International and the European Union had settled a 12 year long legal dispute dispute concerning cigarette smuggling allegations. PMI agreed to pay 1.25 Billion USD to the EU budget and its member states. In addition, PMI was legally obligated to mark its products with trackable serial codes. Agreements were subsequently signed with the other three major tobacco companies.
PMI's affiliate company, Philip Morris Products S.A. created and patented the Codentify system in 2005.
In late 2010, PMI licensed Codentify technology to its main competitors BAT, JTI, and ITG free of charge. The four companies, which together account for 71% of global cigarette sales, agreed to use the PMI-developed system on all of their products to ensure “the adoption of a single industry standard, based on Codentify.” The Framework Convention on Tobacco Control immediately voiced concerns that “Codentify should never be used for tracking and tracing purposes as tracking and tracing provisions should be implemented under the strict control and management of governments.”
In 2011, the four companies formed the Digital Coding and Tracking Association to promote international standards and digital technologies to help governments fight smuggling, counterfeiting and tax evasion. The association was officially launched in 2013.
According to the DCTA, around 12% of the global cigarette market is illicit, depriving national governments of more than US$40 billion a year in lost tax revenues and some say this is a serious underestimate. The agreements between the EU and the four major tobacco companies aim to stem the illicit trade of cigarettes, but some academics and the anti-tobacco movement as a wholly inadequate deterrent. The EU has since not renewed this deal after MEPs complained that it was inappropriate for governments and tobacco companies have such a deal.

Inexto

In June 2016 the DCTA announced that it transferred Codentify to Inexto, an affiliate of the French Group Impala. This was criticized by leading industry watchdogs such as the FCTC and academics such as Anna Gilmore, who is the director of the [tobacco control research group at the University of Bath. She said that “Inexto could not be considered sufficiently independent from the tobacco industry". Martyn Day, Scottish National Party Member of Parliament, says while Codentify was sold "the new owner is merely a front company and that the system is still under the effective control of the tobacco firms". Other academics such as Luk Joossens, who is the advocacy officer of the Association of European Cancer Leagues, said the sale was “predictable” and that tobacco companies will now “pretend” that Codentify is no longer part of the tobacco industry. PMI have rebutted that “Inexto is fully independent from the tobacco industry."

Technology

The Codentify system is based on a machine-created, unique, human-readable multi-digit alphanumeric code that is printed directly onto every individual product during the manufacturing process. A double key encryption system, with separate central authority level and factory level encryption keys are stored on a respective server,allows for factory line production of a pre-defined number of Codentify codes that have been authorized by a central server.
The system generated 12 digit variant of the code is described as pseudo-random, offering 3412 possible combinations. Data which is unique and attributed to each discreet item is encrypted into the code such as the date and exact time of manufacture, machine count of the item, specific machine line of manufacture, brand, variant, pack size, pack type, destination market, and price.
Critics of this system have argued that this approach only allows for the verification of the code itself and not of the product the code is printed on; thereby leaving the potential for copying. A European Commission Assessment Report into Tracking and Tracing notes in section 5.1.2 that in addition to the Codentify code being easily copied, it also fails to link the cigarette packets to the master cases.
However, this critique omits to recognize that the system does allow for recognition of copied codes when an illegitimate copy is queried.  The system logic leverages geo-positioning data and will recognize if a code has been previously querried to highlight and notify that the item is suspect. Illegitimate products are invariably developed and replicated in significant numbers from a legitimate example.  Once the system logic recognizes illegitimate code, it is able to notify the system authority that this code has been compromised and is no longer valid. Due to the pseudo-random encrypted design of Codentify, illegitimate parties cannot predict codes and therefore can either default to replication of one legitimate code, which the system will logically identify from duplicate queries and provide notification, or the generation of random illegitimate codes, which the system will immediately recognize. Given the geo-positioning data at the time of query, both illegitimate approaches provide legitimate authorities important data on the suspect illegitimate supply chain.
Furthermore, when the Codentify technology is coupled with aggregated data and supply chain event tracking, the ability of the system to identify a suspect query is thereafter immediate. In essence, supply chain event tracking along the legitimate supply chain generates additional data encompassing that legitimate product’s specific provenance. Provenance that the illicit supply chain cannot replicate.

Criticism

Codentify has been the subject of harsh criticism as a tobacco industry promoted system which is aimed at undermining public health efforts and not capable of curbing the illicit trade of cigarettes. This criticism has come from academics and pro-health groups as well as government agencies, including the WHO.
The WHO FCTC Protocol on the Elimination of the Illicit Trade in Tobacco products states in article 8, section 12 that tobacco tracking and regulation “shall not be performed by or delegated to the tobacco industry”.
Critics of the tobacco industry say Codentify is simply not good enough, “because it focuses too much on production and does not store product codes or track them.”
Heavy criticism has also been launched at the factory-level keys the system uses to provide unique verification codes for the product. Since these secret keys are stored on company and government servers, abuse of privileges on this level would allow criminals to generate additional codes, which would appear to be genuine to the system.
The decentralized nature of the system also allows for a variety of other counterfeiting efforts critics say, such as “code recycling”, using codes of products rejected in quality control, “code cloning”, printing the same code on multiple products, and “code migration”, reprinting codes used in one country elsewhere, allowing the reuse of genuine codes multiple times.
Additionally, Action on Smoking and Health described the system as a black box created by the tobacco industry that uses unsecured equipment that is vulnerable to code recycling.