If we think about the idea of digital identity in the Internet of Things (IoT), then luxury goods such as watches make for an interesting example. How would you tell a fake Rolex from a real one in an always-on, interconnected world? You might say just put a hologram in it, or a chip that can’t be forged or something. And these might be good starting points. But it’s a much more complicated problem than it seems at first.
Let’s think about secure microchips. Suppose contactless technology is used to implement some kinds of ID for the Internet of Things (IDIoT) for luxury goods. If I see a Gucci handbag on sale in a shop, I will be able to wave my mobile phone over it and read the IDIoT. My mobile phone can decode the IDIoT and then tell me that the handbag is Gucci product 999, serial number 888.
This information is, by itself, of little use to me. I could go onto the Gucci-lovers website and find out that product 999 is a particular kind of handbag, but nothing more. I may know that the chip in the handbag label is ‘valid’, but that doesn’t tell much about the bag. For all I know, a bunch of tags might have been taken off of real products and attached to fake products.
To know if something is real or not, I need more data. If I want to know if the handbag is real or fake, then I need know about the provenance as well as the product.
Prevalence of provenance data
The provenance might be distributed quite widely between different organisations with different drivers (this is why many people are keen on the using the blockchain as a means to co-ordinate and obtain consensus in such an environment). The retailer’s system would know from which distributor the bag came. The distributor’s system would know from which factory the bag came. Gucci’s system would know who stitched it together and where the components came from. A supplier system would know that the material came from sustainable hippos or whatever else it is they make handbags from.
I would need access to these data to get the data I would need to decide whether the bag is real or fake. (Of course, I might want access to other data to give me more information to support my purchases decisions too. For example, ethical data: Who guarantees that my new jeans were not made by children, etc?)
This is a critical point. The key to all of this is not the product itself but the provenance. A secure system of provenance (for example) is the core of a system to tell real from fake at scale.
Who should control the provenance of a product, and who should have access to all or part of that provenance, is rather complicated. Even if I could read some identifier from the product, why would the retailer, the distributor or Gucci tell me anything about the provenance? How would they know whether I am a retailer, one of their best customers, one of their own ‘brand police’, a counterfeiter (who would love to know which tags are in which shops) or a law enforcement officer with a warrant?
What all this has to do with digital identity
This is where the need for a digital identity comes into the picture.
A Gucci brand policeman might wave their phone over a bag and fire off a query. The query would have a digital signature attached (from secure hardware in the mobile phone, as in iPhones, for example); the provenance system could check that signature before processing the query. It could then send a digitally signed and encrypted query to the distributor’s system, which would then send back a digitally signed and encrypted response to be passed on to the brand policeman: “No we’ve never heard of this bag” or “We shipped this bag to retailer X on this date” or “We’ve just been queried on this bag in Australia” or something similar.
(And, of course, each time an IDIoT is created, interrogated, amended or removed from the system, the event will be recorded on a shared ledger to guarantee integrity.)
The central security issue for brand protection is therefore the protection of (and access to) the provenance data. Who exactly is allowed to scan my pants and under what circumstances? If I give my designer shirt to a charity shop, what information should they learn about it?
A wide variety of potential services
An approach to these issues that uses the right combination of tools (i.e. using secure chips to link the provenance on a shared ledger to the physical objects) will deliver a powerful new platform for a wide variety of potential services.
What might these services be? I don’t know, because I’m only a consultant and can’t afford luxury goods. But perhaps if such a system adds £20 to the price of a Rolex to implement this infrastructure, so what? The kind of people who pay £5,000 for a Rolex wouldn’t hesitate to pay £5,020 for a Rolex that can prove it is genuine.
In fact, such a provenance premium might be rather popular with people who like brands. Imagine the horror of being the host of a dinner party when one of the guests glances at their phone and says, “You know those jeans aren’t real Calvin Klein, don’t you?” Wouldn’t you pay an extra £5 for the satisfaction of knowing that your snooping guest’s app is steadfastly attesting to all concerned that your jeans, watch and sunglasses are all real? Of course you would.
As the discussion continues about digital identity, remember that identity is not just for people. It is for droogs and droids, pants and pets. The digital identity infrastructure that we need for the future is for everything. Everything.