Today (May 31st) is World No Tobacco Day. The theme for this year is “Stop Illicit Tobacco Trade”
Sun, 2015-05-31 07:45 — editor
By Manjari Peiris
The illicit trade in tobacco products is a threat
both to government finances and to public health.
Illicit tobacco trade:
a) Deprives governments of much-needed revenues;
b) Undermines efforts to reduce tobacco consumption,
particularly through the imposition of high levels of tobacco taxation.
Although by definition the global illicit trade in
tobacco products is hard to measure with accuracy, it is known to be very
substantial. A 2009 study estimated that 11.6 percent of the global cigarette
market was illicit. This is equivalent to 657 billion cigarettes a year, and
means a loss of tax revenues of about US$40.5 billion.
What is Codentify?
Codentify is a coding system that the tobacco
industry wants governments to adopt as a solution to their obligations to fight
the illicit tobacco trade, under the WHO Protocol to Eliminate Illicit Trade in
Tobacco Products (commonly known as the Illicit Trade Protocol, or ITP) and in
the European Union under the revised EU Tobacco Products Directive.
Both the Protocol and Directive require a “tracking
and tracing” system for tobacco products, which should help law enforcement agencies
identify illicit products in their countries.
Codentify is a system based on alphanumeric codes,
which are visibly printed on tobacco packaging. Each Codentify code is a
unique, unpredictable set of 12 letters or numbers. According to the tobacco
industry, “Codentify avoids the requirement to store the codes by encrypting
the information contained within them prior to printing through a patented
combination of multiple keys and digital signatures”. The system is based on
machine-generated codes created at factory level and printed on packaging.
Factory level “secret keys” are stored on company (or third party) computer
servers. Each key allows the production of a specified number of Codentify
codes.
The codes may contain the following information:
• Date and time of manufacture
• Machine of manufacture
• Brand and brand variant
• Pack type, size, destination market and price.
Anyone who does not have access to secret keys to
encrypt the information cannot generate original valid codes. Codes could be
checked for validity through call centers, applications on mobile devices and
through other means.
The tobacco industry has at least one global database. If a law enforcement officer enters a code through the DCTA portal, it can be checked for validity, and the decrypted code can be referred to the global database of the relevant firm to provide tracking and tracing information.
Possible Security Problems
The Codentify system uses relatively unsecured
commercially available equipment on sites where operators may have a vested
interest in misusing it. The system does not appear to prevent valid codes from
being used twice. Therefore, counterfeiters and other illicit manufacturers
could simply copy codes (sometimes called “code cloning”). Since Codentify
codes are visible, it could be easy to collect a large number of such codes. If
the same code is scanned twice on different packs it appears to be impossible
to tell which is illicit.
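
The cloning weakness described above, as an added example (not from the original article, and not Codentify's algorithm, which has not been published for assessment): a toy 12-character code carrying a keyed tag, where the alphabet, the key and the `ScanRegistry` class are assumptions. A stateless validity check accepts a copied code; a registry of scans can flag the repeat but cannot say which pack is genuine.

```python
import hashlib
import hmac

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # 32 symbols (constructed)
FACTORY_KEY = b"constructed-demo-key"  # stand-in for a factory "secret key"


def _b32(n: int, width: int) -> str:
    """Encode n as a fixed-width string over ALPHABET."""
    out = ""
    for _ in range(width):
        n, r = divmod(n, 32)
        out = ALPHABET[r] + out
    return out


def _tag(body: str, key: bytes) -> str:
    """6-character keyed tag over the code body (toy construction)."""
    digest = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return "".join(ALPHABET[b % 32] for b in digest[:6])


def make_code(serial: int, key: bytes = FACTORY_KEY) -> str:
    """12-character code: 6-char serial plus 6-char keyed tag."""
    body = _b32(serial, 6)
    return body + _tag(body, key)


def is_valid(code: str, key: bytes = FACTORY_KEY) -> bool:
    """Stateless check: only proves the code came from a key holder."""
    return len(code) == 12 and hmac.compare_digest(code[6:], _tag(code[:6], key))


class ScanRegistry:
    """Stateful check: remembers where each valid code has been seen."""

    def __init__(self):
        self.sightings = {}

    def check(self, code: str, location: str) -> str:
        if not is_valid(code):
            return "invalid"
        seen = self.sightings.setdefault(code, [])
        seen.append(location)
        # A repeat shows the code was copied, not which pack is genuine.
        return "valid" if len(seen) == 1 else "duplicate"
```
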
Codentify also seems vulnerable to “code
recycling”: printing valid codes on illicit products, for example by using
codes originally printed on tobacco products that have been rejected and
destroyed (which isn’t unusual during the production process). Particularly if
these codes are placed on tobacco products sold in the same market as the
legitimate products whose codes have been copied, it may be impossible for
enforcement authorities to identify them as illicit.
The system of secret keys may be usable to generate
apparently genuine tobacco products in factories “after hours”. For example,
factories could use unused codes from a production run to produce additional
products that are intended for illicit trade but may appear valid if the code
is traced.
There may also be a weakness around “code
migration”, where codes printed in one country can be reprinted in another,
creating apparently legal products that enforcement agencies could not
effectively trace.
Codes produced using inkjet printers may be easily
erased or altered, and would therefore not be “securely affixed”, as required
by the Protocol and Directive. Although the industry has marketed Codentify as
a tax verification system, this does not appear to be the case for the reasons
given above. This is why many countries where it is used also have a tax stamp
system, for example in the European Union.
Other Issues
When enforcement agencies use Codentify codes in
their investigations, the enquiries could be transparent to the industry,
allowing it to manipulate replies and hide key data. The tobacco industry’s
secretive behaviour means that there has been no full independent assessment of
the security of the Codentify system. Without such an assessment, governments
could be opting for a “black box” system, with features and possible weaknesses
that only the tobacco industry is aware of.
Some information required under the Protocol and
Directive will not be known at the time of production, when Codentify codes
would be printed. This includes shipment routes from manufacturing to first
retailer, the identity of all purchasers from manufacturing to first retail
outlet, and the invoices, order numbers and payments of all purchasers from
manufacturing to first retailers. It is not clear how this information will be
associated with Codentify codes.
It is unacceptable that any government or international
agency should adopt the Codentify system without having set proper standards
for its tracking and tracing regime, and having assessed properly whether
Codentify meets them. This is particularly dangerous in countries with very
limited enforcement resources.
The following questions must therefore be asked and
answered before any government considers Codentify as a solution to its
obligations under the Illicit Trade Protocol and the EU Tobacco Products Directive.
a. Can Codentify codes be copied or diverted for
use on tobacco products that are not tax paid, in order for them to appear as
not illicit when examined by enforcement officers?
b. Does Codentify provide an adequate guarantee
that tobacco products are being sold in their stated target market and are tax
paid?
If it does, why do many European countries using
Codentify also require tax stamps on tobacco products?
c. Would the use of Codentify by enforcement
agencies, and access to any related database, be transparent to the tobacco
industry, making available information about investigations that should be kept
confidential?
d. Are Codentify and the accompanying handling and
storage of data by the tobacco industry compliant with Article 8.8 of the
Protocol, which requires the establishment of an independent “global focal
point” through which governments and enforcement agencies can access the
information required under Article 5?
e. Will the industry undertake to make available to
governments, the European Commission or their designated agents, information
about the source code and algorithms behind Codentify, so that it can be
independently assessed?
f. Do individual Codentify codes include a product
description, as required under Article 8.4.1(g) of the Protocol and Article
15.2(e) of the Directive?
g. Does the information encoded under Codentify
include all the information required in Article 15 of the Directive, including
“the actual shipment route from manufacturing to the first retail outlet … the
identity of all purchasers from manufacturing to the first retail outlet” … and
“the invoice, order number and payment records of all purchasers from
manufacturing to the first retail outlet”?
It should be noted that some of this information
might not be known at the time of manufacture. There are many competing
tracking and tracing systems provided by companies unrelated to the tobacco
industry that could be used on tobacco packaging, for example 2D bar codes.
These should certainly be preferred if there are
no satisfactory answers to the key questions about Codentify.
(Courtesy: Framework Convention Alliance (FCA))
- Asian Tribune -