Connections between DG SANTE, PWC and PMI.


On June 22nd the EU Commission Tobacco working-group’s Subcommittee on Traceability and Security Features convened a meeting in which DG SANTE informed the committee that it has subcontracted consulting work to two firms, which will conduct both a feasibility study and an implementation study of potential track and trace solutions to be implemented across the EU. The question is: are these third-party firms truly independent of tobacco industry influence?

Screenshot from DG SANTE document citing PWC and Everis as consultants on traceability solutions.

The tobacco industry has produced and promoted a system called Codentify, which it has begun implementing across Europe in an attempt to create an unavoidable reality in which its system must be chosen by default. In actuality this system may not even track or trace products, and as the health-conscious community raised concerns about the system’s capabilities, the tobacco industry sold the system off to a so-called “third party” company named Inexto in an attempt to distance the product from itself. This story I proudly broke to the EU Observer some months ago.

The World Health Organization’s (WHO) Framework Convention on Tobacco Control (FCTC) has explicitly stated that Codentify does not meet their standard for a solid track and trace solution for the industry.

The two companies assigned the consulting task by DG SANTE are PWC and Everis. The hiring of these firms came as some surprise to those watching this committee closely, and when the firms’ names were announced it was important to explore whether they have an intrinsic interest in supporting a solution produced by the tobacco industry.

After just an initial search it is clear that PWC has strong ties to the tobacco industry, which puts its objectivity in question. PWC is the primary auditor for Philip Morris International (PMI) and has in the past done auditing work for British American Tobacco (BAT) as well.

Proof from PMI’s website of an existing relationship with PWC.

Although this is just preliminary information I will continue to delve deeper into this issue and publish as more information comes to light.


Initially DG SANTE refused to respond to requests for clarity on these matters, but in recent days it has responded. I will be including their full response in a follow-up article.

The Counterfeiting Problem


I’m going to elaborate on Codentify’s methods of counterfeit avoidance, or the lack thereof.

Supposedly, making life hard for counterfeiters should be one of the tobacco industry’s main goals. However, when this interest conflicts with simplifying the production process and increasing revenues, it seems tobacco companies prefer to cut counterfeiters some slack…

I’ll remind you how Codentify’s product authentication works:

Let’s suppose your cigarettes taste funny and you want to confirm they are an authentic product and not counterfeit. You can submit the 12-digit Codentify code printed on the pack by SMS or by calling the hotline. The system then checks whether your code has been verified before. If it has not, the system derives which factory the pack came from, and that is it! The system can easily produce a false positive: it has no way of confirming that my cigarettes are genuine, only that the code number has never been checked before. It can also produce a false negative. Let’s say someone has already received confirmation that their code is genuine on a counterfeit pack, and I then check the same code on my real pack. The system will respond by telling me that mine is in fact the fraudulent pack, because the code was already submitted by someone else.

This procedure might be sufficient to catch counterfeiters who copy a single code onto a large number of packs: if, for example, there are thousands of packs with the same code, the code would be checked more than once and the product would therefore be marked as suspicious.

However, if a counterfeiter copies, let’s say, a thousand codes only once or twice each, the probability that the same code would be checked twice decreases significantly, and the probability that it would be checked enough times to raise a flag and get someone to investigate it drops nearly to zero.
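The check described above, and the probability argument that follows from it, can be written out as a small model. This is an added example, not Codentify's or the author's code; the class and function names, the 1% consumer check rate and the sample code are all assumptions made for illustration.

```python
class FirstSeenVerifier:
    """Simplified model of the hotline check as the post describes it:
    a code is accepted the first time it is submitted and flagged afterwards."""

    def __init__(self, issued_codes):
        self.issued = set(issued_codes)  # assumption: unknown codes are rejected
        self.seen = set()

    def check(self, code):
        if code not in self.issued:
            return "invalid"
        if code in self.seen:
            return "suspect"      # nothing says WHICH pack is the copy
        self.seen.add(code)
        return "genuine"          # only means "never checked before"


def p_repeat_check(packs_sharing_code, check_rate):
    """Probability that at least two packs carrying the same code are checked,
    when each pack is checked independently with probability check_rate."""
    p_none = (1 - check_rate) ** packs_sharing_code
    p_one = (packs_sharing_code * check_rate
             * (1 - check_rate) ** (packs_sharing_code - 1))
    return 1 - p_none - p_one


def submission_order_demo():
    """The verdict depends only on who submits first, not on the pack."""
    code = "012345678901"  # constructed 12-digit sample value
    verifier = FirstSeenVerifier([code])
    copied_pack_result = verifier.check(code)   # copy is checked first
    genuine_pack_result = verifier.check(code)  # real pack is checked second
    return copied_pack_result, genuine_pack_result


if __name__ == "__main__":
    print(submission_order_demo())
    # One code on 1001 packs vs. one code on 2 packs, assumed 1% check rate
    print(round(p_repeat_check(1001, 0.01), 4))
    print(round(p_repeat_check(2, 0.01), 6))
```

Under the assumed 1% check rate, a code shared by about a thousand packs is almost certain to be submitted twice, while a code shared by only two packs is submitted twice roughly once in ten thousand cases, which is why a repeat-check counter alone is a weak detection signal.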

When you think about it, a thousand packs of cigarettes is not so expensive to buy legally. Moreover, if you’re a shop-owner, or better, a part of tobacco product distribution, copying a couple of thousand different packs from various brands is no big deal.

I have been asking myself why the companies implemented such weak measures to protect their own brands. I mean, if you’ve invested time and money into developing your own cryptography patent, why not secure it a bit more? Examples of solutions off the top of my head:

• Not using a 12-digit number that is printed on the outside of a packet as your security mechanism. That’s just lame.

• If so, at least provide the consumer some basic info when he checks the product, so he would know he holds a pack in London that was intended for Paris and produced more than a year ago.

• Checking the codes throughout the delivery process, and informing the consumer that the code was checked at the key points of the supply chain. Now I’m not saying they should store all their codes in a DB as they are (that would be an obvious security breach), but saving some altered versions of them in order to perform these checks may do the trick.

But then it hit me… what if their purpose was not to secure their brand? When producing billions of packs a month, you don’t really care about small-scale counterfeiters, no matter how dangerous their product might be. All they ever cared about was making the printers go faster, while giving a simple barcode a name that sounds “high-tech-security”, and getting governmental authorities off their back.

I would also like to note that as I mentioned in my first post I had managed to reach out and connect with an insider in the industry. I have since met with him and video recorded our meeting where he explains in depth just how much of a ruse Codentify is. I have a friend currently editing the video and I hope to have it up by the end of next week. I think it is very hard hitting material so stay tuned.