BREAKING: SEC Investigating PMI and Inexto for Corruption in Argentina

Diagram by Argentinian Authorities explaining conspiracy between Inexto and PMI

It has recently come to light that Philip Morris International (PMI) and Inexto are facing a criminal investigation in Argentina. The tobacco conglomerate is under investigation on charges of corruption, collusion, bribery and conspiracy. In an article released by the Spanish-language magazine Tribuna de Periodistas, lawyer Jay Clayton has been cited as leading the investigation.

Clayton, for those who may be unfamiliar, is the head of the Securities and Exchange Commission. The SEC has been investigating PMI for some time on suspicion of illegal trade practices and falsifying records. The company’s records are suspected of being falsified to show losses that have not been incurred in order to “manipulate the company’s control system [using] sophisticated methodologies and defraud its shareholders with fraudulent practices, and may even include money laundering.” The case is of interest to shareholders who purchase stocks of PMI publicly and would risk losing a great deal of money if the company were to be served a lawsuit of the size hinted at.

Clayton received a letter from lawyer Alejandro Sánchez Kalbermatten informing him of the development in the PMI lawsuit. In the letter to Clayton, Kalbermatten wrote, “It is necessary to reveal the macabre and repudiate practices of the dishonest leaders of the PMI company in the Argentine Republic, and possibly in the rest of the world where it interacts by itself or by subsidiaries, affiliates or controlling companies.” The judicial file Kalbermatten refers to is CFP 17766/2016, titled in court as “Costa Marcelo et al. unlawful association”. Costa, the subsidiaries of PMI and Philip Morris Products South America are all named in the suit. Interestingly, PoliticaJudicial.com cites the leadership of Inexto, including Philippe Chatelain, Patrick Chanez and Erwan Fredat, as many of the accused. These three individuals are really the men behind Codentify, who originally developed the system for PMI and moved with the technology to Inexto when it was sold.

PMI is being accused of manipulation of the market under the guise of another independent party, Inexto. Inexto and their Codentify technology are supposedly monitoring the production and supply of tobacco and tobacco products in Argentina. However, if in fact Codentify is being used as cover for Philip Morris International, then the reliability of their reports would be undeniably low.

The repercussions of this investigation cannot be ignored. If PMI and Inexto are implementing practices like this in Argentina, the threat of them transplanting their tactics to Europe is just a matter of time. The Codentify technology would not be trustworthy and would in fact be merely a puppet for PMI. The attack against PMI includes an attack on Argentinian officials who would have accepted bribes in order to allow these practices to continue undetected. “The big tobacco companies devised and planned a strategy to install this pseudo control system,” Kalbermatten claims in his letter to Clayton, “in this particular case the Argentine Republic and the public officials of the AFIP and INTI, even appear to act encouraged by fees paid by the tobacco giant.”

Connections between DG SANTE, PWC and PMI.


On June 22nd the EU Commission Tobacco working group’s Subcommittee on Traceability and Security Features convened a meeting in which DG SANTE informed the committee that they have subcontracted consulting work to two firms to conduct both a feasibility and an implementation study of potential track and trace solutions to be implemented across the EU. The question is: are these third-party firms truly independent of tobacco industry influence?

Screenshot from DG SANTE document citing PWC and Everis as consultants on traceability solutions.

The tobacco industry has produced and promoted a system called Codentify, which they have begun implementing across Europe in an attempt to create an unavoidable reality in which their system must be chosen by default. In actuality this system may not even track or trace products, and as the health-conscious community raised concerns about the system’s capabilities, the tobacco industry sold the system off to a so-called “Third Party” company named Inexto in an attempt to distance the product from themselves. This story I proudly broke to the EU observer some months ago.

The World Health Organization’s (WHO) Framework Convention on Tobacco Control (FCTC) has explicitly stated that Codentify does not meet their standard for a solid track and trace solution for the industry.

The two companies assigned the consulting task by DG SANTE are PWC and Everis. The hiring of such firms came as some surprise to those watching this committee closely, and when the firms’ names were announced it was important to explore whether these firms have an intrinsic interest in supporting a solution produced by the tobacco industry.

After just an initial search it is clear that PWC has strong ties to the tobacco industry which put their objectivity in inherent question. PWC are the primary auditors for Philip Morris International (PMI) and have in the past done auditing work for British American Tobacco (BAT) as well.

Proof from PMI’s website of an existing relationship with PWC.

Although this is just preliminary information I will continue to delve deeper into this issue and publish as more information comes to light.

 

Initially DG SANTE refused to respond to requests for clarity on these matters, but in recent days they have responded. I will be including their full response in a follow-up article.

The Hidden Agendas behind Codentify

Today I would like to tell you a story about the real uses of the Codentify system in the hands of the major tobacco companies to promote their strategic campaigns against public health legislation. One of the most interesting examples I’ve found is the lobbying effort against plain tobacco packaging in the UK.

First things first: for those who don’t know what plain packaging legislation is, it’s a law that forces tobacco companies to sell their products in standardized packaging, with no brand logo or any information other than bold health warnings. This is already mandatory in Australia, and it is being introduced in some countries such as the UK and Ireland, so by the end of 2017 it will be compulsory there as well.

There is an ongoing worldwide debate on whether these laws are helpful, and I don’t want to elaborate on that matter. If you’re interested in more information I would start from the links submitted to the following Wikipedia page: https://en.wikipedia.org/wiki/Plain_tobacco_packaging

What is undebatable is the large effort the tobacco industry invests in undermining these laws. Unlike fighting illicit trade, they find fighting plain packs a SERIOUS BUSINESS. They took it seriously enough to cynically use Codentify as the number 1 excuse claimed by their lobbyists to block these laws:

Meet MP Michael Morris (AKA Lord Naseby). The noble Lord is a consistent supporter of the Codentify system, and in recent debates on the topic of plain packaging, he attacked the plain packs law from an original point of view: the reason he opposes this law is not that it would reduce the tobacco industry’s revenue, but that it would ban Codentify from being printed on the packs and therefore boost illicit trade!

The full protocol can be found in the link below.
http://www.theyworkforyou.com/lords/?id=2015-03-16a.936.4

Oh, one thing Lord Naseby has forgotten to mention: he is on a recent list of parliament members that accepted gifts from the tobacco industry! The Lord himself was invited to an Eagles concert by JTI! He is now lobbying for JTI alongside, for example, MP Ian Paisley Jr., who has penned an open letter including 51 other MPs against plain packs (while JTI owns one of the largest factories in Ballymena, the area he represents). I urge you to read the Telegraph’s article on that topic.
http://www.telegraph.co.uk/news/politics/9361730/MP-opponents-of-plain-packaging-for-cigarettes-accepted-hospitality-from-tobacco-giant.html

I’ll conclude with the answer of Lord Faulkner from the protocol mentioned earlier:
“In his amendment, and in his speech just now, the noble Lord, Lord Naseby, referred to the security system “Codentify”. This is a tobacco industry controlled system which the World Health Organization has concluded does not meet the requirements of the WHO Framework Convention on Tobacco Control anti-smuggling treaty that tracking and tracing systems have to be controlled by Governments, not by the tobacco industry. There is already a marking system on packs in the UK which enables enforcement officers to determine whether cigarettes are counterfeit. The tobacco industry opposes standard packaging for one reason only, and that is because it works.”

Now as I said earlier, I don’t know if plain packaging “works”, I only know what WORKS against it.

Dear John Smith AKA Whatever Your Name is.

Hey everyone, so the tobacco industry has been causing me a lot of problems lately. They have now decided to comment on one of my posts under the name John Smith. The following post is a response to whoever John really is.

Dear John,

First of all, I am glad we are finally in touch and you have decided to try and respond to my research. I must begin by saying it is truly a shame that what you wrote in your comment is not something you are willing to say to the general public using your real name, or whoever you are.

In all of my posts, I didn’t say shipping cases were not tracked by the industry; I’m sure it is selectively tracking some of its merchandise, for commercial reasons… What I continue to say is that when I buy a Codentify certified pack, I cannot be sure that the product is genuine and that all taxes were paid to the right authorities.

Moreover, the additional information you’ve submitted (storage of 50 bundles X 10 pack Codentify codes) is NOT MENTIONED in the OFFICIAL site you’ve mentioned yourself (that basically has only commercial brochures with no technical data). Storage of these codes raises other security issues, and the industry itself was damn proud they’re not storing codes anywhere in their previous presentations…

Don’t get me wrong, I would enjoy receiving actual, formal and official technical information.

Keep in touch.

Oscar.

The Track & Trace Problem

Hey there! I have to admit, when writing my last post, I thought I was finished with describing Codentify’s technological disadvantages… It seemed to me I’d told everything there is to say about how the tobacco industry is promoting a quite lousy digital tax verification (DTV) solution to self-regulate its product. But then I recalled that the tobacco companies don’t only promote it as DTV, but also as Track and Trace (T&T). The absurd thing about that is that Codentify simply isn’t a Track & Trace technology at all. They might as well call it a nuclear reactor; it would not change the fact that Codentify neither tracks nor traces cigarette packs.

I actually double checked myself by reading the Wikipedia article, to make sure it’s not my misunderstanding of what track & trace means, and I’m pretty sure I’m not the one who’s confused:
http://en.wikipedia.org/wiki/Track_and_trace

I quote: “Track and trace or tracking and tracing, concerns a process of determining the current and past locations (and other information) of a unique item or property.”

Well, as a smoker that bought a Codentify branded product, checking the code definitely doesn’t provide me any way to determine how the product got to my hands. Moreover, the customs, or any other governmental authority, or even the tobacco company itself won’t learn anything from checking the code besides the “endpoints” of the supply chain (where it was produced, and for which market it was intended). This is a REALLY obscure way to interpret the track & trace term.

Theoretically speaking, there are two basic approaches to “follow” the product. One of them, which I’ve described as a possible solution to prevent counterfeiting, is to verify the Codentify codes at multiple points throughout the supply chain. So if a product was “diverted” to illicit paths, there would be a record of the last “legitimate” point it checked in at. Another method is to digitally link (in the code generating process) each Codentify code to pallet-box-container codes, so when a consumer checks the code printed on his pack, he would know in retrospect how it arrived at the point of sale.

Within the industry, Codentify’s well-known flaw is that this linkage between the codes printed to the packs and the codes of cigarette pallets/boxes/containers doesn’t exist.

Therefore, checking a Codentify code reveals only the production information, such as the factory’s name and place, time of production, etc… calling it “track & trace” is a double-insult, for both consumers and industries that do use track & trace solutions to ensure their product was delivered in the proper way. Otherwise, we could call any product mentioning its production place, a “tracked and traced” product (and because stating the production place is obligatory in most countries, it means EVERY product can claim it has implemented a track & trace system when it comes to Codentify’s standards).
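
To make the difference concrete, here is a small sketch of the two approaches described above (checkpoint scans plus pack-to-container linkage) next to a production-only lookup. It is an added example, not code from Codentify or from any vendor; every code, site, market and function name in it is invented, and it assumes a pack stays in the same carton, case and pallet for the whole journey.

```python
from dataclasses import dataclass, field

# Constructed sample data: every code, site and market below is invented.
PRODUCTION = {  # all that a production-only code lookup can answer
    "PACK-0001": {"factory": "Plant A", "intended_market": "FR"},
    "PACK-0002": {"factory": "Plant A", "intended_market": "FR"},
}


@dataclass
class TraceLedger:
    parent: dict = field(default_factory=dict)  # child code -> container code
    events: dict = field(default_factory=dict)  # code -> [(day, site, country)]

    def aggregate(self, container, children):
        """Record that each child unit was packed into `container`."""
        for child in children:
            self.parent[child] = container

    def scan(self, code, day, site, country):
        """Record a checkpoint scan of a pack, carton, case or pallet."""
        self.events.setdefault(code, []).append((day, site, country))

    def history(self, pack_code):
        """Merge scans of the pack and of every container above it."""
        rows, code, seen = [], pack_code, set()
        while code is not None and code not in seen:  # guard against loops
            seen.add(code)
            rows += [(d, s, c, code) for d, s, c in self.events.get(code, [])]
            code = self.parent.get(code)
        return sorted(rows)  # chronological, because day is the first field


def diversion_report(ledger, pack_code, found_in):
    """What an inspector learns when a pack turns up in market `found_in`."""
    info = PRODUCTION.get(pack_code)
    if info is None:
        return {"status": "unknown code"}
    hist = ledger.history(pack_code)
    return {
        "intended_market": info["intended_market"],
        "found_in": found_in,
        "diverted": found_in != info["intended_market"],
        "last_checkpoint": hist[-1] if hist else None,
        "path": [site for _, site, _, _ in hist],
    }


def build_demo():
    """Constructed shipment: two packs -> carton -> case -> pallet."""
    ledger = TraceLedger()
    ledger.aggregate("CARTON-01", ["PACK-0001", "PACK-0002"])
    ledger.aggregate("CASE-01", ["CARTON-01"])
    ledger.aggregate("PALLET-01", ["CASE-01"])
    ledger.scan("PACK-0001", 1, "Plant A line 3", "CH")
    ledger.scan("PACK-0002", 1, "Plant A line 3", "CH")
    ledger.scan("CASE-01", 2, "Plant A warehouse", "CH")
    ledger.scan("PALLET-01", 4, "Border crossing", "FR")
    ledger.scan("PALLET-01", 6, "Distributor depot", "FR")
    return ledger


if __name__ == "__main__":
    print("production-only:", PRODUCTION["PACK-0001"])
    print("track & trace:  ", diversion_report(build_demo(), "PACK-0001", "GB"))
```

The production-only lookup can say the pack was meant for one market; only the linked ledger can say where it was last seen on its legitimate route.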

In conclusion, when it comes to Digital Tax Verification, even if Codentify’s solution is intentionally weaker than what it is supposed to be, the tobacco companies can at least pretend to try solving the problem. But when it comes to Track & Trace, they simply use technical terminology that has nothing to do with their solution, making up a name for a feature that doesn’t exist. At all. I would find it quite funny if the joke was not on us.

The Production Fraud Problem

Now that the buzz surrounding my video has settled, I would like to get back to dissecting the problems of Codentify. After meeting the industry insider, I also have a far deeper understanding of the system.

To remind everyone, in my last post I discussed how easy it is for factory employees, especially in IT management positions, to obtain a large batch of genuine Codentify codes. This is made possible by the Codentify system’s design, which does not demand any confirmation of the produced volume reported back by the local manufacturers.

Today I’m going to address this fundamental issue from another point of view: How could the government be certain the volume reported by the manufacturers is correct? How will it be able to identify tax avoiding factories? To make a long story short, with Codentify replacing the tax-stamps system – It simply can’t.

Each week, the factory reports back to the governmental central server the amount of produced packs via an automatic SQL query from Codentify’s software installed on the code generator. With a little help from a computer programmer, this query can send practically any number. So let’s say a factory reports 90% of its REAL produced volume: it has just scored 10% tax-free. Easy money. In fact, it is even easier than that: as I mentioned in the previous post, the electronic key sent by the central server to the local manufacturer allows it to print a large batch of, let’s say, 5 million packs. But every time a new key arrives, there is still an excess of codes left on the code generator, which simply need to be printed elsewhere. So in fact, this 10% discount I was talking about earlier might happen even without “fixing” the reported production numbers.

But why the small thinking? If a factory has found a way to over-produce packs in an undeclared production line, it might as well just duplicate the signal going from a code generator to the production line printer onto another ILLEGAL production line. This case is probably a “perfect crime”: Each pack, with its genuine Codentify code is produced twice. Statistically speaking, there is almost no way a code would be checked more than once to raise any flags. But even if a miracle happens and the same code is checked twice, consumer reports on that matter would be totally random with no pattern to trace or investigate.

Actually, I’ve been describing in detail all of these complicated scenarios when the point is quite simple, almost a trivial one: you shouldn’t let a corporation, ANY CORPORATION, self-regulate its taxes. Definitely not a corporation whose tax-regulation policy is in the middle of constant debate.

Every year, more states decide to raise taxes for industries whose products are considered harmful for public health (such as tobacco and alcohol). Moreover, more and more states earmark the taxes they collect from these industries to fund anti-smoking, anti-drinking, and anti-drugs education programs and rehab centers. In all of these cases, the industry tries to fight back, through massive lobbying and campaigning against these reforms.

Hence, with Codentify replacing tax-stamps, the industry is pretending to help solve the problem of illicit trade (and I’ve already explained why their solution is far from being sufficient), in the meanwhile gaining ammunition against governmental reforms by practically taking charge of their own tax collection. I guess when you have the tobacco industry’s resources – even if the government raises your taxes, you can still make sure it will not have the necessary means to enforce any of these decisions.

EXPOSED: Interview with a Codentify Insider

After much work to disguise his identity, I am finally posting the video interview with a former IT manager who worked with the Codentify system in a tobacco factory in the EU. After speaking with multiple experts in the anti-tobacco world, I am confident this is the most damning evidence against Codentify’s claims to being a viable tax code and track and trace solution for the industry.

See for yourself.

(Use the subtitle feature to better understand what is being said)

TEASER: Conversation with a Codentify Insider

I am still working out how to post the video featuring the Codentify insider I interviewed while keeping his identity safe. In the meantime I wanted to share just a short part of our conversation.

Me: What was physical security like inside the factory?

Insider: In my factory, if you were wearing a buttoned shirt, workers would think, “he’s probably someone important,” and gain you access practically anywhere.

More to come.

The Code Trading Problem

After discussing the low security standards of the Codentify system when it comes to preventing counterfeiters from getting away with copying Codentify codes, today I’ll explain a field where this technology has almost no security standards at all: preventing fraud by the tobacco industry’s employees.

A short reminder from my first post about how the system works within a local tobacco factory:

Each production line has a Codentify certified printer (e.g. Domino, VideoJet, etc.), which is connected to a code generator computer. This code generator receives an electronic “license” key from the central server that allows it to generate and immediately print unique genuine Codentify codes. Later, this code generator reports back to the central server only the number of the produced volume. And when I say “later”, in some cases it is much later (i.e. a week later, millions of packs later…).
So if a factory uses the good old tax-stamps, it has two parallel “counters”, one is the balance of previously bought tax-stamps, and the other is the counter on each production line printer. In this case, if somehow both counters are not even, the government is fairly “protected”: if there are packs that got produced without a stamp – it’s very distinctive, and if stamps got lost in the process – it’s the factory’s loss. Codentify basically annihilates the first counter, leaving only the printer-counter and the government/consumers to weather the damages.
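
The two-counter idea above, and the weekly self-reported volume from the production fraud post, can be written down as a regulator-side reconciliation. This is an added sketch, not part of Codentify or of any tax authority's system: the field names, the 7-day reporting window and all figures are assumptions, with the 5 million quota taken from the example batch size mentioned on this blog.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class KeyPeriod:
    key_id: str
    quota: int              # codes the licence key authorises
    reported: int           # volume the factory reported back
    report_delay_days: int  # days between key issue and the report
    # Second counter the factory does not control, e.g. tax stamps consumed
    # or a regulator-owned line counter. None means no such counter exists.
    independent_count: Optional[int] = None


def audit(period, max_delay_days=7, tolerance=0):
    """Return a list of (finding, value) pairs for one key period."""
    findings = []
    unused = period.quota - period.reported
    if unused < 0:
        findings.append(("over_quota", -unused))
    elif unused > 0:
        # Codes that could still be generated when the next key arrives.
        findings.append(("unaccounted_codes", unused))
    if period.report_delay_days > max_delay_days:
        findings.append(("late_report", period.report_delay_days))
    if period.independent_count is None:
        # Only one counter: the reported figure cannot be checked at all.
        findings.append(("unverifiable_volume", period.reported))
    else:
        gap = period.independent_count - period.reported
        if abs(gap) > tolerance:
            findings.append(("volume_mismatch", gap))
    return findings


def duty_at_risk(findings, duty_per_pack):
    """Duty on packs the second counter saw but the report left out."""
    return sum(v * duty_per_pack for f, v in findings
               if f == "volume_mismatch" and v > 0)


# Constructed sample periods (all numbers invented for illustration).
SELF_REPORTED = KeyPeriod("K1", 5_000_000, 4_500_000, 7)
TWO_COUNTERS = KeyPeriod("K2", 5_000_000, 4_500_000, 9, 5_000_000)
CLEAN = KeyPeriod("K3", 5_000_000, 5_000_000, 3, 5_000_000)

if __name__ == "__main__":
    for p in (SELF_REPORTED, TWO_COUNTERS, CLEAN):
        print(p.key_id, audit(p))
```

With a single self-reported counter the 10% gap only ever surfaces as "unverifiable"; with a second, independent counter the same gap becomes a measurable mismatch.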

Because industry’s primary objective is to boost its production volume and avoid pausing the production process at any cost, a code generator is designed to continue producing Codentify codes even when it has “connection problems” to the central server. In other words, a disconnected code generator can generate millions of codes before reporting back.
Therefore, an IT manager of a local factory is capable of stealing millions of codes in the following ways (you’re more than welcome to add methods my “creative mind” hasn’t thought of yet):

• When a new key arrives from the central server, the code generator probably still has an excess of codes it is technically able to print. All the fraudster needs to do is print them to a file.
• Using a software interceptor: duplicating each code sent by the code generator to the printer into a file. This can be done by installing some kind of a Trojan horse on the code generator computer, duplicating its printer output signal.

• Using a hardware interceptor: same as the software option, but for low-tech fraudsters that prefer to physically connect a “black box” to the cable in between the code generator and the printer.

• Duplicating the code generator – Installing the code generator as a VM (Virtual Machine), duplicating it each time a key arrives from the central server.

Now you might say every technological system is vulnerable to these kinds of attacks, especially by highly capable employees such as IT and production managers, but in Codentify’s case, the tobacco industry as their employer is not the one to take the hit! We are! And of course we are supposed to just trust the industry’s managers to trust their employees not to be tempted into committing fraud that their bosses have no grave interest in preventing. I personally find this issue both suspicious and concerning.

As I mentioned last week, I have a video interview with a Codentify insider. I have still not released it, as I have been warned by experts to be concerned for the source’s personal safety. I am in the process of sorting out how to release the information and protect him at the same time. More soon.

The Counterfeiting Problem

Here goes my second post.
I’m going to elaborate on Codentify’s methods of counterfeit avoidance, or the lack thereof.

Before I get started it is important for me to note that I have received encouragement from leading anti-tobacco activists after my first post. To those who wrote me: thank you for your support!

Allegedly, giving counterfeiters a hard time should be one of the tobacco industry’s main goals. However, when this interest conflicts with simplifying the production process and increasing revenues, it seems tobacco companies prefer to cut counterfeiters some slack…

I’ll remind you how Codentify’s product authentication works:

Let’s suppose your cigarettes taste funny and you want to confirm they are an authentic product and not counterfeit. You can submit the 12-digit Codentify code printed on the pack via SMS or a call to the hotline. The system then checks if your code has been verified before. If it has not, then the system will derive what factory the pack came from, and that is it! The system can easily produce a false positive: it has no way of confirming that my cigarette is genuine, only that the code number has never been checked before. On the other hand, it can also produce a false negative. Let’s say someone has already received confirmation that their code is genuine on a counterfeit pack and I then check the code on my real pack; the system will respond by telling me mine is in fact the fraudulent pack, as the code was already submitted by someone else.

This procedure might be sufficient to catch counterfeiters that copy a single code to a large amount of packages, so that if for example there are thousands of packs with the same code, it would be checked more than once, and therefore mark it as suspicious product.

Although, if a counterfeiter copies let’s say a thousand codes only once or twice, the probability the same pack would be checked twice decreases significantly, and the probability it would be checked enough times to raise a flag and get someone to investigate it drops nearly to zero.
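
The "has this code been checked before?" logic and its blind spot can be put in numbers. This is an added sketch, not Codentify's code: the verifier is a minimal model of the behaviour described above, the codes are constructed, and the 1% consumer check rate is an assumed figure used only to show how the detection rate scales.

```python
import math


class FirstCheckVerifier:
    """Minimal model: a code passes the first time it is submitted."""

    def __init__(self, issued_codes):
        self.issued = set(issued_codes)
        self.seen = set()

    def check(self, code):
        if code not in self.issued:
            return "invalid"
        if code in self.seen:
            return "already checked"  # whoever asks second is told "suspect"
        self.seen.add(code)
        return "genuine"              # says nothing about the pack itself


def prob_flagged(check_rate, packs_per_code):
    """Chance that one code is submitted at least twice.

    Assumes each of the `packs_per_code` packs carrying the code is checked
    independently with probability `check_rate` (binomial model).
    """
    p, n = check_rate, packs_per_code
    none = (1 - p) ** n
    exactly_one = n * p * (1 - p) ** (n - 1)
    return 1 - none - exactly_one


def expected_flags(check_rate, packs_per_code, distinct_codes):
    """Expected number of codes that get flagged across a batch."""
    return distinct_codes * prob_flagged(check_rate, packs_per_code)


def demo_outcomes():
    """Same code on a copy and on the real pack; the copy is checked first."""
    v = FirstCheckVerifier({"000000000001"})  # constructed 12-digit code
    return v.check("000000000001"), v.check("000000000001")


if __name__ == "__main__":
    print(demo_outcomes())
    rate = 0.01  # assumption: 1 pack in 100 is ever checked by its buyer
    print("one code on 1000 packs:", round(prob_flagged(rate, 1000), 4))
    print("a code on 2 packs:     ", prob_flagged(rate, 2))
    print("flags per 1000 such codes:", expected_flags(rate, 2, 1000))
```

Under that assumed check rate, a single code stamped on a thousand packs is almost certain to be flagged, while a code that exists on just two packs is flagged about once in ten thousand cases.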

When you think about it, a thousand packs of cigarettes is not so expensive to legally buy. Nevertheless, if you’re a shop-owner, or better, a part of tobacco product distribution – copying a couple of thousands of different packs from various brands is no big deal.

I have been asking myself why the companies implemented such weak measures to protect their own brands. I mean, if you’ve invested time and money into developing your own cryptography patent, why not secure it a bit more? Examples of solutions off the top of my head:

• Not using a 12-digit number that is printed on the outside of a packet as your security mechanism. That’s just lame.

• If so, at least provide the consumer some basic info when he checks the product, so he would know he holds a pack in London that was intended for Paris and produced more than a year ago.

• Checking the codes throughout the delivery process, and informing the consumer it was checked at the key points of the supply chain. Now I’m not saying they should store all their codes into a DB as it is (that would be an obvious security breach), but saving some altered versions of it in order to perform these checks may do the trick.

But then it hit me… what if their purpose was not to secure their brand? When producing billions of packs a month, you don’t really care about small-scale counterfeiters, no matter how dangerous their product might be. All they ever cared about was making the printers go faster, while giving a simple barcode a name that sounds “high-tech-security”, and getting governmental authorities off their back.

I would also like to note that as I mentioned in my first post I had managed to reach out and connect with an insider in the industry. I have since met with him and video recorded our meeting where he explains in depth just how much of a ruse Codentify is. I have a friend currently editing the video and I hope to have it up by the end of next week. I think it is very hard hitting material so stay tuned.