Background In anticipation of the Protocol to Eliminate Illicit Trade in Tobacco Products (ITP) entering into force in 2018, there is a growing demand for information on track and trace (T&T) solutions for tobacco products. This article contrasts the efficacy of Codentify from the perspective of authentication with that of material-based multilayered security technologies.
Method To calculate the probability of detecting one fraudulent pack under Codentify, we relied on a modified Bernoulli trial experiment with independent repeated sampling without replenishment. The probability is calculated using a multinomial distribution formula adjusted for the fact that both legitimate and non-legitimate packs may be sold in the market.
Results In a relatively small market, a law enforcement authority would have to inspect over 27 000 (almost 31 000) packs per week to have a 90% (95%) certainty that it did not miss a fraudulent pack under the Codentify system. A material based T&T solution would require only 45 (59) pack inspections a week to have the same level of confidence.
Conclusions This study demonstrates the inefficiency of Codentify compared to other solutions that incorporate material-based security features. Signatories to the ITP should reject Codentify due to both its low efficacy and its clear violation of the ITP’s requirement that T&T shall not be performed by or delegated to the tobacco industry or its front groups.
- illicit trade protocol
- track and trade
Statistics from Altmetric.com
Global trade in illicit tobacco products deprives governments of important tax revenue and undermines their efforts to protect public health by making cheaper cigarettes available. Today, illicit cigarettes account for about 11.6% of the global cigarette market resulting in approximately US$40.5 billion tax revenue lost per year.1 The importance of addressing the illicit trade in tobacco products is evident from the fact that the parties to the first international treaty on public health, the WHO Framework Convention on Tobacco Control (FCTC), decided to negotiate a separate protocol for the WHO FCTC dealing with this subject. The Protocol to Eliminate Illicit Trade in Tobacco Products (ITP) was adopted at the fifth Conference of the Parties in November 2012. As of July 2017, it needed only 12 additional countries to ratify it before it becomes a new international treaty, legally linked to FCTC Article 15.
The ITP highlights the need for policy changes and technological solutions to reduce the illicit trade in tobacco products. It also points to the need for international cooperation such as information sharing, collaborative investigation and prosecution of offences, which would be essential in addressing cross-border illicit cigarette trade.
As the number of countries ratifying the ITP increases, there is a growing demand for information on track and trace solutions for tobacco products, covered in Article 8 of the Protocol, because each Party will be obligated to implement a tracking and tracing system within 5 years of the Protocol’s entry into force, which is expected to occur in 2018.
Even though the ITP specifically rejects any involvement of the tobacco industry in providing the track and trace solution, the tobacco industry heavily promotes its own control system, known as Codentify. Codentify is being offered as both a stand-alone ‘industry solution’ and a hybrid solution that combines features of Codentify with secured packaging material to purportedly create a solution to combat the illicit trade in tobacco products.
Codentify (rebranded as Inexto and/or sold to other third parties2) was originally developed and patented by Phillip Morris International (PMI), which licenses it free of charge to its three major competitors. It is a digital marking system that uses an encrypted 12-character code that is visibly printed onto tobacco packs and cartons to identify and verify each unit package. The code is human readable and does not incorporate any physical security features3; thus, it is easy to compromise.4 5 The way to verify the validity of the code is to link to an online network, therefore requiring a phone call, an SMS, a dedicated mobile application or access to a website. However, this verification pertains only to the legitimacy of the printed code, not the legitimacy of the product itself. This means that if a code is stolen or copied from a server or from products already in the distribution chain, and then applied to a product that was not declared for tax purposes (genuine or counterfeit), then that product would pass Codentify’s basic verification test. In this scenario, the code would authenticate as being genuine but there is no guarantee that the product is.
In fact, the only way to raise a suspicion about the legitimacy of a product within a Codentify system is to find a duplicate code somewhere along the supply chain. For example, even if two identical products are detected, it would still not be clear if either of the two products is legitimate (ie, tax paid, from a Codentify enabled production line). At that point, the only way to determine the legitimacy of a product is to rely on the tobacco industry’s forensic analysis, which is based on frequently changing tobacco ‘DNA’ or packaging features, which are only known to the industry itself. These weaknesses make Codentify less reliable and secure compared with material based, multilayered, advanced security solutions, which enable all stakeholders (distributors, retailers, customers and Customs/Excise agents) to readily identify non-compliant products.6
In addition, Codentify has been criticised due to its inability to track products, thus not being compliant with major ITP requirements for track and trace.7 8 Over time, the system evolved and, according to the Inexto website, is now capable to track and trace products.
This study takes a pure statistical approach to test Codentify’s authentication efficacy for accurate, reliable and efficient enforcement by tax and customs authorities who are typically on the front line in the fight against illicit trade. Therefore, we estimate the resources required by those authorities to comply with the ITP when a Codentify-based solution is employed. As a comparison, we contrast those resources with requirements under an alternative track and trace solution using widely available multilayered security technologies for authentication.
We calculate the probability of detecting one fraudulent pack under Codentify and a material-based security system using statistical analysis. Such probability depends on the size of the overall market, that is, the number of products in circulation at any given point in time, the share of illegal products and the number of products inspected.
In case of Codentify, one needs to consider the number of legitimate codes that were ‘harvested’ and applied to illegal products. The harvesting of codes could be done in various ways including: data breaches into a Codentify server or Codentify controllers on the production lines, obtaining codes from distribution and warehousing facilities or simply copying the codes directly from the retail market. In addition, the holder of the legitimate codes could use them multiple times to reduce its tax liability.
To demonstrate the practical implication of this calculation, the probability question is transposed into estimating the number of products that would need to be inspected to achieve reasonable certainty (eg, 90%) that a particular batch of products is not contaminated with illicit products using duplicate harvested codes.
An inspection of a cigarette pack can result in four outcomes.
A pack has a Codentify code that has not been previously detected (ie, the pack may be legitimate).
A pack has a Codentify code that matches a code on n other products checked previously (ie, n−1 packs are illegal).
A pack has a code, but it is not a legitimate Codentify code (ie, the pack is illegal).
A pack does not have a code (ie, the pack is illegal).
To model the probability of detection of an illegal pack with a legal Codentify code (outcome number 2), we employed a modified Bernoulli trial experiment, with independent repeated sampling without replenishment of which there are exactly two possible outcomes (‘duplicate detected’ and ‘no duplicate detected’). While a Bernoulli trial requires that the probability of success is the same every time the experiment is conducted, in the case of an inspector sampling digital codes, the probability of success increases with each additional pack being checked as a result of the additional codes that are added to the repository of ‘checked’ items. The model further takes into account the size of the ‘harvest’ of legitimate codes and the number of times that they have been replicated, as these have a direct impact on the probability of detecting a duplicate.
On the other hand, the probability of not finding an illegal pack in a random sample of packs using a material-based security solution, or the probability of outcome number 3 or 4, are based on the hypergeometric distribution. See Appendix in the online Supplementary file 1 for technical details.
Supplementary file 1
We assessed the performance of Codentify in a relatively small market where approximately 1 billion cigarette packs are sold in a year. This means that about 19.23 million cigarette packs are sold each week. Given that cigarettes generally have a high retail turnover, we added 25% to the sales to account for products moving through distribution channels. Therefore, an estimated 24 million packs are available for inspection by authorities each week.
The model is based on a market where 10% of packs are illicit in one form or another. Of these illicit packs, it is assumed that half of them (5% of the market) would be fraudulently using (or hijacking) the Codentify solution, while the remaining illegal packs would represent other forms of illicit trade (eg, diverted products or smuggled contraband with no codes or no legitimate codes).
To demonstrate the vulnerability of the Codentify system, we focus on 1.2 million illicit packs with the hijacked Codentify code that appear on the market each week. Let us assume that the producer of these illegal packs obtained 600 000 legitimate Codentify codes from the declared production that has been taxed. In order to mark all its illegal products, the producer will use each harvested code twice, reprinting these codes onto the undeclared cigarettes.
Both licit and illicit packs are now mixed together and the market is offering 5% of the packs with replicated codes, 5% of illegal packs without replicated codes and 90% (or 21.6 million) legal packs. However, 600 000 legitimate packs with the stolen Codentify codes also enter into the equation since they cannot be distinguished from the packs with stolen codes. This adds another 2.5% packs to the ‘illicit’ pool.
Table 1 shows the number of inspections that would be required by government authorities to reach a level of certainty of detecting one fraudulent pack within the Codentify system—that is, find a match within one of the 7.5% packs (see formula A in the Appendix in the online Supplementary file 1). We disregard the other 5% illegal packs for the moment as these are addressed in table 2.
In order for a law enforcement authority to have a 90% (95%) certainty that it did not miss a duplicate, it would have to inspect over 27 000 (almost 31 000) individual packs in a week (table 1), the window period that each batch of illicit products is in the market. This means that a minimum of 11% (13%) packs in distribution would need to be inspected every week. Insufficient inspections by authorities can return a false confirmation that the market does not carry any illegitimate Codentify codes.
Given that most cigarettes are sold within a week or so, the manufacturer/distributor that possesses both legitimate and illegitimate codes can substantially reduce the probability of the legitimate and the illicit products with the same code appearing at the market simultaneously by delaying the distribution of products with duplicate codes. This would make detecting a duplicate almost impossible.
In comparison, multilayered, material-based security systems would require far fewer inspections to detect illicit trade. The reason lies in fundamental differences in the verification and authentication approaches. Each pack would have multiple levels of security features (overt, covert and forensic), which would enable authentication in addition to code verification. Thus, the first scan of an illegal pack would immediately detect a fraud without the necessity to look for a duplicate code. Since the Codentify system does not have an authentication feature, the first scan of a copied/fake code would not result in the detection of a fraud.
In our market scenario where 5% of packs are illicit without legitimate Codentify codes, table 2 shows the number of inspections required to reach a certain probability of detecting one fraudulent pack (see formula B in the Appendix in the online Supplementary file 1). In this case, the probability of finding a pack without a Codentify code equals the probability of detecting a fraud using a material-based solution—the moment a pack is inspected, it is clear that it does not comply.
Application of the model shows that inspectors would need to inspect only 45 (59) packs a week to have 90% (95%) confidence that the market contains only legal products.
A comparison of tables 1 and 2 reveals that in order to achieve a 95% certainty of not missing an illegal pack, the Codentify system would require 525-times more inspections compared with the material-based authentication method.
This study demonstrates the resources needed to combat illicit trade in tobacco products given the available technologies. Specifically, we contrast the tobacco industry’s Codentify system with material-based solutions.
The Codentify system has been marketed as the answer for combatting illicit trade. In reality, it is anything but that, because enforcement officers in a country with a Codentify system would have little chance of detecting large-scale fraud committed under the guise of control.
Even if a legitimate manufacturer is compliant and codes are stolen from the distribution system, Codentify is still grossly inefficient because it requires a much larger enforcement capacity to achieve the same detection rates as other available material-based technologies.
Tobacco industry-independent solutions combining material-based features with information-based security and robust information technology infrastructure are already proven and have been demonstrated to successfully combat illicit tobacco trade while supporting government’s public policy objectives with respect to regulatory compliance, revenue collection and public health. Using material-based solutions would reduce the cost of compliance and detection and the overall costs of enforcement by providing government with a robust method for combatting illicit trade. Empirical evidence shows that the cost of implementing these solutions is low in comparison to the net revenue gains and social benefits of lower tobacco use.9
In conclusion, the Codentify and its derivatives should be rejected by signatories to the ITP for the reasons set out in this paper as well as because its links to the tobacco industry and, therefore, in violation of the terms of the ITP. There are many technology and solution providers far better suited to building and potentially operating secure track and trace systems with robust authentication features for governments as envisaged by the ITP.
What this paper adds
The Illicit Trade Protocol calls for establishing a track and trace system for tobacco products. Such system needs to be controlled by the Party and adhere to the available best practice. The Codentify system developed by the tobacco industry fails to meet both of those criteria.
This article demonstrates the inefficiency of the Codentify system in terms of enforcement resources needed to assure compliance. We calculated the number of inspections needed to verify the efficacy of Codentify and contrast it with the required enforcement resources if widely available multilayered security technologies are employed. We demonstrate that Codentify is a grossly inefficient system, because it requires much larger enforcement capacity to achieve the same detection rates compared with other available solutions. Enforcement officers in a country with a Codentify system have little chance to detect large-scale fraud, but will have the illusion of control.
We would like to thank Professor Francois Steffens from the University of Pretoria and Associate Professor Malcolm Keswell from the University of Cape Town for their assistance with the calculations.
Contributors HR wrote the article and verified the calculations. ME and MY conceived the idea, provided the calculations and contributed to the writing of the article.
Funding African Capacity Building Foundation.
Competing interests None declared.
Provenance and peer review Not commissioned; externally peer reviewed.
Correction notice This article has been corrected since it published Online First. The online Appendix has been updated as previously “1/a” was not placed in the formula.
If you wish to reuse any or all of this article please use the link below which will take you to the Copyright Clearance Center’s RightsLink service. You will be able to get a quick price and instant permission to reuse the content in many different ways.