Objects-as-a-Service (OaaS) and why things need identities

Ann Cairns, Executive Vice Chair at MasterCard, said back in 2018 that it could be the year when (thanks to the incredible speed with which new technologies are adopted) physical wallets could soon be a thing of the past as the world wakes up to wearables. Ann said, correctly, that wearable devices are getting a “new lease of life by becoming payment enabled” and noted forecasts predicting that two-thirds of wearables would have payment functionality by 2020. This didn’t quite happen, for reasons I will return to shortly, but as a baseline note her point that five years ago the global sales of smart wearables were already at $416 billion.

In 2019, Mastercard highlighted that wearables are about fashion as well as function. They pointed out that as the technology that powers wearables gets smarter, fashion brands rather than technologists (or payments geeks) are driving the evolution of the market. Even then, one in five adults in the USA were already wearing a smart watch or fitness strap and they expected the wearable tech market to reach something like $30 billion in 2020.

Wearables Market 2020

Global wearables markets 2020 (Source: IDG, 12/20).

In 2020, as these figures from IDG show, the wearables market (dominated by Apple) continued to grow and is expected to maintain a double-digit rate of growth through 2024. In the US, the wearable device most frequently used for payments is the smartwatch (more than mobile phones or contactless cards). Interestingly, recent research shows that college graduates are more frequent users of smart watches for payments than non-college graduates and that they use their wearables to pay more than 200 times a year, almost double the usage of mobile phones and 50% more than cards.

The market for wearables that can do interesting things (eg, payments) is going to grow more than that though, because the growth of cheap passive wearables (ie, wearables that don’t need batteries, just as contactless cards don’t need batteries) will grow faster because of the new, smaller and more cost-effective chips arriving from suppliers such as Infineon. I wasn’t surprised, therefore, to see an excellent presentation from Discover at the Women in Payments 2021 summit saying that…

Discover Wearables

So what has prevented this market from developing even faster? Well, the process of taking an “empty” microchip and loading secure credentials into it so that it can be used for payments, identity, provenance and other high value applications (the process of what card people call “personalisation”) is complex and costly. Imagine that you are running a pop festival and you want to provide rings or wristbands or badges or whatever than can be used to gain entry, to pay for drinks, to identify someone in an emergency. Taking 20,000 wristbands and loading credentials into them and then making sure each wristband gets to the right person is a logistical challenge hence the technology tends to be applied at the high end of the market. There are companies that make some beautiful wearables that can be used in this way. I love the stuff that Tovi Sorga has and I think this illustrates that Mastercard point about the role of fashion. Amex, to give another example, have just released a Prada leather bracelet with a contactless chip in it for their Centurion cardholders.

Getting the right bracelet with the right payment card into the hand of the right cardholder is complicated though. The logistics are a challenge because the devices must be “personalised” when they are ordered and then correct distributed. As a way of reducing the logistics costs, though, suppose there was a decentralised way to do the personalisation needed to turn nice wearables into secure, smart objects? Imagine that the pop festival organiser sends you a wristband and then you use your own mobile phone to load one of your payment cards into the wristband? Or you use the (eg) Discover app on your phone to create a prepaid card valid for a week and load $100 onto so that you can leave your phone in your pocket while you enjoy the show? Well, this is what Digiseq, a UK start up has done. And this is only one of the reasons why I was flattered to be asked to become their Non-Executive Chair as they go into their next fund-raising round. Amongst their achievements already is the launch of KBC wearables in Belgium, including the Rosan Diamond key fobs that proved popular last year, creating a Lucozade bottle that you could use to pay for travel in London and putting chips into the Golden Globe awards so that their authenticity and provenance could be validated.

Provenance is Forever

Provenance is important. I wrote about it more than a decade ago using the example of luxury goods such as watches and asking how you would tell a fake Rolex from a real one. It’s a much more complicated problem than it seems at first. Suppose an RFID chip is used to implement an ID in luxury goods, authentic parts, original art and so on. If I see a Gucci handbag on sale in a shop, I will be able to wave my phone over it and obtain the ID.  My mobile phone can decode the number and then tell me that the handbag is Gucci product 999, serial number 888. This information is, by itself, of little use to me. I could go onto the Gucci-lovers website and find out that product 999 is a particular kind of handbag, but nothing more: I may know that the tag is ‘valid’, but that doesn’t tell me much about the bag. For all I know, a bunch of tags might have been taken off real products and attached to fake products.

To know if something is real or not, I need more data. If I wanted to know if the handbag were real or fake, then I would need to obtain its provenance as well as its product details. The provenance might be distributed quite widely. The retailer’s database would know from which distributor the bag came; the distributor’s database would know from which factory the bag came and Gucci’s database should know all of this. I would need access to these data to get the data I would need to decide whether the bag is real or fake.

The key to the business model is not the product itself but the provenance, so delivering a service means linking the personalisation and the provenance under the control of the brands. This is where Digiseq is going. In January, one of the world’s leading chip manufacturers Infineon Technologies AG announced that they will be working Digiseq on their  SECORA™ Blockchain NFC technology to deliver secured identity data. This is an advanced solution that connects the digital data recorded on blockchain to physical items, allowing for just this comprehensive verification of the identity of items, thereby eliminating the challenge of product substitution and heightening supply chain transparency.

cheap chips can turn almost anything into a smart object and with the right provenance service in place turn those smart objects into objects-as-a-service (OaaS). Click To Tweet

The ability for brands to choose whether to give customers high end wearables for select markets or to push into the mass market with wearables that customers can personalise themselves, using the mobile phones to add/remove payment cards, access codes or identities at any time, is a game changer. But it is only the beginning. The secure microchips that are inside the Prada bracelet or the Golden Globes can be inside everything from smart watches to luxury handbags, from aircraft parts to bottles of whiskey. These inexpensive RFID chips turn almost anything into a smart object, and with the appropriate back-end provenance system in place, they can turn those smart objects into objects-as-a-service (OaaS).

Objects-as-a-Service are going to be… well, huge. If you want to learn a little more about this incredible new market and the opportunities that it presents, come and join me at the Digiseq webinar on 22nd April 2021 at 9am UK time. Sign up here.

Posh and Blocks

While flicking through British Vogue magazine for some moisturising tips, I came across a mention of digital identity! I was surprised and delighted that (just as has happened another of my obsessions, Dungeons and Dragons) what was once the province of nerds and outsiders has become fashionable and cool. Hurrah! Vogue says that secure digital identities for luxury goods are crucial, which is great! I could not agree more. Digital identities are not only for people! I have been writing about the need for digital identities for things for many years, and not only for high fashion (a field where, oddly, I have some experience in the use of NFC applications. On mobile phones to scan designer clothes – but that’s another story).

LFW

 

Some years ago I asked if “the blockchain” (put to one side what this might mean for a moment) might be a way to tackle the issue of “ID for the Internet of Things” (#IDIoT). I said at the the time that I had a suspicion that despite some of the nonsense going on, there might be something there. My reason for thinking that is that there is a relationship between blockchain technology and IoT technology, because we need a means to ensure that virtual representations of things in the mundane cannot be duplicated in the virtual. As I saw it, there were three ways to do this: a database, tamper-resistant hardware or blockchain.

If we look at the database idea first, I explored this more than a decade ago using the example of luxury goods such as watches and asking how would you tell a fake Rolex from a real one. It’s a much more complicated problem than it seems at first. For example: why would Rolex care? I can’t afford a Rolex, so if I buy one at a car boot sale or in China, Rolex isn’t losing a sale. But by wearing the fake, I’m presumably advertising the desirability of a Rolex. So surely they should be happy that people want to wear fakes or not? And if I did have a real Rolex, would I want to wear it in dangerous places where expensive watches get stolen in broad daylight by muggers (eg, London, London or London) or where I might just lose it?

Anyway, regardless of the reasons for it, let’s think about how to tell the real thing from the fake thing using technology. Suppose RFID is used to implement Electronic Product Codes (EPCs) for luxury goods. If I see a Gucci handbag on sale in a shop, I will be able to point my Bluetooth EPC-reading pen at it and read the EPC, which is just a number. My mobile phone can decode the number and then tell me that the handbag is Gucci product 999, serial number 888. This information is, by itself, of little use to me. I could go onto the Gucci-lovers website and find out that product 999 is a particular kind of handbag, but nothing more: I may know that the tag is ‘valid’, but that doesn’t tell much about the bag. For all I know, a bunch tags might have been taken off of real products and attached to fake products.

To know if something is real or not, I need more data. If I wanted to know if the handbag were real or fake, then I would need to obtain its provenance as well as its product details. The provenance might be distributed quite widely. The retailer’s database would know from which distributor the bag came; the distributor’s database would know from which factory the bag came and Gucci’s database should know all of this. I would need access to these data to get the data I would need to decide whether the bag is real or fake.

This is a critical point. The key to all of this is not the product itself but the provenance. A database of provenance (for example) is the core of a system to tell real from fake at scale.

Who should control this database, and who should have access to it, is rather complicated. Even if I could read some identifier from the product, why would the retailer, the distributor or Gucci tell me any about the provenance? How would they know whether I were a retailer, one of their best customers, one of their own ‘brand police’, a counterfeiter (who would love to know which tags are in which shops and so on) or a law enforcement officer with a warrant?

This is where the need for a digital identity comes into the picture. A Gucci brand policeman might have a Bluetooth pen tag reader connected to a mobile. They could then point the pen at a bag and fire off a query: the query would have a digital signature attached (from the SIM or SE) and the Gucci savant could check that signature before processing the query. Gucci could then send a digitally signed and encrypted query to the distributor’s savant which would then send back a digitally signed and encrypted response to be passed back to the brand policeman: ‘No we’ve never heard of this bag’ or ‘We shipped this bag to retailer X on this date’ or ‘We’ve just been queried on this bag in Australia’ or something similar.

The central security issue for brand protection is therefore the protection of (and access to) the provenance data, and this needs a digital identity infrastructure to work properly. If it adds £20 to the price of a Rolex to implement this infrastructure, so what? The kind of people who pay £5,000 for a Rolex wouldn’t hesitate to pay £5,020 for a Rolex that can prove that it is real.

A small brand premium might be rather popular with people who like brands. Imagine the horror of being the host of a dinner party when one of the guests glances at their phone and says “you know those jeans aren’t real Gucci, don’t you?”. Wouldn’t you pay £20 for the satisfaction of knowing that your snooping guest’s Bluetooth pen is steadfastly attesting to all concerned that your Marlboro, Paracetamol and Police sunglasses are all real? Of course you would.

For some goods, we might want to add tamper resistant hardware to the product. I have long been interested in the use of low-cost RFID chips in this context. An example I looked at some years ago was the problem in Korea with the production of counterfeit whiskey. The authentic whiskey producers decided to add an RFID chip to the bottle caps. This chip was coded with a URL and an identifier. When a customer, or a shopkeeper, or a policeman, or in fact anyone else wants to check whether the whiskey is real or not, they touch the cap with their phone and the URL launches a web site that knows the provenance of the identifier and can tell you when and where it was bottled as well as some other information. When a customer opens the bottle, the tag is broken and can no longer be read. That seems to be a cost-effective solution, although it again relies on the provenance database to make it work (otherwise the counterfeiters would just find a way steal the chips).

The mass market IoT, however, amplifier that problem of permission. I have always tried to illustrate this for people in a fun way by using the case study of underwear. It’s one thing for dinner guests to scan my wine bottle to see that it is a real Romanée-Conti and another for them to scan my Rolex to check that it is indeed a first-class far-eastern knock-off, but it’s quite another for them to be able scan my underpants and determine that they date from 1983. How do we turn tags on and off? How do we grant and revoke privileges? How do we allow or deny requests for product or provenance? Once again, we must conclude that not simply digital identity but a full digital infrastructure is needed.

The third approach that I thought worth exploring was that of some form of blockchain. It seemed to me that by using the blockchain to maintain uniqueness, we might find a way to make the IoT a transactional environment. Just as you can’t copy the physical object, but you can transfer it from one owner to another, so you can’t copy a token on a shared ledger, only transfer it from one owner to another. Thus, if you can bind a token to a physical object, you can greatly reduce the cost of managing that object. Hence I was rather interested to read in that Vogue article that Luis Vuitton, Microsoft and Consensus have developed a platform called “Aura” to manage provenance to provide proof of origin and prevent counterfeits using a blockchain. The basic idea is to represent luxury goods as ERC-721 tokens on a private permissioned Quorum blockchain.

Obviously, I don’t have any details about how this will actually work, but LVMH seem to imply that at the time of purchase of one of their brands’ product, the customer can use the brand’s application to receive an “AURA certificate” containing all product information. I assume that if you sell your handbag (or whatever) to a charity shop, you can transfer the certificate to the charity shop’s application. Underlying all of this, there is the token on the blockchain moving from the retailer’s wallet, to your wallet, to the charity shop wallet.

If this works, and it’s simple and convenient for consumers, some sort of app presumably, it will generate an amazing amount of valuable data for brand owners. They will know exactly who has their stuff and how much of it they’ve got. If the app records “fails” as well, then they’ll also know who has the knock-offs too.