In March 2023, ID & Secure Document News™ (IDN) carried an article on the opportunities for new projects stemming from research collaborations, using the UK SPRITE+ network as an example 1.
At one of these network meetings, a group of academics and an industry partner came together to propose a scoping study on a topic pertaining to digital ID. The proposal was successful and the resultant DigiProPass project was described in the September 2023 edition of IDN.
This short study examines the potential for a digital product passport to inadvertently disclose personal ID information, by conducting in-depth interviews with experts and stakeholders, and reviewing relevant academic literature and web resources.
The results are at present being collated and the aim is to produce a peer-reviewed journal paper from these. This article presents a short overview of the findings as an initial output from the process and, as you will see below, a conference presentation has been proposed.
It was noted in Tax Stamp & Traceability News™ (a sister publication to IDN), in January 2023, that the driver behind the digital product passport (DPP) initiative was forthcoming regulations on sustainability and the circular economy. To this end, the DPP aims to contain component data on a product across its complete lifecycle to facilitate a circular economy.
Whilst the exact technology of DPPs is still uncertain, one potential carrier is a QR code linked to an online database. There is also the potential for the QR code to additionally act as an anti- counterfeiting device, which was explored in Authentication & Brand News™ (another sister publication to IDN), in February 2023.
The DigiProPass project looks in a different direction – the potential for a DPP to inadvertently disclose personal ID information. The premise explored is that seemingly ‘non-personal’ or ‘product’ data can reveal personal data about users. For example, data from electric vehicle batteries can already reveal some information about the habits and characteristics of the drivers.
The potential issue is that anonymised data can be linked to digital ID by combining it with other datasets. It is this potential for the inadvertent profiling of personal information linked to product data that was the focus of this scoping study. The long-term aim remains to inform adaptive solutions that prioritise privacy and security alongside sustainability, mitigating potential harm whilst working to ensure DPPs can function for their intended purposes.
The interviewees for the study were selected on the basis that they are actively involved in the creation and manufacturing of relevant passport technology, have demonstrated knowledge of DPPs and/or have relevant expertise in privacy, security and legal aspects of technology. A total of 10 interviews, with interviewees based in UK, Europe and Asia, were conducted via a virtual meeting platform.
Overall, the interviewees demonstrated a general high-level knowledge of DPPs, reflecting the published literature on the topic. They recognised that the aim of DPPs is to contain data pertaining to end-of-life recycling of the product, such as carbon footprint, product health, degradation, repair/damage, warranty, security, tracking, and usage. Examples of potential products mentioned were vehicle batteries, consumer electronics, and plastics.
There was a uniform awareness that the intention behind the introduction of DPPs was the drive towards sustainability goals, circular economy, ecodesign, net zero and Scope 3 (indirect) emissions. The potential that data recombination from other sources had the potential to reveal personal data was discussed at this point.
It is this potential to inadvertently reveal personal data that raises an important question: are current legal frameworks fit for purpose in the face of this and other similar initiatives? The key piece of legislation in terms of personal ID (at least in a European context) is GDPR (General Data Protection Regulation). Feelings on the capabilities of this legislation in the face of the DPP initiative were mixed.
Some felt that GDPR was sufficient but recognised a grey area for this data. That is, it might not be obvious that the product data gathered as part of a DPP initiative could constitute personal data. One respondent noted that the Ecodesign for Sustainable Products Regulation (ESPR) does not seem to assume private/user data will be collected. Others felt that GDPR is either insufficient or lacking enforcement in the face of such challenges. This may be one area in need of attention.
The comments from the respondents suggest that thoughts on responsibility and liability for this data is again mixed. Some say ultimate responsibility lies with the organisations collecting the data, while others say it lies with those who create the standards. Most people feel responsibility is shared across the board – between regulators, government, tech providers, and standards.
The main area of disagreement amongst interviewees was the involvement of consumers. Some feel it is of utmost importance to create an educated and informed user body with the capacity to make good decisions about privacy and security in these spaces, including ownership of one’s own data, whilst others suggest bypassing users in the decision- making process. These responses underline the complexity of this issue.
It was noted that this issue is different to data posted by consumers on social media platforms, in that the consumer is not purposefully making the data available. In terms of data provision, it is not the consumer that is the data provider and that is presumed to change accountability and responsibility.
The September article in IDN noted that this would be an interesting topic to debate at the next Optical & Digital Document Security™ (ODDS) 2 conference in Lisbon, Portugal, from 8-10 April 2024. An abstract on this project has been submitted and hopefully this will be included when the programme is released in January 2024. Submissions for this ODDS are of the highest quality so selecting those for the conference programme has proved to be a challenge, but we look forward to discussing this topic with you in Lisbon.
