Digital Product Passports – Unintended Consequences for Digital ID?
In March 2023 IDN carried an article on the opportunities for new projects that stem from research collaborations, using the UK SPRITE+ network as an example. It was noted that a group of academics plus an industry partner had come together at a SPRITE+ meeting to propose a scoping study for funding on a topic relating to digital ID. The proposal was funded and the aim of this article is to provide the ID and secure document community with an outline of the DigiProPass project.
The debate on the implications of the emergence of Digital Product Passports has already started within the Reconnaissance community. It emerged first at the Tax Stamp and Traceability Forum™ meeting 2022 in the context of a German battery passport initiative. It was noted at that meeting that the concept was applicable to a wider range of products and was part of a much wider agenda.
This was explored further in Tax Stamp & Traceability News™ January 2023. The wider range of products made up the concept of the Digital Product Passport and the driver behind the initiative was forthcoming regulations on sustainability. It was noted that to facilitate a circular economy the Digital Product Passport aims to contain component data on the product across the complete product life cycle.
One potential carrier for this is the QR code linked to an online database, where businesses, product owners and regulators can potentially access information on the composition of a product to facilitate recycling. This, together with the potential for the QR code to additionally act as an anti-counterfeiting device was explored in Authentication & Brand News™ in February 2023.
The scoping study outlined in this article looks in a different direction – the potential for a Digital Product Passport to inadvertently disclose personal ID information.
The DigiProPass project
The DigiProPass (from Digital Product Passport) project came about as a scoping study to investigate this potential. These Digital Product Passports will be digital records for physical products, designed to track how and where products are used as they move through the economy and look set to include electric vehicle batteries and consumer electronics. As noted above, this initiative is driven by sustainability efforts and the desire to facilitate circular economies (sharing, reusing, and recycling products) through regulations.
From a regional perspective these look set to become legislated in the EU. There are also similar initiatives underway in India. In both cases the potential for unintended security and ethical implications does not seem to be accounted for and is the focus for the DigiProPass study.
The premise is that seemingly ‘non-personal’ or ‘product’ data can reveal personal data about users. For example, data from electric vehicles batteries can already reveal some information about the habits and characteristics of drivers.
Digital Product Passports have the potential to capture a new and broad spectrum of data with consequences for digital ID. In the UK, GDPR provides extensive guidance for the collection and storage of personal data, but there is a grey area here regarding the management of ‘product data’.
This project will scope out the potential for unintended consequences of forthcoming Digital Product Passports for digital ID, pinpoint where the most important gaps may lie and begin to investigate promising routes forward in consultation with stakeholders. The long-term aim is to inform adaptive solutions that prioritise privacy and security alongside sustainability, mitigating potential harm whilst working to ensure Digital Product Passports can function for their intended purposes. This short study is only the start of the journey.
We welcome contributions from the IDN community by email through the project web page link at the end of this article. The project participants cover expertise in psychology, behavioural science, engineering, intellectual property, criminology and secure documents.
The potential for inadvertent data disclosure
The implementation route for Digital Product Passports may depend on application. For example, the data required and/or collected will probably be different between an electrical vehicle battery and an item of consumer electronics such as a smartphone. The key issue to be considered here is that the Digital Product Passport may contain variable, in addition to fixed, data.
Even the fixed QR code solution may pose inadvertent data disclosure implications if businesses link that item with a database containing personal information. Taking the smartphone as an example, that link between the individual smartphone and user information has existed for some time. What is of interest for this project is the potential for the inadvertent disclosure of data linked to digital ID.
Consider for example an electrical vehicle battery. For recycling purposes, it could be useful to collect data on the charging / discharging cycles of the component cells, which can either be stored internal to the battery, within the vehicle or indeed on cloud storage. However, this data could inadvertently reveal behavioural data linked to a personal ID or indeed be utilised illicitly in the wrong hands.
The anticipated danger here is that anonymised data can be linked to digital ID by combining it with other datasets. It is this potential for inadvertent profiling of personal information linked to product data that is the focus of this scoping study. The project team will be gathering data by short interviews and if you have a perspective that you feel should be included feel free to contact one of the project team using the link at the end of this article.
Ethical implications
We have all become familiar with the fact that digital technologies evolve over ever shorter cycle times. Business innovations that exploit this can find themselves using data in a way that regulators have either not caught up with or never envisaged. Artificial intelligence is one example currently being discussed in the popular press.
Digital Product Passport initiatives are being driven by regulations on sustainability. Instinct suggests that this is an ethical path but the danger here is that this could facilitate the leakage of personal data.
The Call for Papers is now open for the next Optical & Digital Document Security conference – this would be an interesting topic to debate in Lisbon 2024.
Subscriber content
Read the full article
Full access to ID & Secure Document News articles, newsletters and archives.