The New York Times and others have been running articles on RFID’s proposed role in detection of counterfeit drugs:
Radio labels fight counterfeiting by providing a unique identifier that is
almost impossible to copy. When pharmacists receive delivery, they should
be able to pass a wand over the bottles and, through an online database,
check the history of each.
Any bottles that have been reported missing or previously sold, have an
unusual delivery history or are not recognized by the system will be
flagged as suspicious.
This is the theory; I think RFID tagging as a counterfeit detection scheme is fraught with potential problems.
Firstly, to correct the above, the unique identifier won’t be impossible to copy, it’ll be trivially reproducible… certainly if the cost is going to get driven down to the point where tags are affordable. Simple RFID tags will just be mass-produced passive circuits capable of spitting out a short string of bits when stimulated by a reader.
The magic is all in that second para: one detects a counterfeit product (or, recognizes that the product is questionable) by fetching the supply chain history–the object’s pedigree–associated with the Electronic Product Code (EPC) value it claims to have. If one retrieves that history, and it says, “This bottle was sold in a retail store in Kuala Lumpur yesterday,” then something’s wrong. It could be that the bottle in your hand is a fake, though it could also be real (and a fake one was sold in KL). NB that it could be that any history one retrieves is sparse… only when parties in supply chain read tags and report those events (acquired a case of product, passed it on to the next stage in supply chain, etc.) are those data available to compile a pedigree. (Left unmentioned in the article is the question of just which parties accumulate, retain and dispense this information.)
So, there’s a couple of chinks in the armor already: one could either sell a counterfeit product to a buyer who can’t or won’t check its pedigree, or one could tag a counterfeit product with an invented tag that’ll pass a potentially easy test.
There’s also issues over access to the lookup capability… who should be able to query, on what, and how often? If anyone is permitted to verify any drug, then anyone could easily conduct competitive intelligence on drug manufacturers and their supply-chain partners, e.g., inventing and extrapolating plausible RFID tag numbers, and asking about them. A statistical survey of the competition’s supply chain would provide nice insights into the business. If the tagging as at an aggregate level (i.e., isn’t on end-consumer-bound bottles) one doesn’t run into too many personal privacy issues, but the corporate-level, competitive intelligence issues alone could be a show-stopper.