AI and Machine Learning deserve to be on the list of top areas for supply chain in 2018, as they are becoming incredibly prevalent and important for supply chains. But that topic will have to wait for another issue. Here we focus on blockchain, Identity Management, and Corporate Social Responsibility (a timeless subject that has taken on added meaning).
Supply Chain Use Cases for Blockchain
I know we’re all getting inundated with articles about blockchain from every corner. Here I hope to provide a few different perspectives and tidbits that help to make sense of it all. Blockchains can be useful in supply chain use cases with the following characteristics:
- Lack of trust — Wherever there are unknown suppliers, customers, or service providers, blockchains can help entities transact with greater assurance; Where disputes are common and their resolution expensive; Where proof of authenticity and ownership is desired.
- Many parties who need a single version of the truth — Where coordination of multiple parties, processes, and assets is needed.
- Where multiple serial steps of paperwork slow things down — Such as in global trade documentation, supply chain finance, and so forth.
- Where reliable visibility of events across multiple parties has high value — Such as supply chains that need chain-of-custody tracking, provenance, traceability, faster and more reliable recalls, etc.
- Where auditability is important — Highly regulated supply chains; Socially responsible supply chains
- Where fraud and data tampering is a problem — Fraud-prevalent supply chains and information chains
We are seeing many trials, pilots, and applications of blockchain in supply chain. Major use cases include:
- Chain-of-custody tracking, traceability, anticounterfeiting, provenance — IBM/Walmart, Context Labs, Mojix, Chronicled, Microsoft, bext360, Everledger; Often combined with IoT
- Global trade enablement — Workflows, documentation, tendering, port coordination (ocean carriers, drayage), container no-shows, customs clearance, shipment tracking; IBM/Maersk, 300cubits, Wave
- Supply Chain Finance/Trade Finance — IBM, Microsoft/BoA Standby Letter of Credit, Sweetbridge Foundation, Dubai, Natixis/Trafigura
- Spot markets & marketplaces, shared resources — Rating for transportation; Trucks, chassis, containers
- Sustainability, Socially Responsible Supply Chains — Factory audits, Carbon emissions tracking, Fair trade, conflict minerals and diamonds
- Cargo security, anti-theft, personnel background check/verification — IBM, T-mining
- Asset management and tracking
- Contract management, Dispute resolution
- Client ID/KYC (Know Your Customer)
We believe that the hype of 2017 will turn into real and bigger blockchain projects in 2018.
Permissioned Blockchain for Supply Chain
There are raging debates (amongst purists who care) about what should and shouldn’t be called blockchain. The design of the original bitcoin blockchain supports an inherent distrust of central authority. So, the idea of diluting the decentralization of blockchain architectures is anathema to the sensibilities of bitcoin blockchain purists. However, from a practical point of view, there are many different flavors of blockchains with different characteristics being implemented today. It is somewhat academic to argue about what to call them — these different approaches are being experimented with and moving forward regardless. Some terms used to describe these include public, private, permissioned, and consortium blockchains. The precise definitions of these terms are currently up for dispute,1 but the table below shows the characteristics of public vs. permissioned blockchain we have been coalescing on recently at ChainLink.
For most transactions in a supply chain, a permissioned model will be used. For starters, parties cannot be pseudonymous — there is a need for ongoing communications about orders, logistics, quality, acceptance test results, and resolution of issues. Therefore, the identity of the transacting participants needs to be known and verified. Furthermore, the data about orders, prices, transactions, shipments, and so forth needs to be kept private to the parties involved. For competitive and security reasons, these data cannot be made available to the general public.
A scalable consensus algorithm is needed as well. Since participants have been identified and vetted, the heavyweight consensus approach of bitcoin or other public blockchains is not needed. Instead, digital signatures verifying acceptance of data by a few key stakeholder and knowledge-holder participants is sufficient. For example, an RFID reader may indicate receipt of specific items, cases or pallets, this may be confirmed by an ASN from the sender system, and there may be a signoff by the receiving clerk and/or buyer’s QA inspector. That could constitute consensus to write data onto a blockchain about receipt of goods, triggering a smart contract and payment. When the parties are known and strongly identified, consensus may be met with a much smaller number of validating nodes per transaction.
On-Chain vs. Off-Chain Data and Execution
A blockchain may contain smart contracts2 that trigger and execute at key handoffs and decision points throughout the end-to-end supply chain. These can be used to automate key transactions and decisions. However, it is important to understand that storing data and running smart contracts on a blockchain is many orders of magnitude more expensive than using conventional computing resources.3 Therefore, business applications will usually store most of the data and automation off-chain, using the blockchain only where it makes sense. Smart contracts will typically be used to encode mutually-agreed, high-level business rules and transactions, where multiple parties want full visibility and the ability to mutually validate the execution of transactions. Lower-level or ‘behind-the-scenes’ automation and algorithms will be executed off-chain. As we are in the early days of development and deployment of full scale blockchain applications in the supply chain, people are still experimenting and discovering what data and logic belongs on the blockchain vs. off-chain. The picture will become much clearer over time.
Identity Management — Are We on the Verge of a Sea Change?
One would hope the May 2017 Equifax breach would be a wakeup call that it’s about time we change how we manage personal data and identities. History tells us change doesn’t happen so easily or quickly. But, it is not for lack of technology. Identity management technology exists that can obviate the need for passwords or storing personal information in servers all over the place. The FIDO Alliance is promoting the use of more secure technology (based on locally stored private keys) to enable passwordless authentication, as well as easy-to-use two factor authentication. If all sites used these, it could eliminate the need for storing passwords on servers. It is starting to get traction (my bank uses it), but not enough people are aware of it.
This approach has been supported by advances in hardware on two fronts. First, the biometrics on mobile devices (fingerprint readers, iris scan, facial recognition, eye vein, voice recognition, etc.) has become more and more accurate and usable. Figure 2 below shows the extremely low false reject and accept rates achieved by some of these technologies in dedicated systems. Mobile devices have not achieved the same level as dedicated systems, but have seen remarkable improvements; good enough to provide strong authentication, and they just keep getting better. The second development is the inclusion of TEEs (Trusted Execution Environment) on mobile devices that can store private keys very securely on those devices. Together these make possible strong passwordless security, based on possession of the device and the right biometrics.
Federated Identity, Verifiable Claims
There has also been a movement to try and give individuals a single, universal digital identity. It remains to be seen whether this is feasible or even a good idea. Federated Identity has been made to work well within a corporation, giving employees a single identity across all of the company’s applications and infrastructure. As well, social login (a form of Federated ID) is starting to become more widespread. Increasingly sites will let you use your social networking credentials (Facebook, Google, LinkedIn) to login. But where stronger authentication is needed — such as making withdrawals from a bank account or a passport to cross a border — there is no single accepted ID.
The single universal ID debate would take a whole other article, but there has been a lot of progress made in the area of ‘verifiable claims,’ with standards being developed by the W3C Verifiable Claims Working Group. Those will make it easier to express, exchange and verify claims such as “I own this banking account” or “I have such and such degree from this university” or “I am over 18”. This approach uses digital signatures and certificates for an authorized third party (such as the university that you are claiming to have a degree from) to verify the claim instantly over the internet. This will also be based on possession of the private keys for those signed certificates.
Self-Sovereign ID, Classification of Everyday Life
Another movement to keep your eye on is Self-Sovereign Identity and the idea that you should control access to your own personal data. A self-sovereign ID is owned by the individual (not by their employer, or bank, or government). These are being implemented using blockchain technology by organizations such as Sovrin and uPort. The ideals of ownership and control of personal data have been described in the Attribute Economy published by Meeco, who has been advocating an Immutable Me blockchain, a collection of attributes about a person under their control. DIACC (Digital ID & Authentication Council of Canada) is also promoting more personal control over identity.
Finally, the COEL (classification of everyday life) is an OASIS standard, created by Coelition, for recording any type of human behavior and a data format to exchange that information. This foundation will become increasingly important as IoT devices peppered throughout our homes, vehicles, cities, and workplaces records more and more data about us. These devices are becoming increasingly invasive, as described in Trends, Threats and Opportunities. Vigorous efforts and unity of purpose will be required to protect personal privacy.
The Age of Corporate Social Responsibility
In the US, we are witnessing a time where regulations and regulatory resources are being rolled back and curtailed. A whole discussion could be had about the merits and pitfalls of regulation. I believe it is incredibly difficult to craft good regulations — i.e. laws and regulations that actually accomplish the goals they are trying to, that are hard for businesses to game the system, and that are economical to enforce and comply with. So, we end up with regulations that range from fair to horrible. On the other hand, do we really want to go back to life without regulations, where company owners have a free hand to abuse employees severely, where there are no safety standards, where anyone can pollute the environment and not be held responsible, where bribery and corruption are rampant? I don’t think so.
So, with regulations on the wane (for now) as an inhibitor of bad behavior, it is heartening to see business leaders stepping up to the plate to try and create cultures and actions of corporate responsibility. Highly respected business thought leaders have shown how that is good for business, such as Michael Porter and Mark Kramer’s seminal 2006 article Strategy and Society: The Link Between Competitive Advantage and Corporate Social Responsibility. We see increasing participation in transparent reporting initiatives, such as the Global Reporting Initiative (GRI), Carbon Disclosure Project (CDP), Dow Jones Sustainability Indices (DJSI), the Global Real Estate Sustainability Benchmark (GRESB), and the Sustainability Accounting Standards Board (SASB).
We are advocating and rooting for this movement, and hope it continues to gain momentum and strength and that enterprises and supply chains increasingly become the world’s champions for improving the human condition. That may sound idealistic, and of course we have a long way to go, with too many dire situations, but we are encouraged by the tremendous progress we’ve witnessed on these fronts over the last couple of decades. Let’s hope it continues and we all do our best to support it.
Wishing you a healthy, prosperous, and fulfilling 2018!
1 There is currently a lack of broad consensus on precise definitions for these terms (including also the terms ‘private’ and ‘consortium’ blockchains). That is not surprising given the early stage of discovery and experimentation we are at in deploying various flavors of blockchain, beyond cryptocurrencies. We expect that lack of consensus to diminish over the next year or two, as people start to settle on specific definitions. We saw a similar pattern when the term ‘cloud’ first started becoming popular. At first there was a lot of handwaving and no universally accepted definition of what cloud meant. Within a couple of years, reasonably precise definitions coalesced and became widely accepted for specific categories of cloud services, such as IaaS, PaaS, and SaaS. — Return to article text above
2 Smart contracts are logic on a blockchain that can execute automatically when triggered by specific events. The contracts may transfer value (in fiat currency or cryptocurrency) between trading partners. — Return to article text above
3 The cost of storing data and executing smart contracts on a public blockchain like bitcoin can be thousands of times more than what it costs to store and execute the same data and logic on a regular computer, largely due to the highly redundant nature of the execution and storage, but also to the amount of encryption logic being executed. A permissioned supply chain can reduce those costs by orders of magnitude, and eventually may get to within an order of magnitude or so of the cost of running on a single machine. — Return to article text above
4 Note, Figure 1 shows the false reject and accept rates for dedicated biometric systems, not for the rates for a mobile device. Nevertheless, these numbers have been improving on mobile system as well and have become good enough for strong 2-factor authentication. — Return to article text above
To view other articles from this issue of the brief, click here.