#SSI201: Upgrading products with intelligent serial numbers and DIDs

How smart can an object’s identifier be? How can it enable cradle-to-grave traceability and other innovative capabilities?

Carsten Stöcker
Nov 26, 2019


The history of modern retail is also the history of identity systems: tracking and managing global supply chains has brought us intelligent “serial number” systems more advanced and fine-tuned than lay consumers ever realize. After overviewing today’s systems, we delve into some decades-old design problems (leakage, nesting, binding) before turning to how Spherity’s solution for W3C decentralized identifiers (DIDs) and digital twins can be used as the “intelligent serial numbers” of tomorrow, with an eye to the future of retail: product marketing, on-demand manufacturing, and true circular economics. We believe that every thing will soon be “serialized”.

What’s in a name? And what’s in a serial number?

When we introduced identifiers in the #SSI101 series, we divided them into two subcategories: identifiers for unique types of things, and identifiers for specific, individual things: in the terms of Carl Linnaeus’ “taxonomy” for the entire natural world, species and specimen. This analogy actually gets you quite far towards organizing the fractal universe of identifiers, since the distinction can be made throughout all the categories and subcategories of identifiers.

In manufacturing, for example, there are model or part numbers and item numbers. In commerce, global logistics, and other supply chains, there are product codes (often called “SKUs”) for types of product (species) and unique identifiers for individual products (specimen). In this article, we’ll overview some of today’s and tomorrow’s commerce identifiers and how richer identity will terraform commerce and marketing. Along the way, you’ll see how tracking high-tech manufactured goods gets us from the lowly serial number to the space-age digital twin in just a few hops.

In large part, global logistics and commerce worldwide have actually been standardized quite successfully since the 1960s, when today’s product-driven commerce would have seemed outlandish science fiction. The International Standards Organization (ISO), which harmonizes the business processes of manufacturing and commerce worldwide, is something of a household name familiar to most businesspeople, but less widely known is Global Standard One (GS1), a global not-for-profit organization focused more specifically on products themselves, in every field.

GS1 has influenced and harmonized more than any other actor the ways that the identities of species of product get registered uniquely in their global database, and by extension, how batches of individual products (specimen) get tracked around the world through logistics, wholesale and retail systems. The importance of identity in GS1’s work cannot be overstated: they have imposed a still-growing series of data standards on commerce worldwide by harmonizing the theory and practice of product identity.

Think, for example, of the most ubiquitous form of serial number in the world, the “bar codes” printed on almost all commercial packaging on earth. The core technology was patented in 1951 by two American inventors, but barcoding wasn’t put into generalized (and coordinated, nationwide) practice in the US until GS1 convened industry in 1973; a year later, the first barcode was scanned “in the wild” (a packet of bubble gum at a grocery store), and the practice quickly went on to transform commerce worldwide.

One common form of bar code is called a “Stock Keeping Unit” (SKU): these are simple serial numbers assigned to batches, lots, or other units by wholesalers or logistics forwarders. They are quick and easy to assign or read, as their utility and scope are limited to one “siloed” stock-keeping system; SKU labels are often ignored, canceled, or covered over when lots or batches change hands and enter new stock-keeping systems, organized by different numbering systems. Most commercial items do not need to be individually identified, except locally in batches, lots, pallets, containers, and truckloads; these are overwhelmingly formatted as low-complexity, low-security SKUs.

A more ambitious and consequential bar code communicates a product’s GS1-managed Universal Product Code (UPC), a number that is unique worldwide. To register such a unique number to your product, you have to first register your company (or other legal person) to GS1, and then pay GS1 per product. This payment entails both an initial registration fee and subscription fee to keep publishing the corresponding information to manufacturers of commodity hardware and software used in retail worldwide. The vast majority of products sold internationally are registered with GS1.

UPCs are a good example of how most serial numbers have worked for decades: each is a numeric string of fixed length that is parsed into a few shorter pieces to be read and written systematically by software and/or hardware systems. Each UPC contains a company prefix, an item reference number, and a “check digit” that contains no information but helps to verify the validity of the preceding number mathematically. (This last operation requires no internet connection or “callbacks” to registries; it is sometimes called the “Sudoku digit” because its value is determined by running the rest of the string through fixed arithmetic formulas.) Both the company prefixes and the item reference numbers are “serialized” (sequential), meaning that the lower the number, the longer it’s been registered, and if two companies or items are registered one immediately after the other, one will be 1 higher than the other.

Data Leakage and Correlation

Since all UPCs in history are formatted the same way, a savvy consumer can ignore the check digit and parse the rest of the UPC of any product. By holding up two products registered by the same company, that consumer could easily tell which was registered earlier just by comparing the UPCs. This is what’s called data leakage in the context of serial numbers — for better or for worse, anyone who knows about the formatting of UPC serial numbers can deduce information from the numbers themselves.

By definition, serial numbers cannot be “opaque” (i.e., non-leaking) identifiers since the sequence that makes them serial numbers is always leaking some amount of information just by being sequential. Similarly, GS1 UPCs necessarily communicate whether or not two products are made by the same or different companies by the company code at the beginning of the products’ serial numbers. Given the intended purpose, this is entirely appropriate to a universal product code in world commerce; the only corner-case where it might be an issue is if separate brands owned by the same parent company share a company code to cut costs! Binding all product identifiers to corporate identifiers on a finite, stable registry makes sense, if harmonizing world commerce is the goal.
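An added example (not from the original article) of the parsing described above: it validates a UPC-A check digit offline and reports what two codes reveal when read side by side. The sample codes are constructed, and the six-digit company prefix and the sequential item references are assumptions taken from the article's simplified description.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Upc:
    company_prefix: str
    item_reference: str
    check_digit: int


def upc_check_digit(first11: str) -> int:
    """UPC-A check digit: positions 1, 3, 5... are weighted 3, the rest 1."""
    if len(first11) != 11 or not (first11.isascii() and first11.isdigit()):
        raise ValueError("expected 11 ASCII digits")
    odd = sum(int(d) for d in first11[0::2])
    even = sum(int(d) for d in first11[1::2])
    return (10 - (3 * odd + even) % 10) % 10


def parse_upc(code: str, prefix_len: int = 6) -> Upc:
    """Split a 12-digit UPC-A; prefix_len is an assumption (prefix lengths vary)."""
    if len(code) != 12 or not (code.isascii() and code.isdigit()):
        raise ValueError("expected 12 ASCII digits")
    expected = upc_check_digit(code[:11])
    if int(code[11]) != expected:
        raise ValueError(f"check digit mismatch: expected {expected}")
    return Upc(code[:prefix_len], code[prefix_len:11], expected)


def what_leaks(a: str, b: str, prefix_len: int = 6) -> dict:
    """What an observer learns from two codes alone, with no registry lookup."""
    ua, ub = parse_upc(a, prefix_len), parse_upc(b, prefix_len)
    same = ua.company_prefix == ub.company_prefix
    result = {"same_company": same}
    if same:
        # Assumes item references are assigned sequentially, as the article says.
        na, nb = int(ua.item_reference), int(ub.item_reference)
        result["registered_earlier"] = a if na < nb else b
        result["items_registered_between"] = abs(na - nb) - 1
    return result


# Constructed sample codes (not real products).
SAMPLE_A = "012345000171"   # prefix 012345, item 00017
SAMPLE_B = "012345000423"   # prefix 012345, item 00042
SAMPLE_C = "098765000038"   # prefix 098765, item 00003

if __name__ == "__main__":
    print(what_leaks(SAMPLE_B, SAMPLE_A))
    print(what_leaks(SAMPLE_A, SAMPLE_C))
```
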

How those “company code” identifiers relate to real-life companies, and to government registries of legal entities, is a much more complicated matter to be discussed in a future article, but I would like to devote one quick paragraph to the topic here. The registry of UPC company codes published by GS1 may be the closest the world has to a universal registry of commercially-active legal persons, which explains how and why GS1 (and not a United Nations agency or Interpol) is leading the Global Legal Entity Identifier Foundation, which is actively researching integration with nascent decentralized identifier systems. Correlating GS1 company codes to real companies (and on to real companies’ legal entities or subsidiaries, and financial instruments, etc) makes clear how any global, public registry of identifiers like GS1’s UPC registry necessitates complexity and redirection to manage the “correlation risk” of leaking information. Any identity system always has to balance utility against opacity, not just for individuals and companies, but sometimes even for the products themselves.

Nested identities and machine serial numbers

How can product identities leak consequential information about their manufacturing and design history, you might be asking? Not all products are sold to consumers, of course; some products, such as military equipment, are sold to armies and states, often exclusively to one army for their whole life-cycle, and must nevertheless minimize correlation and data leakage.

The classic example used to teach engineers and systems designers to consider correlation risks (and unintended or malicious readers of serial numbers) is the so-called “German tank problem.” To make a long story short, the Allied forces hired mathematicians to make probabilistic guesses about where and when tanks were being manufactured just from the serial numbers they found inside of captured tanks, with disastrous results for the Axis land forces.
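The estimate behind the German tank problem, as an added example that is not part of the original article: the standard estimator m + m/k − 1 applied to a constructed sample of sequential serial numbers, next to the same sample relabelled with keyed-hash identifiers. The sample values, the key and the `opaque_id` helper are assumptions for illustration.

```python
import hashlib
import hmac


def estimate_total(serials):
    """Estimate the total N from k serials observed out of 1..N.

    Uses the minimum-variance unbiased estimator m + m/k - 1,
    where m is the largest serial number seen.
    """
    k = len(serials)
    if k == 0 or len(set(serials)) != k or min(serials) < 1:
        raise ValueError("need distinct positive serial numbers")
    m = max(serials)
    return m + m / k - 1


def opaque_id(key: bytes, serial: int) -> int:
    """Hypothetical mitigation: publish a keyed hash instead of the counter.

    Truncated to 64 bits to keep the demo readable; the counter itself
    stays inside the manufacturer's systems.
    """
    digest = hmac.new(key, str(serial).encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big")


def compare_schemes(observed, key):
    """Run the same estimator over sequential and opaque identifiers."""
    relabelled = [opaque_id(key, s) for s in observed]
    return {
        "sequential": estimate_total(observed),
        "opaque": estimate_total(relabelled),
    }


# Constructed sample: four serial numbers read from recovered items.
OBSERVED = [19, 40, 42, 60]
DEMO_KEY = b"constructed-demo-key"

if __name__ == "__main__":
    result = compare_schemes(OBSERVED, DEMO_KEY)
    print(f"sequential serials suggest about {result['sequential']:.0f} units")
    print(f"opaque identifiers suggest about {result['opaque']:.3e} units")
```

With sequential numbers, four observations already bound the production run; with opaque identifiers the same arithmetic returns a figure unrelated to the true count.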

Tanks, like cars or computers, both of which we’ll address in future 201 articles, are complex design items made up of hundreds of components and subsystems designed in parallel by independent teams of engineers, usually spanning many corporations, countries, and continents. Managing the dependencies and interactions of all these identities and components as they get iterated and upgraded on their own timelines is actually the original use-case that produced the term “digital twin”! Modeling and testing advanced pieces of hardware like tanks, trains, or planes requires granular versioning and specifications to be gathered across subsystems and components: all the parts, from engines to widgets and messaging systems, have their own species histories and specimen variations, for instance, tailoring a given component to different markets (or, in the case of tanks, to different theaters of war).

Intelligent Packaging, Good leakage, and Fast-Moving Consumer Goods (FMCG)

Leaking data isn’t always a bad thing, however — in many contexts, manufacturers might even want serial numbers to be effective and unambiguous in displaying manufacturing information to end-consumers or middlemen along the way. Some serial numbers replace a secret country, company, or factory prefix with letters, and use recognizable abbreviations (USA, JAP, FAC5, etc) rather than opaque, sequential numbers. This allows human-readable (or at least, human-decodable and human-guessable) origin information to facilitate tracking, self-installation, customer service, product recalls, etc. These kinds of deliberately-legible serial numbers are sometimes called “intelligent serial numbers,” because they provide, rather than obfuscate, additional, multi-dimensional information to the holder of the product beyond its uniqueness and authenticity.

Indeed, in today’s rapidly-changing consumer environment, there is increasingly a move to make many products and/or their packaging more “intelligent”, a tendency being pioneered by the purveyors of so-called “fast-moving consumer goods,” a retail category including consumables (food and drink) but also toiletries, personal care products, and non-prescription medicines. There are many use-cases in this category where producers are increasingly demanding supply chain information at point of sale, for many reasons:

  • to prove authenticity of origin or tamperproofing since origin (wine, luxury purse, limited-edition sneakers);
  • to prove compliance with fair-trade, labor standards, or other supply chain conditions (coffee, chocolate);
  • to attest to ecologically sustainable production and processing methods (UTZ-certified foods)
  • to track and trace raw materials such as bio-sourced plastics in supply chains
  • to facilitate safety, expiration, and tracking information or trustworthy returns (non-prescription drugs).

It is growing increasingly common for these kinds of supply chain information to be provided to discriminating end-consumers, propelled by many cultural and economic drivers from cultural shifts to competition from direct-to-consumer to dizzying variety. The kinds of products listed above increasingly display unique and intelligent serial numbers to their intended consumers, or even QR codes, 2D data matrices, or other “deep-link” encodings designed to be easily scannable with a mobile phone camera.

If this information was accurately registered at the origins and manufacturing gateways of the product, and linked to serial numbers or other tracking bound reliably to the actual product, then this information resides in a “digital twin” for the product, and that intelligent serial number is the identity token making that information accessible to anyone holding it. And if an online portal returns information about the origins, transformations, and routes taken by that product to anyone who queries it using that token, then these products can rightly be called intelligent! They are paving the way towards a smarter, more data-rich form of future retail, where verified information about products can be queried by an empowered consumer.

The smartest serial number: a DID cyber-physically linked to a product

Digital twins and smart identifiers aren’t science fiction; they are Spherity’s bread and butter. The smartest serial numbers, we feel, are decentralized identifiers (“DIDs”) registered according to the World Wide Web Consortium’s open standards (W3C), our implementation of which is outlined in our #SSI101 series. These can be configured to “leak” or partially disclose different subsets of the digital twin’s data to different parties, or even made more or less discreet over time, even years after a product is sold and discontinued. DID-powered intelligent serial numbers can be smart in that they are:

  • persistent (in layman’s terms, permanent): they never need to change over the life-cycle of an object
  • resolvable (in layman’s terms, findable): a “service endpoint” URL can be used to find and interact with the credential store of the object’s digital twin
  • cryptographically verifiable (in layman’s terms, independently reliable): any given supply chain actor can prove ownership and present life-cycle credentials to anyone else using cryptography, with no need to “phone home”.

Of course, these properties of DIDs don’t transfer to the products they track until you can ensure a secure “cyber-physical link” between the object and the DID, ensuring bad actors, counterfeiters, or contrabandists don’t sell a fraudulent product with a stolen or misdirected DID. This cyber-physical link can be established with the following recipe:

  1. An Original Equipment Manufacturer (“OEM”) creates a DID for a manufactured product (or a batch), as soon as a manufacturing order is triggered, such that the entire life-cycle story of the object can be accessed via the digital twin before any manufacturing begins.
  2. All along the production process, the OEM and/or its contractors and subcontractors issue source and process credentials about the manufacturing of the future product (the “subject” of that DID) that get stored in the digital twin.
  3. Along the supply chain, these credentials can be verified by any (permissioned) supply chain actor, such as a subcontractor who finds this more efficient than asking counterparties up- or down-stream, a customs inspector, etc.
  4. The OEM either tags the manufactured product with the DID or with a “credential offer” (a link directly to a public verified credential) so that any given supply chain actor holding the physical object can use the tag to resolve the link and start interacting with the digital twin.
  5. The OEM might decide to use a physical unclonable function (PUF) or other “trust anchor” to establish a “proof of uniqueness” and thus protect the manufactured object against counterfeiting or unauthorized sale. The OEM can either encode the DID in the PUF (e.g. secure QR code, laser engraving), embed a secure element into the product, or create a verifiable credential in the digital twin linking the product’s PUF identifier to its DID.
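One way a supply chain actor could check the cyber-physical link from steps 4 and 5, as an added example rather than Spherity's implementation. The `pufId` field, the `TWINS` lookup standing in for DID resolution, and all sample values are hypothetical, and HMAC-SHA256 stands in for the issuer's public-key signature because Python's standard library has none.

```python
import hashlib
import hmac
import json


def _payload(body: dict) -> bytes:
    # Canonical JSON so issuer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_binding_credential(issuer_did, product_did, puf_id, key):
    """OEM side (step 5): credential linking the product's PUF identifier to its DID."""
    body = {"issuer": issuer_did,
            "credentialSubject": {"id": product_did, "pufId": puf_id}}
    proof = hmac.new(key, _payload(body), hashlib.sha256).hexdigest()
    return {**body, "proof": proof}


def verify_object(tag_did, measured_puf, twins, key, trusted_issuers):
    """Holder side: does the object in hand belong to the DID on its tag?

    Returns (ok, reason). With a real signature the verifier would hold
    only the issuer's public key, not a shared secret as in this stand-in.
    """
    credential = twins.get(tag_did)
    if credential is None:
        return False, "DID does not resolve to a digital twin"
    body = {k: v for k, v in credential.items() if k != "proof"}
    expected = hmac.new(key, _payload(body), hashlib.sha256).hexdigest()
    supplied = str(credential.get("proof", ""))
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "credential proof is invalid"
    if body["issuer"] not in trusted_issuers:
        return False, "issuer is not trusted"
    subject = body["credentialSubject"]
    if subject["id"] != tag_did:
        return False, "credential is about a different DID"
    if not hmac.compare_digest(subject["pufId"].encode(), measured_puf.encode()):
        return False, "PUF reading does not match the credential"
    return True, "object matches its digital twin"


# Constructed sample data; did:example is the W3C placeholder DID method.
ISSUER_KEY = b"constructed-demo-key"
OEM = "did:example:oem"
PRODUCT = "did:example:product-0001"
GENUINE_PUF = "puf-7f3a9c"      # reading from the genuine object
OTHER_PUF = "puf-000000"        # reading from an object carrying a copied tag
TWINS = {PRODUCT: issue_binding_credential(OEM, PRODUCT, GENUINE_PUF, ISSUER_KEY)}

if __name__ == "__main__":
    for reading in (GENUINE_PUF, OTHER_PUF):
        print(reading, verify_object(PRODUCT, reading, TWINS, ISSUER_KEY, {OEM}))
```

A copied tag fails at the PUF comparison, and a credential edited to carry the copy's PUF identifier fails at the proof check.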

Spherity’s DID-powered digital twins enable you to set up intelligent serial numbers with your identity SaaS solution, which integrates with existing ERP and tracking systems via easy to use APIs that can populate a product’s digital twin with relevant credentials at gateway points in its production and sales channels.

Retail futures: object marketing, products-on-demand, and post-product circularity

Empowering end-consumers with access to (and verification of) the history of the specific product they’re holding (say, a bag of coffee) is just one way in which digital twins will change the nature of retail. The digital twins of today are mostly centralized, meaning they are used only in sectors where the global brand selling the data-rich object has deep access into the manufacturing process and can bind the twin to a unique identifier at all points of origin and transformation within its organizational boundaries. But as we have seen throughout the 101 and 201 series, a decentralized identifier can do everything a centrally-administered one can, and at least one or two more things as well. Decentralized identifiers make possible even more powerful forms of product tracking and data-sharing between manufacturers and end-consumers.

Object marketing traditionally refers to the marketing channel opened up between brand and consumer once the consumer has already bought and owned the product. Up until now, this term has applied to warranty information or “post-purchase registration,” but because of the weak consent signals (and the low quality of engagement), this has not been a driving factor in the marketing strategies of many major OEMs or consumer brands. But as Spherity has been arguing for years now, SSI enables a higher-trust, higher-quality opt-in for manufacturer-consumer communications, as well as a simple, un-siloed way for digital twins to persist long after the sale of the product. This would enable a more trust-inspiring and GDPR-compliant way for consumers to opt in to higher-value communications with a manufacturer about a product, but it also enables a manufacturer to push updated maintenance, end-of-life, recycling, or recall information to the digital twins of an entire batch or product, years after the last one has been sold, or re-sold. It allows a refurbisher to access verified information or establish secure communications with a manufacturer around the world.

On-demand manufacturing (aka “Batch size: one” manufacturing) is the final frontier in “direct to consumer” products, and SSI-powered digital twins enable a form of “object marketing” even without a physical object existing! If, for example, a manufacturer were to sell a licensed product which can be made in any 3-D printer, they could simply sell the intelligent serial number (and the digital twin it controls of a not-yet-printed object!) to a buyer, in the way that software licenses are increasingly being sold today to be downloaded or cloud-accessed later. This buyer could then download the relevant 3-D printer files contained in the digital twin and send them to a local printer, who would then add to the digital twin by providing manufacturing information about the materials used, diagnostics, and relevant personnel data or licenses, in the case of regulated products. We could call this “digital-first object marketing,” since the sale and the valuable, trust-rich relationship to the manufacturer that designed the product would predate the physical product.

Post-Production Circularity refers to the future economic state in which circularity or global-scale/altruistic efficiency will necessarily be a higher priority in the planning, making, selling, and using of products than maximizing profits by dodging or socializing raw-material costs and end-of-life costs. Increasingly, cars, computer hardware, carbon-intensive services like air-travel, and anything with high-performance batteries or motors are being regulated in this direction, forcing manufacturers to pass costs for disposal or recycling of certain materials onto end-consumers rather than onto government or the commons. Many ecologists and physicists (including myself working as a physicist at Spherity) think this tendency will continue as all raw materials, and manufacturing itself, grow more expensive in the coming decades. To better account for the pre-production costs of gathering finite raw materials, and the post-product life of recycling or disposal, digital twins need to predate and outlive their products, so that information about materials and production methods would be persistently available to recyclers, re-furbishers, and disposal specialists. In this way, digital twins can not only predate their physical forms if manufactured on demand, they need to outlive their physical forms to ensure they can always be safely recycled or disposed of on demand as well.

All three of these future topics will be covered in detail in future articles; stay tuned and subscribe to our newsletter and our Medium feed to be updated as they are published.

The shift from tracking to twinning is already underway

The cultural and process shift from serial numbers being tracked through databases to digital twins that change hands when their physical twins do might sound distant or esoteric, but it is actually quite simple, and within your reach.

Our cloud-edge infrastructure is up and running today, with a test-bed that allows designers and businesses to experiment hands-on with the technology to spur their imaginations of new processes and products. Companies can quickly build agile prototypes and co-develop their propositions with Spherity, starting today.

Reach out!

