Summary

This project arises in response to forthcoming digital product passports (DPPs). DPPs will be digital records for physical products, designed to track how and where products are used as they move through the economy (including electric vehicle batteries and consumer electronics). This is driven by sustainability efforts and the desire to regulate circular economies (sharing, reusing, and recycling products). Passports are being discussed in recent reports and look to become legislated in the EU.

The potential for unintended security and ethical implications does not seem to be accounted for. Seemingly “non-personal” or “product” data can reveal personal data about users (e.g., data from electric vehicles batteries can already reveal some information about the habits and characteristics of drivers). DPPs are likely to capture a new and broad spectrum of data with new consequences for human digital identity.

This project will scope the potential unintended consequences of forthcoming DPPs for human digital identities, pinpoint where the most important gaps may lie, and begin to investigate promising routes forward in consultation with stakeholders. The long-term aim is to inform adaptive solutions that prioritise privacy and security alongside sustainability, mitigating potential harm whilst working to ensure DPPs can function for their intended purposes.

Objectives

From analysis of the available literature relating to DPPs, and interviews with relevant stakeholders and experts, we scope current considerations in relation to:

• novel privacy concerns

• the extent to which existing technologies and legislation are capable of mitigating concerns

• barriers for safe regulation

• incentives for safe regulation

We flag potential risks at this early stage of development in time for proactive solutions to be implemented, identify harms that may be posed to users if these risks are not better understood and mitigated proactively, and propose recommendations for next steps. 

Changes: We had hoped for more involvement from the manufacturing and development side and made invitations through direct connections regarding participation in the study but found a general reluctance to participate in an interview on this topic.

Activities

Literature review: An examination of scholarly works and research articles relevant to the emerging theme of Digital Product Passports.

10x interviews: Two participants were directly involved in the development and manufacture of DPP software or technology, including the founder and CEO of one organisation and project manager of DPP development at another. We also interviewed an expert in sustainability and eco design working on DPPs. Other participants were a professional from the authentication and secure ID community, a policy advisor with relevant responsibilities, two legal experts with dual roles (both directing centres at the tech-legal boundary, and working in academia), and three academics from engineering and/or computer science with specialisation in aspects of data privacy and security.

Outputs

Since the project was proposed, three articles have been published about the project in ID & Secure Document News, a monthly magazine/newsletter targeted to those in the authentication and secure document industry. The audience includes government, law enforcement, suppliers and manufacturers, analysts, and consultants. This was to get the word out about the project, invite participation and/or advice, and disseminate some initial conclusions. Two of the three articles are available as open access (without a subscription to the newsletter):

• Open access article in ID and Secure Document News on Opportunities From the SPRITE+ Network, April 2023.

• Article in ID and Secure Document News on Digital Product Passports – Unintended Consequences for Digital ID?, October 2023.

• Open access article in ID and Secure Document News on Digital Product Passports – the Potential for Unintended Consequences, December 2023.

Presentation on the DigiProPass project from the SPRITE+ Conference, June 2023.

Presentation at the SPRITE+ 2024 Showcase:

Impact

The main contribution of this scoping study is to flag a potential risk in time to enable a proactive solution to be implemented. We have been unable to find evidence that privacy and security are being appropriately prioritised in the development, governance, and planned implementation of digital product passports to date. Of course, this won’t have an impact unless we now use this evidence to increase awareness and inform proactive implementation of appropriate measures.

We have gained the interest of the ICO who are interested in our findings and hoping to include DPPs in their next horizon scanning exercise after engaging with us further. We are finalising the draft report and will look to share this with them.

Future work

According to our research project, one of the barriers to ensuring privacy and security in the DPP system is a lack of concrete understanding about potential risks and boundaries of the technology. The most common suggestions for next steps were future-focused assessments to better understand the potential impacts, including privacy assessments under GDPR, and the use of sandbox exercises and foresight techniques.

The Information Commissioner’s Office (ICO) sandbox initiative was suggested as a helpful programme that would see the novel processing of personal data worked through with in-house experts. The Futures Toolkit (Government Office for Science) was suggested as a useful means to conduct foresight exercises across different stakeholder groups, working backwards from a future point to identify and mitigate foreseeable issues.

The use of these techniques could help to reveal worst-case (and best-case) scenarios along with their likelihood (if the worst-case scenario is phenomenally unlikely, the risk is less). These scenarios could help us to understand the possibility that something could go wrong int he implementation of DPPs, and if completed at an early stage in development, could ensure that safeguards are built into DPPs proactively, rather than reactively. We strongly recommend this as a route forward.

We have gained interest from some interviewees along the way who are keen to engage further with the subject and advise us going forward. However, we do not yet have concrete plans to fund these exercises.