0

My scenario is like this. I work for a government agency that specialize in the Environment and Natural Resources. We want to make fool-proof functional system (software, hardware, people-ware, policy) that would:

prevent the reuse of a permit issued for transporting wildlife live species.

We have implemented a QR URL Code embedded in all permit to authenticate the validity of the local transport permit on every airports, checkpoints, sea ports in the my country so that black marketing of wildlife species (vulnerable and near-threatened) would be limited and also prevent invasive species from spreading.

An example of scenario would be:

A permit holder was granted a local transport permit to bring ten (10) lovebirds to point A to point B for 10 days. In reality the holder has 100 lovebirds at hand, and was planning to reuse the permit transport all lovebirds 10 pieces. at a time (meaning by batch).

(For as we know its really hard to distinguish healthy lovebirds for they look the same in all angles).

The evaluator will base the validity of the permit depending on the distance, mode of travel (air,sea,land). The system users that tasked to evaluate the wildlife will have the authority set the number days (usually 1 to 3 months upon the issuance of the permit.

There will be inspectors of wildlife on the Airport, Seaport and Trains, but what about the private vehicle. Although there are strategic road checkpoints scattered throughout the country. The road checkpoints isn't as thorough as the airport, seaport, or trains.

If I set the validity too low the client might complain. If I set too high the loop-hole can occur.

Is there any technology, methodology, or policy that is somehow related from what is my dilemma here? e.g. tracking system.

Christophe
  • 74,672
  • 10
  • 115
  • 187
Sam Mamuric
  • 21
  • 2
  • Someone voted to close this as being unclear what you are asking. I'm not actually sure this is unclear. You want to prevent the permit from being reused. – Greg Burghardt Jul 21 '18 at 23:17
  • How will the permits be checked? E.g. if I travel by train the ticket inspector will stamp my ticket with the current date and time. If I'm checked again the inspector will notice the existing stamp and can try to determine whether I'm still on the same journey or whether I'm defrauding the train company. The digital equivalent would be to record the permit ID in a central database upon inspection, and check for permit reuse. – amon Jul 22 '18 at 09:11
  • @amon - They will be thoroughly inspected by presenting the permit issued in the train stations, airports and seaports by using the QR URL Code embedded to the permit the inspector will use a QR Scanner and will be redirected to the permit status to verify if it is certificated or not, but what if he/she is traveling by a private vehicle? – Sam Mamuric Jul 23 '18 at 01:06
  • @GregBurghardt - That is exactly my point. – Sam Mamuric Jul 23 '18 at 01:07
  • "software, hardware, people-ware, policy" - that is too broad. I think you have the base idea down: 1) have QR Codes, unique for each permit (you subcontract for that), 2) Have a server where you can query the status of each permit by that code, 3) a QR scanner software reads the permits and does the query. If you want a run of the mill QR scanner, the code is an URl, and the server is a web server, with some database, that they need to be able to update. Don't forget access control. – Theraot Jul 23 '18 at 02:08
  • Make a prototype, mesure how much storage you need per permit, figure out how long does it take to complete a request on a test enviroment, estimate how much load will have the server (how many requests will it get per day), and with that you can get an estimate of the requirements on the server. Compare licenses and serives, create a budget for deployment. Iterate. Figure out what is the minimun you need to make it work, document it, implement it, test it. Figure out what else you need. Repeat. Learn about web security, OWASP is a good start. – Theraot Jul 23 '18 at 02:10
  • I do not know how big is your country, I do dot know how many people ask for these permits - I do not care, to be honest, I do not know how much money do you have to do this, or how much time. Bigger team? Expensive tools? I do not know if that is viable, or needed. I do not know the laws of your country. Speaking of laws, have a look at what they say about handling personal information. Go pick a project life cycle, start. Bring a narrower question. Yes, I know that administration may want estimates before you have started... shame on them. You have some research to do before that. – Theraot Jul 23 '18 at 02:23
  • I think you really should consider bringing blockchain technology into this. For a change it wouldn't be just for the buzzword but because the tech is actually perfect for this. You could have an immutable record of your permit and when and where it was used. In your example, every time the permit is checked between point A and B you record that on the blockchain, if it is used again 3 days later, at point A again you know there is something fishy. There are several supply chain tracking solutions you may wont to look into, or build you own dApp on one of the chains. – TommyF Jul 23 '18 at 05:57
  • @Theraot - 1) Unique Permit - Done. 2) Test Server - Done 3) QR App - Done4) Access Control - Done – Sam Mamuric Jul 23 '18 at 09:01
  • Is there a central database of the permits? Do the inspectors have the ability to connect with the internet, perhaps intermittently e.g. daily? – JimmyJames Jul 28 '21 at 15:58

1 Answers1

2

Tech is not the solution to everything. This is an example that needs to be addressed through some policy. Tech can only help enforce that policy.

In the context of moving physical goods around, information technology cannot prevent that the goods are moved without a valid permit. What tech can do:

  • create tamper-proof permits with public key cryptography
  • organize information on permits and inspections into a database

That's it. For example, this would allow an inspector to determine whether a permit is valid, and to detect whether a permit was previously seen in another inspection (i.e. whether a permit reuse was detected).

Additionally, it may be possible to use the database to try to suggest where inspections might be most useful, however such “predictive policing” approaches have dubious value and could reinforce bias that could be used by malicious actors to evade inspections.

Of course the only way to be sure is to inspect any transportation that might need a permit. This is usually not possible.

Another approach that might be feasible is bookkeeping of permits. Instead of (or in addition to) auditing the transportation, it might be possible to audit the locations to which the lovebirds are transported. E.g. if there's a permit to transport 10 lovebirds to B, and a permit to transport 6 lovebirds from B to C, there should be 4 lovebirds still at B – or a really good reason why not. This doesn't prevent illegal transports, but makes it more difficult to do them without detection. A central database of permits allows you to more easily calculate the expected number of lovebirds at a location.

Note that the suggestion in the comments of using a blockchain is not going to help here. A blockchain allows multiple distrusting parties to keep immutable records. But this is basically a majority vote: as soon as one participant is able to contribute > 50% of the blockchain capacity they could manipulate the records (though manipulation will be detectable by other participants). For the internal database of some agency, there's only one participant (the agency itself) so a blockchain is pointless.

amon
  • 132,749
  • 27
  • 279
  • 375
  • Thanks for the answer @amon. We conducted a dialogue with the end users of the system to a specific control on the validity of the permit (expressed in days). All of your suggestion are well accounted for and some are already integrated with the system. They have agreed to interview the client about how long would it take to travel the said wildlife. I am grateful for this discussion. That one loop-hole had made me go nuts. At least for now that I will always remind myself that we can't have it all and no system is perfect. – Sam Mamuric Jul 24 '18 at 07:56