The CSIRO has duped one of the world's biggest pharmaceutical companies into buying anti-counterfeit technology which could be easily compromised - passing off cheap chemicals it had bought from China as a ''trade secret'' formula.
The Swiss-based multinational Novartis signed up two years ago to use a CSIRO invention it was told would protect its vials of injectible Voltaren from being copied, filled with a placebo and sold by crime syndicates.
I'm sure you'll appreciate the importance of secrecy.
Police and drug companies are battling counterfeiters who are selling fake medicines that have killed hundreds of people. Last year Interpol seized 3.75 million units of fake drugs and arrested 80 people.
DataDot Technology: The joint venture between DataTrace DNA and CSIRO which convinced Novatiris to buy an easily compromised product.
The invention sold to Novartis to protect against such counterfeit attacks - a microscopic chemical powder painted on the neck of its Voltaren ampoules - was being marketed by DataTrace DNA, a joint venture of CSIRO and DataDot Technology, a publicly listed company.
But a Fairfax investigation has established that CSIRO officials and Datadot executives misled Novartis about the technology in order to close the deal, after receiving explicit internal warnings the Novartis code could be easily duplicated.
Now, hundreds of millions of Voltaren ampoules across the world could carry the easily compromised DataTrace product. The injectible version of the drug is not approved for use in Australia.
Driving force behind the deal: DataTrace manager Greg Twemlow. Photo: Supplied
Three months before the deal was signed, the scientist working on the technology, Gerry Swiegers, issued a last caution against proceeding. ''The code which has been offered to Novartis may not be fit for purpose … because the code material is commercially available from a variety of vendors,'' Dr Swiegers wrote to DataTrace in March 2010. ''If there is a serious counterfeiting threat to the Novartis ampoules, then this code risks being quickly and easily cracked in a counterfeiting attack. Serious questions could then be raised, especially if the successful counterfeiting attack resulted in injury or death.''
But the deal went ahead anyway in July 2010. And despite having promised to supply a unique tracer code, DataTrace issued Novartis cheap tracer it had bought in bulk from a Chinese distributor.
The bulk tracer had been earmarked for low-risk applications with no real security concerns. But when DataTrace sold it to Novartis, it said the formula was a trade secret, and Novartis is believed to have been contractually forbidden from trying to identify its make-up.
Asked in general about industry practice, Jeff Conroy, the chief technology officer of Authentix, a rival company, said it was common ''to require either a non-disclosure agreement and/or a non-reverse engineering clause when supplying a security material''. It would be ''very typical'' to not disclose the precise material used in the tracer.
Had Novartis reverse-engineered the tracer potentially in breach of its contract, it would have been able to identify its components and check whether the phosphor formula was available elsewhere. In fact, at least two firms were selling the identical material to hundreds of firms around the world.
Damning internal documents seen by Fairfax show DataTrace and some of the most senior officials at the CSIRO knew that Novartis was being misled in a deal believed to be worth $2.5 million.
On August 7, 2009, Greg Twemlow, the DataTrace manager who engineered the deal with Novartis, emailed CSIRO managers Peter Osvath and Geoff Houston with this subject line: ''Proposed answer to the question, 'is our Tracer code commercially available'.''
''This is how we propose to answer the question if it's posed. We want everyone answering consistently. Answer: The CSIRO will
make your Novartis codes using their Trade Secret methods and I'm sure you'll appreciate the importance of secrecy for Novartis and all of our clients. Having said that there may well be a possibility that aspects of the code could be simulated with commercially available products.''
But it was much more than a possibility. Mr Twemlow himself confirmed this was the case in a ''highly confidential'' paper he prepared for a January 2010 DataTrace meeting attended by CSIRO officials. ''We currently source end-product, ie we deploy the product as purchased by us for our clients,'' it said.
A leaked email list from one of the potential suppliers of the phosphor, a British company called Phosphor Tech, ''indicates that many hundreds of companies could be buying the same materials we use for Tracers''.
''The key question from our clients has generally been, 'Do we make our own Tracers?' Our answer has always been that CSIRO handles this.''
Mr Twemlow himself understood the risks, according to internal company correspondence. ''Greg, when we talked just before Xmas  you indicated that if we used Chinese lamp phosphors in high security applications, then it would be 'only a matter of time' (your words, not mine) before the system would be copied and compromised,'' Dr Swiegers wrote in January 2010.
''The lamp phosphors were meant for bulk applications, not high security ones. This is especially significant in pharmaceutical applications where counterfeit pharmaceuticals could have serious safety implications (life-and-death implications).''
Mr Twemlow said on Wednesday he was bound by confidentiality agreements but that ''it was a detailed and complex proposal to a large company … I was the sales guy.'' He said the final decision on the transaction was taken by others.'' Dr Swiegers, who was retrenched from CSIRO after a bitter falling-out, has since been agitating for reform of the peak scientific body.
Counterfeiting was such a serious commercial and public health risk that Novartis went to extraordinary lengths to ensure DataTrace and CSIRO had security measures in place to prevent the code from being cracked.
In April 2010, Dr Osvath completed a Novartis questionnaire guaranteeing the ''protocols'' CSIRO would employ ''for secure freight logistics … with appropriate security measures''.
The next month he sent an email to Mr Twemlow and others regarding an $8000 quote to create a ''secure lab'' at the organisation's Clayton campus in Melbourne. The money was spent installing a wall and security access readers on the lab doors - features which may have assisted in convincing Novartis that its tracer code could not be compromised.
''I was wondering whether it would also suit DataTrace's purposes, to have signage on the door, identifying the area as a 'DataTrace Lab','' he wrote. ''While it will be used for other purposes … it might be useful for you, and not stretching the reality too far.''
In fact, a team of auditors from Novartis had already visited Australia to check on the company's claims. In August 2009, the team visited CSIRO's Clayton campus and was given a series of presentations by the company, including one by Dr Osvath on ''CSIRO: secure supply and support for DataTrace DNA/Novartis project''.
In July 2010 DataTrace announced a five-year deal with an unnamed pharmaceutical company to the stock exchange.
Just three months after the deal was announced to the market, CSIRO sold its 50 per cent stake of the company, worth $1.3 million, for 8.93 per cent of DataTrace's parent company, DataDot Technology.
Do you know more? email@example.com