Technical Field

The present disclosure relates to a tamper detection system and, in particular, to an attachment device, such as a sticker or tag, which may be attached to a container and may be configured to resist opening of the container. When the container is used to transport an item, such as a purchased consumer good, the tamper detection system can be used to confirm that it has reached its intended destination with the container integrity intact. The tamper detection system may provide an indication of whether or not the system has been tampered with while the item has been sealed in the container to which the attachment device is attached. The attachment device may also be attached directly to the item and resist removal from the item.

Background

Secure transport of items is an increasingly important aspect of modern life, as growing numbers of consumer commodities are transported, often internationally. In many cases, couriers are utilised. Basic tracking information is widely available, but is generally limited to specific milestones, such as indications that an item has been dispatched, is in transit or has been received by a recipient. Such tracking systems generally rely on a barcode of a container such as a package being scanned at various locations, such as when leaving a factory or arriving at a distribution depot. This tracking information is limited and provides no security against tampering. There is thus a need for systems and methods that provide improved tamper-detection, location and reporting functionality when transporting items.

Another issue concerning the secure transport of goods relates to the fact that, as international travel increases, more people purchase items while they are abroad in countries where they do not live. For example, tourists may purchase many items while on holiday in a foreign country. In many cases, the purchasers in these cases pay sales taxes, such as Value Added Tax (VAT). The purchasers are often entitled to a refund of these sales taxes, but the process is often arduous and complex. Customs regulators require proof that the purchased item has been removed from the country of purchase, before sales taxes can be refunded. This requires manual inspection of goods by customs personnel and manual completion of forms by the purchaser (usually one form per shop visited) and manual processing of refund forms by refund agents. There is therefore a need for improved systems and methods for tracking purchased goods during transport.

A further problem relating to the secure transport of goods arises from the fact that existing container integrity indicators provide only limited functionality. For example, existing tamper-detection devices generally rely on visual verification that tampering has occurred, for example that a tamper tag has been cut or otherwise removed or a tamper evident sticker has been removed to leave behind text or sections of the sticker. These existing devices are unreliable, easy to falsify and generally require verification of tampering by an authorized person at the receiving end who must inspect the package to confirm the status of the tamper stickers or tags previously applied. Other systems such as passive RFID security tags also have significant shortcomings, because they do not actively monitor the integrity of the container they are attached to. Rather, such devices only respond upon being challenged by a reader, such as an RFID reader device. This brief interaction between the reader and the tag momentarily powers up the RFID tag’s microprocessor, providing just enough time for the processor to perform its function before powering down again. This is problematic because, as the tags will spend most of their time away from a reader, the tags will spend most of their time in a de-activated state, during which time the integrity of the container and tag is not being monitored. A breach of the container or RFID tag and subsequent replacement or repair of the tag after access to or tampering with the container or item could therefore go undetected.

It would be advantageous to provide systems or methods which address one or more of the above-described problems, in isolation or in combination.

Summary

Aspects and features of the present disclosure are set forth below. The present disclosure provides an improved attachment device for use in securely transporting items and detecting tampering or damage to the attachment device during transit. The present disclosure also provides methods for improved detection and reporting of tampering using the disclosed system. Methods for using geo-location information to determine whether a package containing an item or the item itself has been moved to or removed from a particular location are also provided.

The present disclosure relates generally to a system for detecting tampering with an attachment device. The attachment device is a device which can be attached to a container or item. Before attachment (i.e. when not in use) the attachment device and container/item are separate. Once attached to the container/item, the attachment device may be configured to resist removal from the container/item and/or resist opening of the container. The attachment device may, for example, be a sticker or a tag. The disclosure also relates to methods for securely transporting an item, for example to a known or desired location or within an allocated period of time, using the attachment device.

An item, such as a consumer good, may be placed into a container and the container may be sealed. The attachment device may then be attached to the container and may resist opening of the container. This can be achieved by, for example, placing the attachment device over a seal of the container. For example, the attachment device may be a sticker which is placed over the seal boundary between two portions of a sealed container, such as the lid and body of a box, such that opening the container requires the seal to be broken, and thus requires the attachment device to be broken or removed. Alternatively, the attachment device may be a tag which is wound around part of a container, such as the handles of a bag, such that opening the container requires the attachment device to be broken or removed.

In another arrangement, the attachment device may be attached directly to a purchased item. The attachment device then resists removal from the item in the same way as the attachment device resists removal from the container and resists opening of the container in the above-described arrangement. In such implementations the item may be transported without a container, as is described in relation to Figure 15. The details, functionality and features of the apparatus and methods described in relation to implementations where the attachment device is attached to a container or resists opening of a container apply equally to the implementation where the attachment device is attached directly to an item.

As will be seen in the following, the attachment device being broken, removed or otherwise tampered with causes a detection means, such as a conductive element, to be broken, deformed or otherwise interfered with. This causes a discontinuity which can be detected, saved and reported. The system may thereby comprise mechanisms for detecting, saving and reporting tampering with the attachment device. The indication of tampering can be saved either locally at the system (for example in non-volatile memory at a detection module of the device) or remotely, at a mobile device or a remote server.

Tampering may comprise breaking or removing all or part of the attachment device without authorisation, or before an approved time for doing so, for example in an attempt to open the container, or detach the attachment device from the container or item. Tampering may also comprise damaging the attachment device, for example through neglect or malicious intent.

In accordance with an aspect of the present disclosure, there is provided a system for detecting tampering with an attachment device, the system comprising an attachment device. The attachment device may be suitable for attaching to a container or an item, in other words may be configured to be attachable to a container or an item. The attachment device may be configured to resist removal from a container when attached thereto and/or resist removal from an item when attached thereto and/or resist the opening of a container when attached thereto. The attachment device may be a sticker, a tag or any other device which is operable to resist and/or prevent opening of a container, removal from a container or removal from an item. The container may comprise an envelope, bag, box, suitcase, briefcase, other packaging or any other vessel into which items, such as consumer goods being delivered by a courier or purchased by a shopper at an airport, may be placed.

The system may comprise a detection means for detecting tampering with the attachment device. The detection means may comprise one or more conductive elements such as insulated or uninsulated wire, printed conductive ink or conductive foil and may be configured to carry a current. The detection means may pass at least partly through, or at least partly across a surface of, the attachment device. The detection means may be advantageously contained at least partly within the walls of the attachment device, in order to provide structural rigidity and to conceal the detection means. For example, the detection means may be intermediate two layers of the walls of the attachment device. The detection means may be arranged in a mesh or wave configuration and may be advantageously distributed throughout substantially all areas of the attachment device so that substantially all areas of the attachment device have tamper-detection functionality. Alternatively, the detection means may be distributed throughout or pass at least partly through or at least partly across a surface of: substantially all areas of the attachment device; a majority of the attachment device; or a portion of the attachment device. The detection means may advantageously be provided such that a break and or/deformation in/of the attachment device causes a discontinuity in the detection means. A break may comprise a tear, puncture, intrusion or other damage. A deformation may comprise a bending, denting, impact or other damage.

The discontinuity in the detection means may comprise a break or severing in the detection means, such that the attachment device is secured against tampering such as cutting, heating or tearing. The discontinuity may alternatively comprise a bend or deformation in/of the detection means, such that the attachment device is secured against damage that bends or impacts the attachment device. If current flows through the detection means, the discontinuity in the detection means may comprise and/or cause a change in the current flowing through the detection means. The discontinuity may comprise a change in the resistance of the detection means.

The system may comprise a power source configured to deliver current to the detection means. The power source may be a battery, which may be rechargeable and/or replaceable.

The system may comprise an electronic sensor module configured to monitor the detection means and thereby indirectly monitor the integrity of the attachment device and container.“Monitor” is here to be understood in an active sense, in that the monitoring occurs continuously or regularly after activation of the electronic sensor module, and without any need for power to be provided or a challenge or status request to be sent by a device external to the system. The monitoring may be considered as sensing, and as such the system may be considered to provide active or continuous sensing functionality. By providing this monitoring/sensing functionality, the presently disclosed system is operable to detect and report tampering as soon as it occurs, rather than merely reporting a status when challenged or powered up. This distinguishes the presently disclosed system from existing systems, such as passive RFID tag type systems, which do not monitor the detection means or sense for discontinuities but rather merely report back a status indication when momentarily powered up and challenged by a reader. Problematically, this powering up and status report may be long after the tampering has actually occurred. Known systems of this sort therefore introduce a problematic potential delay between tampering occurring and being reported. Furthermore, as described above, known passive tamper detection devices are also open to tampering and repair or replacement in between readings. Active monitoring of the sort provided by the present disclosure overcomes these problems. The presently disclosed system is therefore more secure than existing tamper detection devices.

The electronic sensor module may comprise a continuity sensor configured to detect a discontinuity in the detection means, the discontinuity being indicative that the attachment device has been tampered with. The electronic sensor module may comprise a single or multi-channel continuity and/or resistance sensor.

It will be apparent that the type of continuity sensor used will be determined by the detection means used. For example, if the detection means is a wire carrying a current, the continuity sensor may be a current or resistance sensor configured to monitor the current flowing through the wire and/or the total resistance of the wire. In alternative implementations other detection means may be used and therefore other continuity sensors may be used. For example, in some implementations the detection means may comprise insulated magnet wire, transformer wire, uninsulated or insulated foil. In such implementations the continuity sensor may detect discontinuities in either the conductivity or the resistance in the conductive element used to create a circuit. To make it more difficult to tamper with the invention, fixed resistance or fixed length wire may be used with the addition of micro resistors in series in the circuit. These may be placed at random positions, ensuring that each tamper detection circuit is unique and has a different resistance figure, making the system more sensitive to tampering. This advantageously also makes it more difficult to hack the system by attempting to bypass or short circuiting the electronic sensor as a change in resistance will be sensed. Alternatively or additionally wire conductor that has a random or varying resistance or length may be used. At initial power up the electronic sensor module will sense and save the overall system resistance value. Once activated the resistance will constantly be sensed by the electronic sensor and can be compared with the initial figure. The resistance reading capability may be sensitive enough such that a sudden increase or decrease in resistance will trigger an alert. This prevents measurement of the system resistance using an electrical multi meter with the aim to short circuit the electronic sensor module with a conductor of similar resistance and therefore bypass the integrity sensing function to allow the attachment device to be removed from the item undetected.

The system may comprise a transmitter, for example a wireless transmitter. The transmitter may be configured to transmit a signal indicative of whether or not the continuity sensor has detected a discontinuity in the detection means. The transmitter may transmit this signal continuously or regularly after activation, and without any need for power to be provided or a challenge or status request to be sent by a device external to the system. The transmitting may therefore be considered to be active, in the same way as the“monitoring” described above in relation to the electronic sensor is active. This again distinguishes the presently disclosed system from known systems, such as RFID tag type systems, which only passively transmit a status report when challenged or queried by a reader. In some implementations, the tamper detection status of the system may be determined and saved, for example in non-volatile memory of the electronic sensor module, and transmitted at a later time.

Optionally, the system may be configured to only communicate with (e.g. transmit signals to or act on signals received from) one or more particular mobile devices, for example mobile devices with which the system is paired (matched or associated). Such mobile devices may be considered“approved” mobile devices. In other words, the transmitter may be configured to only transmit the signal indicative of whether or not the continuity sensor has detected a discontinuity in the detection means to one or more approved mobile devices.

An approved mobile device may be one that was originally paired with the system upon initial start-up or activation of the system, or at some later time. This pairing may be achieved by sharing one or more encrypted keys between the mobile device and the system. For example, an encrypted key may be provided by the mobile device to the detection module (via the transmitter) or vice versa or both (i.e. keys may be exchanged in both directions during pairing). Pairing may then occur if the decrypted encrypted keys match, or satisfy some other pre-defined criteria. The encrypted key(s), and means for decrypting them, may be pre-loaded in memory in the detection module (for example the memory of the sensor module) before activation, for example during assembly of the system. A mobile device which is to be paired with the system may then be given access to corresponding encrypted key(s), or a means of decrypting relevant encrypted key(s), to facilitate the pairing. The system and mobile device may interrogate one another (or the interrogation may be one-way) at regular intervals, or each time communication between them is initiated, in order to determine whether the system and mobile device have been and/or remain paired. Interrogation may involve the transmittal of the same encrypted keys that were used during initial pairing, or it may involve the transmittal of other encrypted keys. Interrogation may thereby verify that a particular mobile device is approved to receive tamper detection information from the system. It will be apparent that this method ensures that only approved devices are able to obtain the tamper detection status of the system, thereby preventing non-authorised parties from obtaining this data and maintaining system security and integrity as the same mobile reader must be used throughout the transaction.

In some arrangements the mobile device may forward the tamper detection information on to a remote server. Optionally, this may only be possible if the mobile device is an approved mobile device.

The transmitter may be configured to transmit a signal indicating that the continuity sensor has detected a discontinuity after a pre-determined period of time has elapsed, irrespective of whether or not the continuity sensor has actually detected a discontinuity. This provides an expiry deadline for the system after which non-tampering can no longer be proved. The inclusion of an expiry deadline improves the security of the system because the power supply of the system may have a limited lifespan. As the power supply reaches the end of its lifespan, functionality may become unpredictable and security of the system may be degraded through sub-optimal tamper-detection resulting from reduced power levels. At some point, tamper-detection functionality may cease altogether, for example if the power supply’s power levels are so low, or run out altogether, that this functionality can no longer be supported. A malicious actor may desire to exploit such potential lapses in security, for example by simply waiting until the power supply of the system expires or reaches such a low level that tampering will no longer be detected and/or reported. Providing a pre-defined deadline for the system prevents such security flaws from being exploited. The existence of a finite expiry time can also have safety advantages, for example if delivery of an item to a particular location is required by a specific deadline, such as in the case of perishable or otherwise sensitive goods. Other advantages, such as commercial advantages, resulting from having a fixed expiry deadline for the system will be apparent.

In some arrangements, the transmitter may be configured to transmit a signal indicating that the continuity sensor has detected a discontinuity when instructed to do so, for example by a remote server and/or a mobile device. Similarly to the functionality just described, this enables a finite expiry deadline for the system to be implemented, after which non-tampering can no longer be proved. However, in this arrangement the expiry deadline is a result of remote instruction rather than a result of a pre-defined time period being set.

The transmitter may be configured to transmit a signal until the continuity sensor detects a discontinuity in the detection means. Alternatively, the transmitter may be configured to not transmit a signal, for a pre-determined amount of time or until reset, responsive to the continuity sensor detecting a discontinuity in the detection means.

In a preferred arrangement, the various elements described above form a circuit. In other words, the tamper detection system comprises an attachment device and a tamper detection circuit, the circuit passing at least partly through or at least partly across a surface of the attachment device. The tamper detection circuit in this arrangement comprises the detection means, the power source, the electronic sensor module and the transmitter. In this arrangement the power source delivers current to all elements of the circuit. As the elements in combination comprise a circuit, tampering or removing any of the elements will break the circuit and cause a discontinuity which can be detected as an indication of tampering. It will be apparent that other elements can be added to this circuit, while some elements, such as the transmitter, may be separate from the circuit.

More particularly, the detection means may advantageously pass around, above and/or below one or more elements or modules of the system, such as the detection module, electronic sensor module and/or the transmitter. The detection means may also or alternatively be provided adjacent to, in contact with and/or be attached to said one or more elements or modules of the system. Such arrangements may ensure that attempted removal of or tampering with these element(s) or module(s) causes a discontinuity in the detection means. The terms“around”,“above” and“below” are to be understood within the reference frame of the attachment device and its constituent parts in their ordinary working orientations and/or positions and are not intended to indicate absolute positions or orientations.

In a preferred implementation, the transmitter may be configured to transmit a first type of signal responsive to the continuity sensor not detecting a discontinuity in the detection means and to transmit a second type of signal responsive to the continuity sensor detecting a discontinuity in the detection means. The transmitter may be advantageously configured to continuously transmit the signal indicative of whether or not the continuity sensor has detected a discontinuity in the detection means. Thus, the transmitter may be configured to continuously transmit either the first type of signal or the second type of signal, such that the status of the detection means (and therefore the tamper-related status of the system as a whole) can be determined at any time by a device receiving the transmitted signals. In other implementations the signals may be transmitted at a pre determined time, for a pre-determined amount of time or upon request from another device.

The transmitted signals may comprise encrypted signals. For example, in implementations comprising first and second types of signals, the first type of signal may comprise a first series of encrypted keys and the second type of signal may comprise a second series of encrypted keys. The use of encrypted keys secures the transmitted signal against tampering or alteration. Advantageously, the string of encrypted keys may be in a pre determined or expected order which matches a database of keys on the remote server. This prevents simple copying of the key or encrypted message and forwarding to a mobile reader, thereby preventing relay fraud whereby a single encrypted message could be read, saved and transmitted to the server to make it appear that continuity is maintained (i.e. that no tampering has occurred) when in reality the system has been compromised.

The encrypted keys to be transmitted may be randomly selected from a pre-determined key registry or generated by an algorithm.

In implementations wherein the first and/or second signal comprises a first and/or second series of encrypted keys, the first and/or second series of encrypted keys may correspond with or match a database of keys. The database of keys may be used to de-encrypt the encrypted series of keys. The database may be used to identify that the first series of encrypted keys indicates that the continuity sensor has not detected a discontinuity in the detection means and/or that the second series of encrypted keys indicates that the continuity sensor has detected a discontinuity in the detection means. The database may be stored locally at a device associated with the system, such as a mobile device. Alternatively, the database may advantageously be stored at a remote device or server, further improving the security of the system by ensuring that decryption and analysis of the transmitted signals is performed at a remote device which may be under the control of a central or trusted authority rather than an individual delivery person or purchaser.

The attachment device may comprise one or more incisions, and the one or more incisions may be configured such that the application of a force to open the container or remove the attachment device from the container breaks the attachment device or causes the attachment device to separate at the one or more incisions and thereby creates a discontinuity in the detection means by creating a tension or shear force in/on the detection means. The incisions may advantageously intersect with the detection means to more effectively transfer the shear forces and/or tension to the detection means.

The incisions may be considered structural weaknesses, weak regions, weak lines, weak points, failure regions, failure lines or failure points in the attachment device. As an example, the one or more incisions may be slits, scores, gouges, notches or cuts in the attachment device. The incisions may be complete cuts which pass all the way through the attachment device. Alternatively, the incisions may be shallower cuts which only partly cut into the attachment device. The incisions may be perforations, and may be a row of perforations, such as a row of holes, slits or recesses. The attachment device breaking at the one or more incisions may comprise the attachment device coming apart, tearing, being severed or being bisected at or along the incisions.

In a first implementation the attachment device is an adhesive label.“Label” will herein be taken to mean a generally planar piece of material that can be attached to the container by means of an adhesive provided on the base of the label, wherein the base of the adhesive label is the surface of the label which is to be in contact with the container. An example of an adhesive label is a sticker. The adhesive label may be placed over a join or seal of the container, such that opening the container breaks the label or requires the label to be removed. Alternatively, the adhesive label may be attached to a surface of an item, as described in reference to Figure 15. Removal of the label would then either require the label to be removed from the item, which would be detected as tampering, or would require the item to be disassembled and the part of the item attached to the label to be separated from the remainder of the item, which would clearly damage the item or render it incomplete. The adhesive label may be partially adhesive, such that it can be peeled off the container or item without breaking the label itself. In such arrangements it is advantageous if a first portion of the detection means is attached to the base of the adhesive label by a first adhesive element and a second portion of the detection means is configured to be attached to the container or item by a second adhesive element such that removal of the adhesive label from the container or item causes a discontinuity in the detection means. In particular, a discontinuity will be created because, upon removal of the label from the container or item, the first portion of the detection means will resist removal from the label and the second portion of the detection means will resist removal from the container or item. This will create a tension between the first and second portions. When this tension reaches a threshold the detection means will break, as the first and second portions come apart. This arrangement is described in more detail in relation to Figures 4a and 4b.

In other arrangements, the adhesive label may be fully adhesive, which is to say that the adherence between the label and the container or item, in use, is strong enough such that removal of the label from the container or item breaks the label. For example, the label may be configured such that, in use, the adhesion of the label to the container or item is greater than the cohesion of the label.

In a particular arrangement, the adhesive label comprises a first portion and a third adhesive element configured to adhere the first portion to the container or item; a second portion and a fourth adhesive element configured to adhere the second portion to the container or item. The adhesive label may further comprise an incision along at least part of the boundary between the first and second portions, where the incision has the same functionality as described above. The adhesion to the container or item provided by the third adhesive element is greater than the adhesion to the container or item provided by the fourth adhesive element such that the application of a force to remove the adhesive label from the container or item breaks the adhesive label at the incision along the at least part of the boundary between the first and second portion and thereby creates a discontinuity in the detection means. This arrangement is described in more detail in relation to Figures 7b and 7c.

As an example, the various adhesive elements are adhesive layers, for example of glue, applied to the base of the sticker.

In a second implementation the attachment device is a tag.“Tag” will herein be taken to mean a piece of material operable to be tied, wound or fastened around something, such as the handles of a container. Alternatively, the tag may be attached (for example tied, wound or fastened around) to an item, as described in reference to Figure 15. Removal of the tag would then either require the tag to be removed from the item, which would be detected as tampering, or would require the item to be disassembled and the part of the item attached to the tag to be separated from the remainder of the item, which would clearly damage the item or render it incomplete.

Examples of tags include luggage tags, fasteners, cable ties, adhesive tags, ID tags and tags incorporated into merchants’ price or barcode tags and the like. Suitable materials for the tags include metal, paper and plastic. The tag can comprise any combination of the features described above, including those described in relation to the first implementation. In general, the tags are single use and must be cut, torn or otherwise dismantled to be removed from the container or item. In other arrangements, however, the tags may be reusable after deactivation by an authorised person.

The tag may comprise a body and a tail portion. The tag may comprise a plurality of panels which can be assembled, optionally by folding the panels, to form the tag body. The tail may be configured to be attached, during the assembly process, to the body of the tag. The tail may be configured to be wound round part or all of the container or item and then connected to the tag body.

The present disclosure further relates generally to a method for detecting tampering with a tamper detection system and for securely transporting an item, optionally in a container attached to the system, for example to an expected or known location and/or recipient. The method may comprise sealing an item a container and attaching an attachment device of the present disclosure to the container. The method may also comprise attaching the attachment device directly to the item. The method may further comprise transmitting, by a transmitter of the system, signals indicative of whether or not tampering with the system has been detected. The transmitted signals may be analysed in order to identify whether or not tampering has been detected. The method may comprise reporting a result such as a“pass” or“fail” result, based on the analysis of the transmitted signals. The method may further comprise determining a location of the system.

In accordance with a further aspect of the present disclosure, there is provided a method for securely transporting an item using a system such as that described in any of the implementations or arrangements of the present disclosure.

In a preferred implementation, the method may comprise transmitting a signal indicative of whether or not the continuity sensor has detected a discontinuity in the detection means. The method may comprise transmitting a first type of signal responsive to a detection means of the system not detecting tampering. The method may comprise transmitting a second type of signal responsive to the detection means detecting tampering. The method may alternatively comprise not transmitting any signal for a pre-determined amount of time responsive to detecting tampering. Alternatively, the method may comprise transmitting a signal until tampering is detected.

The method may comprise sending the signal to a remote device or server. The method may comprise determining, based on the transmitted signal, whether or not the system has detected tampering. The determining may comprise comparing the transmitted signal to data stored in a database.

The method may further comprise reporting, responsive to determining that the system has not detected tampering, a first type of result. The method may comprise reporting, responsive to determining that the system has detected tampering, a second type of result. The first type of result may be a“pass” result and the second type of result may be a“fail” result. The“pass” and“fail” results may comprise the end points of system flows and may cause particular information to be transmitted to a user or owner of the container, item or tamper detection system.

The method may comprise receiving geo-location information indicating a location of the system. The geo-location may be approximate and may be received by another device, such as a mobile device associated with the system. The geo-location information may advantageously be received via any known geo-location technology, such as from a local mobile network (e.g. GSM network) or via GPS. Such mobile network, GPS or similarly provided geo-location information is independently provided and is therefore harder to hack or falsify than geo-location information provided manually by individuals or by companies such as courier services.

The geo-location information may be gathered continuously or at regular intervals in order to provide tracking information for the system. The geo-location may advantageously be combined or reported alongside tamper-related information for the system to provide improved and increased information about the movement and security of a package at various stages during transit or on arrival of the system at a destination. If the system is paired with a single approved mobile device in the manner described above, then any geo-location information reported alongside tamper-related information will be highly reliable because it is coming from an approved device (non-approved devices attempting to send false geo-location information would not be able to simultaneously report tamper- related information, because they would not be able to access this tamper-related information).

The geo-location information indicating the location of the system may be compared to a database of locations to determine whether the system is in an allowable location. An allowable location may comprise a location stored in a list of allowable locations at the database or elsewhere. The geo-information may indicate that the system has been moved into or out of a particular country. The database of locations may comprise a list of countries and/or regions and allowable locations may comprise a subset of the list of countries and/or regions. An allowable location may comprise the system being inside or outside of a particular pre-determined country, region or geographical area.

More than one form of geo-location information for the system may be determined, and one or more of these multiple forms of geo-location can be compared to determine accuracy and veracity of the information. For example, a GPS-based geo-location information may be compared with geo-location determined from mobile network tower locations or triangulation.

The method may comprise reporting, responsive to determining that the system has not detected tampering and receiving geo-location information indicating that the location of the system is an allowable location, a first type of result.

The method may comprise reporting, responsive to determining that the system has detected tampering or receiving geo-location information indicating that the location of the system is an un-allowable location, a second type of result. The geo-location information may be received from a mobile network.

The first type of result may be a“pass” result. The second type of result may be a“fail” result. Reporting of the result may to a user of a mobile device. The reporting may be by a server or the mobile device. The“pass” and“fail” results may comprise the end points of system flows and may cause particular information to be transmitted to a user or owner of the container, item or tamper detection system.

The signal indicative of whether or not the continuity sensor has detected a discontinuity in the detection means may be an encrypted signal. The first type of signal may comprise a first series of encrypted keys. The second type of signal may comprise a second series of encrypted keys. The method may comprise decrypting the series of keys in order to determine whether or not the system has detected tampering. Decryption may be performed by a mobile device associated with the system. Alternatively, decryption may be advantageously performed by a remote device or server, which improves security by ensuring that the decrypted message is harder to falsify or alter.

In accordance with a further aspect of the present disclosure, there is provided a security device comprising an attachment device. The attachment device may be configured to resist removal from an item when attached thereto and/or resist removal from a container when attached thereto and/or resist the opening of a container when attached thereto. The attachment device may comprise a detection means which passes at least partly through, or at least partly across a surface of, the attachment device. The attachment device may comprise a power source configured to deliver current to the detection means. The detection means may be a conductive element such as a wire carrying a current in use. The attachment device may comprise an electronic sensor module configured to monitor the detection means and thereby indirectly monitor the integrity of the attachment device and container or item, the electronic sensor module comprising a continuity and/or resistance sensor configured to detect a discontinuity in the detection means, the discontinuity being indicative that the attachment device has been removed or otherwise tampered with. The attachment device may comprise a transmitter configured to transmit a signal indicative of whether or not the continuity sensor has detected a discontinuity in the detection means.

Accordingly, it will be appreciated that an improved system and method for securely transporting an item are provided. Tampering with and/or damage to the container or attachment device containing or attached to the item can be detected and reported and the location of the system, and thus the container and/or item, can be determined. Security and transparency can be improved by outsourcing generation of the geo-location information and/or decryption of signals relating to detection of tampering to a remote server or device not associated with the system or a person transporting the system.

Brief Description of the Figures

Exemplary arrangements of the disclosure shall now be described with reference to the drawings in which:

Figures 1a and 1b show an example attachment device according to a first implementation wherein the attachment device comprises an adhesive label;

Figure 1c shows an example attachment device according to a second implementation wherein the attachment device comprises a tag;

Figure 2 shows a schematic arrangement of a detection module comprising an electronic sensor module and a transmitter module configured to detect tampering and transmit signals responsive to the detection respectively;

Figures 3a and 3b show a simplified view of a first arrangement of the attachment device of the first implementation comprising a straight incision configured to facilitate the creation of a discontinuity in a detection means when the attachment device is tampered with;

Figures 4a and 4b show a simplified view of a second arrangement of the attachment device of the first implementation wherein adhesive is applied to first and second portions of the detection means to facilitate the creation of a discontinuity in the detection means upon tampering with the attachment device;

Figures 5a and 5b show a simplified view of a third arrangement of the attachment device of the first implementation comprising two shaped incisions configured to facilitate the creation of a discontinuity in a detection means when the attachment device is tampered with;

Fig 6 shows a more complete fourth arrangement of the attachment device of the first implementation comprising a detection means, an electronic sensor circuit and a plurality of incisions of the sort described in relation to Figures 3a, 3b, 5a and 5b;

Figure 7a shows a section of a fifth arrangement of the attachment device of the first implementation comprising a plurality of incisions configured to facilitate the creation of a discontinuity in the detection means when the attachment device is tampered with;

Figures 7b and 7c show sections of a sixth arrangement of the attachment device of the first implementation comprising portions of differing adherence to the container configured to facilitate the creation of a discontinuity in the detection means when the attachment device is tampered with;

Figures 8a-e show a first arrangement of the attachment device of the second implementation at various stages of assembly;

Figure 9 shows an arrangement of the tamper detection means for use with the attachment device of either the first or second implementations;

Figure 10 shows an exploded view of an example arrangement of the tamper detection means of Figure 9, wherein the tamper detection means is intermediate two layers of the walls of the attachment device;

Figure 11 shows a flow diagram depicting a method for detecting and reporting tampering with a system of the present disclosure;

Figure 12 shows a flow diagram of a method for determining and reporting tampering with a system of the present disclosure, comprising a remote device;

Figure 13 shows a flow diagram of a method for determining and reporting tampering with and a location of a system of the present disclosure, comprising a remote device;

Figure 14 shows a flow diagram of a first example method of use of the system of the present disclosure;

Figure 15 shows a flow diagram of a second example method of use of the system of the present disclosure in use; and

Figure 16 shows a schematic arrangement of data being transmitted between the tamper detection system, a mobile device and a remote device such as a server in order to determine: i) whether or not tampering has occurred with the system and ii) whether or not the system is in an allowable geographical location.

Throughout the description and the drawings, like reference numerals refer to like parts.

Detailed Description

The following detailed description describes a number of example implementations of the system to which the present disclosure relates, as well as to a number of example methods and circumstances in which the system may be used.

The basic principles of the disclosed system will be described in relation to Figures 1-2. A first implementation, relating to an adhesive label attachment device will be described in relation to Figures 3-7. A second implementation, relating to a tag attachment device will be described in relation to Figure 8. It will be apparent that the features and considerations described in relation to the first implementation may be applied to and incorporated into the second implementation, even if not explicitly described in relation to the second implementation. Similarly, any features or considerations of the second implementation may be applied to and incorporated into the first implementation, even if not explicitly described in relation to the first implementation. An arrangement of the detection means of the tamper detection system which can be used with the attachment device of either the first or second implementations is described in relation to Figures 9 and 10.

Example methods for using the system will be described in relation to Figures 11-16. It will be apparent that the order in which steps of these methods and implementations occur may change, depending on the requirements or preferences relevant to any particular implementation or situation. Not all of the steps of the described methods need to be followed in all implementations, and in some implementations various described steps may be left out altogether.

In an example arrangement, the system to which the present disclosure relates comprises an attachment device, such as an adhesive label or tag, for attaching to a container, such as a bag, box or packaging, which may be used to transport an item, such as a consumer good purchased at an online store or in an airport shop. It will be apparent that in some circumstances the attachment device may also be attached directly to the consumer good, as described in relation to Figure 15. Example consumer goods include electronic devices, clothing, food and drink, household goods and such like. The system is configured to detect and report tampering with the system, if it occurs. Tampering may generally be considered to be any attempt to damage or remove the attachment device, or to open the container, without authorisation or before the sender, owner or recipient of the container wishes the attachment device to be removed or the container to be opened. Tampering may also be considered to be any attempt to disable the tamper-detection mechanisms of the system. The system may therefore be considered as a tamper-proof system, a tamper-prevention system, a tamper-detection system or a safety system.

It will be apparent that such a system will have many potential uses, for example as an integral part of a secure courier service that may deliver goods to customers. When the attachment device is attached to a container containing an item, the system may be used to prove that an item, such as a purchased good, placed and sealed inside the container, has not been removed from the container during a period of time. This functionality can enable a courier to prove that they have delivered an item honestly and diligently, without attempting to remove, change, damage or otherwise tamper with the item or attachment device. Alternatively, and as will be described in further detail in the following description, a purchaser of a good may place the good in the container, seal the container with the attachment device attached and transport the container, with the good inside, to a new location, for example to a new country. Alternatively, the attachment device may be attached directly to an item, and the item be transported to a new location, for example a new country, as described in relation to Figure 15. The arrival of the system at a new location may be evidenced by geo-location information associated with the system, optionally received by a mobile device such as a smartphone that is in communication with or in proximity to the system. The purchaser can then prove to an authority, such as a customs regulator, that they have removed the purchased good from a particular country, thereby qualifying for a sales tax (e.g. VAT) refund.

Referring to Figures 1a and 1 b, an attachment device 100 configured to resist opening of a container 102 to which it as attached is shown, according to a first and second implementation respectively. As can be seen, the attachment device 100 of the first implementation is an adhesive label. In Figure 1a, the adhesive label is placed over the seal between the lid of a box and a side of the box. The label thereby resists the opening of the lid of the box, and resist removal from the box. In Figure 1b, the adhesive label is placed onto an item, in this case an electronic consumer device. The label thereby resists removal from the item. The attachment device 100 of the second implementation is a tag. In Figure 1c, the tag is tied around the handles of a bag. The tag resists separation of the handles and thereby resists opening of the bag. It will be apparent that these arrangements are merely examples, and that attachment devices 100 of the present disclosure are suitable for resisting opening of any number of different types of container 102. In other arrangements the attachment device 100 may be attached directly to an item. The tamper detection system of the present disclosure utilises a detection means for detecting tampering with the attachment device 100. The detection means in the described implementations comprises a conductive element 104 comprising a wire. Other conductive elements 104 that could be used will be apparent. When in normal operation, a current flows through the conductive element 104. The conductive element 104 is configured to be sufficiently brittle or fragile such that, when tampering occurs, a discontinuity in the conductive element 104 is created which causes the current flowing through the conductive element 104 to change or stop flowing altogether. This discontinuity is detected by a continuity sensor 106, as will be described in relation to Figure 2. Discontinuities may be created if someone breaks the attachment device 100 (for example in order to gain access to or remove the item inside the container 102). Alternatively, a force above a certain threshold applied to the attachment device may break the conductive element 104. Alternatively or in addition, tampering can comprise attempting to remove the attachment device 100.

Different arrangements of the conductive element 104 are possible, as will be described in the following. The different arrangements may suit particular contexts, but all share the same principle of providing a conductive element 104 in which a discontinuity is created when tampering occurs, wherein the discontinuity is detected by continuity sensor 106.

It will be apparent that in some contexts it may be advantageous for the conductive element 104 to be more or less sensitive. In some contexts it will be advantageous for the conductive element 104 to be so sensitive that a discontinuity occurs even before significant structural damage occurs to the attachment device 100. For example, where container 102 is to be used for transporting fragile goods, the tamper detection system may utilise a highly sensitive conductive element 104, such that excessive force or maltreatment of the container 102, to which the attachment device 100 is attached, causes a discontinuity in the conductive element 104. In other contexts, the opposite may be true and a less sensitive or more robust conductive element 104 may be used, optionally in combination with a more robust material for the attachment device 100 itself. Such arrangements may be suitable for carrying larger or less fragile items.

Figure 2 schematically shows a detection module 111 for use in the disclosed system. The detection module 111 houses an electronic sensor module 112 and a wireless transmitter module 120. The conductive element 104 is configured to carry a current during normal operation. The current is generated by current source 114, which in the implementations described herein is a battery. Other current sources will be apparent. In some implementations the attachment device 100 may be reusable and current source 114 may be replaceable.

The detection module 111 (and therefore the electronic sensor module 112 and transmitter module 120) is connected to the conductive element 104 such that the modules 111 , 112, 120 form part of a circuit comprising the conductive element 104 and current source 114. In use, current flows through the electronic sensor module 112 and transmitter module 120 and provides power to the respective components therein. The circuit is here shown schematically as a series circuit for simplicity, but it will be appreciated that the system is configured such that the detection module 111 still receives power even if the conductive element 104 is severed, for example due to tampering. Thus, in reality the circuit is preferably a parallel circuit. Advantageously, conductive element 104 is provided around (for example above and below and/or at either side of) detection module 111 to prevent removal of or tampering with detection module 111 or elements thereof.

Electronic sensor module 112 comprises the continuity sensor 106 described previously, which is configured to monitor the current flowing through the conductive element 104. In the implementations described herein the continuity sensor 106 monitors the absolute value of current flowing through conductive element 104. Other means of monitoring the current will be apparent. For example, the continuity sensor 106 may detect or monitor changes in current, absolute voltage, changes in voltage, absolute resistivity, changes in resistivity or some other parameter, for example temperature. A discontinuity may comprise a change or value beyond a pre-set threshold or tolerance. Furthermore, continuity of the circuit can be measured on more than one channel. In some arrangements, the continuity sensor 106 and/or electronic sensor module 112 can measure several circuits at once if desired or necessary. All implementations and arrangements of the present disclosure may optionally comprise more than one conductive element 104, each providing tamper detection functionality.

In the implementations described herein the electronic sensor module 112 further comprises a processor 115 and memory 116 operable to run a digital key encoding program 118. During operation this program 118 generates a series of encrypted digital keys. When the continuity sensor 106 does not detect any discontinuity (in other words when no tampering has occurred) the key encryption program 118 is configured to generate a first series of encrypted keys, for example“Series A”. If the continuity sensor 106 detects a discontinuity (e.g. as a result of tampering), the key encryption program 118 is configured to generate a second series of encrypted keys, for example“Series B”. Using series of encrypted digital keys is more secure than generating un-encrypted messages indicative of tampering. Encrypted keys must be decrypted, and the ability to decrypt the keys can be limited to devices that are provided with the appropriate decryption means, such as a database of decryption keys or a decryption formula or program. This reduces the ability of malicious hackers to alter or falsify indications of tampering (or lack thereof). In some implementations, however, un-encrypted signals may be used.

The electronic sensor module 112 is in communication with the transmitter module 120. The transmitter module 120 is configured, in use, to transmit the encrypted keys generated by the key encoding program 118. In other words, during normal operation when no tampering is detected, a transmitter 122 of the transmitter module 120 transmits generated Series A keys. If tampering occurs and a discontinuity is detected by the continuity sensor 106, the key encoding program 118 generates Series B keys and therefore the transmitter 122 of the transmitter module 120 begins to transmit generated key Series B.

In the implementations described herein, transmission of the generated series of keys (A or B) is continuous. In other words, the transmitter 122 continuously emits either Series A or B keys, depending on whether or not tampering has been detected. This has the advantage that the status of the system (e.g. the integrity of the attachment device 100) can be monitored continuously and at any time, by receiving the transmitted signal. “Continuous” transmission by the transmitter 122 is herein to be interpreted broadly as meaning simply that the transmitter transmits at regular or irregular intervals over an extended period of time, and the transmitted signals are available to be received by an appropriate device at any time or within a particular time window. The transmitter 122 continuously transmits signals until current source 114 no longer provides power to the transmitter module 120 or until an instruction is received, for example from processor 115 and memory 116, for the transmitter 122 to stop transmitting signals. Alternatively the transmitter may stop transmitting on receipt of an instruction from a mobile device, which may be sent once an approved transaction has been completed. The system can also be configured to stop transmitting after a pre-determined date (for example an expiry date) is reached. In the implementations described herein the encrypted keys are transmitted by the transmitter 122 via a low-energy Bluetooth signal. The transmitted signal may therefore be received by any device within range and operable to receive Bluetooth signals of this type. In the arrangement shown in Figure 2, the transmitted signals are received by a receiver of a Bluetooth enabled mobile device 124, such as a smartphone. It will be apparent that a variety of devices may be used, and signal types other than Bluetooth may be utilised. The transmitter 122 may also act as a receiver when the mobile device 124 sends signals back to the detection module 111. Thus, communication between the detection module 111 and the mobile device 124 can be two-way.

In an alternative implementation, communication between the tamper detection system and the mobile device 124 is in the form of data encoded into Infra Red or visible light signals, such as by modulating the output of a Light Emitting Diode. The encoded light data can in this case be captured by the mobile device 124 using, for example, an optical sensor or camera such as the camera on a smartphone. Software on the mobile device 124 can then convert these light signals into data. Depending on the application, this data may be encrypted or not. In order to save battery power, data transfer by light signals can be initiated by activation of a momentary push button or other switch mounted in a convenient location on the attachment device 100. An advantage of this method of data transfer is that security is improved due to the required proximity of the transmitter and receiver device (i.e. transmitter 122 and mobile device 124). As a result of this proximity, it may be more difficult to intercept the signal remotely.

In the implementations described herein, in order to receive the transmitted signals from the system (via the transmitter 122), the mobile device 124 is paired with the system prior to use. More specifically, once associated or paired with an ID of the system, an application running on the mobile device 124 enables the mobile device 124 to form a communication link with the transmitter 122 of the system and receive the transmitted series of encrypted keys from the transmitter 122. Unpaired or un-associated devices do not receive signals from the system in this implementation. This reduces processing and bandwidth requirements as devices do not receive signals from systems with which they are not paired. In other implementations, however, this restriction may not be used and the transmitter 122 may transmit the signals to any device that is within range.

Various security features may be provided to improve the security of the disclosed system.

A first optional security feature relates to the fact that unauthorized access to the electronic sensor module 112 could potentially lead to manipulation of the software and/or hardware components therein, which could be used by a malicious actor to gain a false un-tampered status, for example by artificially forcing the system to generate and transmit Series A keys. To avoid this, in some arrangements the electronic Sensor module 112 contains one or more physical circuit breakers or fuses that are triggered on detection of a breach of or intrusion into the electronic sensor module 112. This mechanism may act as a physical electrical interruption of the sense or other system circuits that cannot be re-set by the user once triggered. The or each circuit breaker or fuse may be incorporated as part of conductive element 104, for example. Triggering the circuit breaker or fuse may cause the system to permanently generate a signal indicative of tampering. For example, triggering the circuit breaker or fuse may cause the system to permanently generate Series B keys, or to generate no keys at all. One or several strategically located single use or re-settable circuit breakers or fuses can be provided to act as additional security barriers to help prevent against unauthorized tampering.

A second optional security feature relates to temperature detection. As noted above, the electronic sensor module 112 may be configured to sense and monitor the resistance of conductive element 104 and of the system circuitry in general. A higher or lower than normal resistance may be considered a discontinuity, in other words may be considered indicative of possible tampering, and may therefore trigger a breached or tampered state of the system (for example may trigger the generation and transmission of Series B keys).

In one arrangement, a permitted tolerance range above and/or below the normal resistance of the system may be provided. Any exceedance above or below this threshold or threshold range will trigger an alert. However, a potential problem arises due to the fact that changes in ambient temperature over a long circuit length may significantly change the resistance value sensed by the electronic sensor module 112. To allow for this, a temperature sensor may be incorporated into the system, for example as an additional component in the system circuitry shown in Figure 2. At the moment of arming or first activating the system, the processor 115 of the electronic sensor module 112 can log the ambient temperature and corresponding system circuit resistance at that time. As ambient temperature rises or falls, the difference between the original ambient temperature at system activation and actual ambient temperature can be used to compensate or adapt the thresholds used to determine whether or not a discontinuity is present. For example, if the ambient temperature is high relative to the original temperature at system activation, then the resistance threshold taken to be indicative of tampering can be lowered, and vice versa if the ambient temperature is relatively low. This can improve reliability, by preventing a tamper alert being triggered inadvertently when an active system is experiencing higher or lower ambient temperatures that are significant enough to increase or decrease the resistance value of the system circuitry beyond the pre-defined allowable threshold limits.

A first implementation of the attachment device 100 of the system will now be described with reference to Figures 3-7. In this implementation the attachment device 100 is an adhesive label 300 which may be considered a sticker. The sticker 300 is comprised of a planar piece of material, preferably (but not necessarily) commonly commercially available plastics, paper, reinforced or other durable, composite and synthetic materials that are advantageously cheap to source and easy to work with for mass production. Other suitable materials may be used. The sticker 300 is configured to be adhered to or stuck onto the container 102. In particular, a layer of adhesive, for example glue or double-sided tape, is provided on at least part of the sticker’s base. The base of the sticker 300 is the face or side of the sticker 300 intended to face the container 102 during use. In other arrangements the attachment device 100 of the first implementation may be attached directly to an item. The functionality and advantages provided by the attachment device are the same in either case, and so the details, functionality and features described below should be understood to apply equally to the arrangement where the attachment device 100 is attached directly to an item.

Turning to Figure 3a, a simplified view of sticker 300 is shown, attached to a surface of the container 102. While a seal or opening of the container 102 is not shown here, it will be understood that the sticker 300, when placed over such a seal or opening, will resist opening of the container 102. Conductive element 104 is shown here passing across the upper surface of the sticker 300. For simplicity only a segment of conductive element 104 is shown here. In reality, the conductive element 104 forms a circuit with detection module 111 and current source 114, as described above and shown in more detail in Figure 6. The upper surface of the sticker 300 here means the face or side of the sticker facing away from the container 102, in other words the side or face of the sticker that faces in an opposing direction to the base of the sticker 300.

Figure 3a shows an incision 136 over which the conductive element 104 passes. Incision 136 is in this arrangement a pre-stamped cut which severs the sticker 300 along the length of the incision. However, it will be appreciated that in some arrangements and implementations incision 136 may be a partial cut, such as a score or gouge. Incision 136 may also be a perforation or notch. The important point to note is that incision 136 creates a weak region or failure line, along which the sticker 300 will separate when either side of the sticker is lifted by a force, as shown in Figure 3b where the solid arrow represents a lifting force. This may occur, for example, if someone attempts to tamper with the sticker 300 by removing it from container 102. As also shown in Figure 3b, conductive element 104 is fragile enough such that this separation of the sticker 300 creates a shearing force on the conductive element 104 which severs the conductive element 104, creating a discontinuity 138 in the conductive element 104. Thus, it can be seen that incision 136 facilitates the creation of the discontinuity 138 in the conductive element 104 when the sticker 300 is tampered with. In particular, the discontinuity 138 will comprise a change in the current flowing through conductive element 104. This discontinuity 138 is detected by the discontinuity sensor 106 (not shown here) and reported by the transmitter 122 (not shown here) in the manner described above in relation to Figure 2.

While Figure 3 shows the conductive element passing over the surface of the sticker 300 and thus over the incision 136, it will be understood that the conductive element 104 may pass partly or wholly through the sticker 300. An implementation where the conductive element passes wholly through the sticker 300 is described in relation to Figures 9 and 10 below.

Turning now to Figures 4a and 4b, a cross sectional view of part of sticker 300 is shown, showing a different arrangement of the sticker 300 and conductive element 104. Figure 4a shows conductive element 104 adhered to the base of sticker 300 and the surface of container 102, such that conductive element 104 is in between sticker 300 and container 102. Conductive element 104 has at least one first portion 104a and at least one second portion 104b. In Figures 4a and 4b, there is one first portion 104a and two second portions 104b, although this is merely an example. It will be apparent that this arrangement can be used in place of or in addition to the other arrangements described throughout this disclosure. On removal of the sticker 300 from the container 102 this arrangement causes a discontinuity 138 in the conductive element 104, as will now be described.

In this arrangement the first portion 104a of the conductive element 104 is attached to a base of the sticker 300 and the second portions 104b of the conductive element 104 are attached, in use, to the container 102. The first portion 104a of conductive element 104 is adhered to the base of the sticker 300 by a first adhesive element 140a. The second portions 104b of conductive element 104 are each adhered to the container 102 second adhesive elements 140b. Generally the number of first conductive element portions 104a and first adhesive elements 140a is the same. Generally the number of second conductive element portions 104b and second adhesive elements 140b is the same. In Figures 4a and 4b there is one first adhesive element 140a and two second adhesive elements 140b.

As can be seen from Figure 4a, the first 104a and second 104b portions and first 140a and second 140b elements are staggered or stepped such that they alternate. This means that, upon application of a lifting force, first portion 104a of conductive element 104 remains adhered to the base of the sticker 300 while second portions 104b of conductive element 104 remain adhered to the container 102. This is shown in Figure 4b where the solid arrows represent the lifting force. This may occur, for example, if someone attempts to tamper with the sticker 300 by removing it from container 102. Thus, upon tampering with the sticker 300, the conductive element 104 breaks and discontinuities 138 are created. These discontinuities 138 can then be detected by the discontinuity sensor 106 (not shown here) and reported by the transmitter 122 (not shown here) in the manner described above in relation to Figure 2. The pattern of first 104a and second 104b sticker portions and first 140a and second 140b adhesive elements can be random to improve security. In the arrangement shown in Figures 4a and 4b, incisions 136 are made in the conductive element 104 at the boundary between the first portion 104a and the second portions 104b. The incisions 136 aid in the creation of the discontinuities 138 on tampering. These incisions 136 are however not essential.

In some arrangements, it may be simpler to apply adhesive to substantially all areas of the base of the sticker 300. In these arrangements first adhesive element 140a will essentially extend across all of the top of conductive element 104 and second adhesive element 140b will essentially extend across all of the bottom of conductive element 104. In this arrangement, a releasing agent can be applied at release agent areas 142, indicated in Figure 4a. Applying the releasing agent at these areas will facilitate the releasing of the first 104a and second 104b conductive element portions from the sticker 300 and container 102 respectively, and so the same staggering effect will be created, leading to the same creation of discontinuities 138. Examples of suitable releasing agents include oily or non-stick substances such as Teflon or a silicon based grease, oil, paint or spray applied through a mask pattern during mass production.

Turning now to Figures 5a and 5b, a simplified view of another arrangement of sticker 300 is shown, attached to a surface of the container 102. While a seal or opening of the container 102 is not shown here, it will be understood that the sticker 300, when placed over such a seal or opening, will resist opening of the container 102. Conductive element 104 is shown here passing across the upper surface of the sticker 300. For simplicity only a segment of conductive element 104 is shown here. In reality, the conductive element 104 forms a circuit with detection module 111 and current source 114, as described above and shown in more detail in Figure 6.

In the arrangement shown in Figures 5a and 5b, two incisions 136a and 136b are made in the sticker 300. In this arrangement the incisions 136 are shaped incisions rather than straight incisions, however all other features and functions of the incisions 136 are the same as those described in reference to Figures 3a and 3b. As in the arrangement of Figures 3a and 3b, conductive element 104 passes over the incisions 136.

Upon the application of a lifting force, the incisions 136 create weak regions or failure lines, along which the sticker 300 will separate when either end of the sticker is lifted, as shown in Figure 5b where the solid arrows represent a lifting force. This may occur, for example, if someone attempts to tamper with the sticker 300 by removing it from container 102. Sticker portion 300h is adhered to the container 102 sufficiently that it remains in place. As in the case of Figure 3b, conductive element 104 is fragile enough such that this separation of the sticker severs the conductive element 104, creating discontinuities 138 in the conductive element 104. Thus, it can be seen that incisions 136 facilitate the creation of the discontinuity 138 in the conductive element 104 when the sticker 300 is tampered with. These discontinuities 138 can then be detected by the discontinuity sensor 106 (not shown here) and reported by the transmitter 122 (not shown here) in the manner described above in relation to Figure 2.

As can be seen from Figure 5b, incision 136a facilitates the creation of a discontinuity in particular when the sticker 300 is lifted from end 300a, while incision 136b facilitates the creation of a discontinuity in particular when the sicker 300 is lifted from end 300b.

Turning now to Figure 6, a top-down view of an arrangement of the attachment device 100 of the first implementation is shown. As can be seen, incisions 136 are included throughout the sticker 300. Some incisions 136 are straight incisions of the sort described in relation to Figures 3a and 3b. Other incisions 136 are shaped incisions of the sort described in relation to Figures 5a and 5b. The conductive element 104 passes around the sticker and connects to detection module 111 at points 105, forming a circuit. Current source 114, which supplies current to the various elements of the circuit, is not shown here. The sticker 300 of the first implementation may advantageously be provided with a removable backing. The current source 114 can advantageously be activated once the backing has been removed. The activated sticker 300 can then be stuck to the container 102.

The various incisions 136 provide the functionality described above in relation to Figures 3a, 3b, 5a and 5b. Additionally, the edges 300c and corners 300d of the sticker 300 in this arrangement are shaped to further enhance the functioning of the incisions 136. As shown, in this arrangement the edges 300c of the sticker are concave and the corners 300d of the sticker are convex. The apex of the edges 300c meet at a straight incision 136, while each corner quadrant comprises a shaped incision 136. This means that whichever way the sticker 300 is tampered with, the chances of a discontinuity 138 being created are maximised. For example, if an attempt is made to peel the sticker off at the edge 300c, the nearest straight incision 136 will cause the sticker 300 to separate in the manner described in relation to Figures 3a and 3b. Alternatively, if an attempt is made to peel the sticker off at the corners 300d, the nearest shaped incision 136 will cause the sticker to separate in the manner described in relation to Figures 5a and 5b.

While not shown here, some portions of the sticker 300 and conductive element 104 shown in Figure 6 may also comprise the structure and functionality described in relation to Figures 4a and 4b.

Figures 7a-7c show other possible arrangements of the sticker 300, incisions 136 and conductive element 104.

Figure 7a demonstrates different possible positions of the incisions of the first implementation. As can be seen, some incisions 136 travel from the edge of the sticker 300 inwards. Others incisions 136 start and finish within the sticker. The incisions 136 may be at different angles with respect to the edge of the sticker 300. Preferably, and as shown here, all incisions intersect with a part of the discontinuity detection circuit, in this case the conductive element 104. It will be appreciated that any number and shape of incision 136 can be used in this and all other arrangements of the sticker 300 of the present disclosure. The incisions 136 can be in any direction, of any quantity and any size to ensure maximum probability that a discontinuity 138 is created in the conductive element 104 when sticker 300 is tampered with.

Another element of functionality provided by the present disclosure relates to the fact that different portions of the sticker 300 may be adhered to the container 102 by varying amounts. The portions of the sticker 300 that are adhered less strongly to the container 102 will come away more easily than those that are adhered more strongly to the container 102. This can help to create discontinuities when the sticker 300 is tampered with. This functionality will now be described in more detail in relation to Figures 7b and 7c.

Figures 7b and 7c show two arrangements of the first implementation where the sticker 300 has at least one first portion and at least one second portion, where the first and second portions are configured to be adhered to the container by different amounts. Incisions 136 are provided along at least part of the boundaries between the first and second portions.

Turning first to Figure 7b, this arrangement shows a sticker 300 with three first portions 300e and three second portions 300f. The first portions 300e are each adhered to the container 102 (not shown here) by a third adhesive element and the second portions 300f are each adhered to the container 102 by a fourth adhesive element, or are not adhered to the container 102 at all. Incisions 136 are provided along the boundaries between the first and second portions, such that the incisions intersect the conductive element 104 in a similar manner to the previously described arrangements.

The adhesion to the container 102 provided by the third adhesive element is greater than the adhesion to the container provided by the fourth adhesive element. Thus, the first portions 300e are adhered to the container 102 more strongly than the second portions 300f. This means that the application of a force to remove the sticker 300 from the container 102 will cause the sticker 300 to separate at the incision 136 along the sticker portion boundary, and thereby create a discontinuity 138 in the conductive element 104, in the same way as described in relation to previous arrangements. The discontinuity 138 is created, in particular, because, when removal is attempted, the first portions 300e will tend to remain attached to the container 102 while the second portions 300f, because of their lesser adhesion to the container 102, will tend to come away from the container 102. As can be seen from Figure 7b, the sticker 300 in this arrangement also comprises a serrated edge which enhances this functionality by making it more likely that one of the second portions 300f is pulled away when tampering occurs.

Figure 7c shows an arrangement using a similar concept to that of Figure 7b. The sticker 300 here similarly has a first sticker portion 300e and a second sticker portion 300f, adhered to the container 102 (not shown here) by third and fourth adhesive elements respectively. The first portion 300e is adhered to the container 102 more strongly than the second portion 300f, because the adhesion to the container 102 provided by the third adhesive element is greater than the adhesion to the container provided by the fourth adhesive element. An incision 136 is provided along the boundary between the first 300e and second 300f sticker portions. In this arrangement, the boundary is a serrated boundary which crosses the conductive element 104 multiple times.

As in the arrangement of Figure 7b, the application of a force to remove the sticker 300 from the container 102 will cause the sticker 300 to separate at the incision 136 along the sticker portion boundary, and thereby create a discontinuity 138 in the conductive element 104. The discontinuity 138 is created, in particular, because, when removal is attempted, the first portion 300e will tend to remain attached to the container 102 while the second portions 300f, because of its lesser adhesion to the container 102, will tend to come away from the container 102.

Various arrangements of the first implementation of the disclosed system have been described in relation to Figures 3-7. It will be apparent that while each of the arrangements introduced and expanded on different concepts, such as types of incision 136, adhesion and combinations of the two, the concepts described can be combined in any arrangement and combination. Thus, a sticker 300 attachment device 100 according to the present disclosure can comprise any combination of the arrangements, features and functionality described in relation to Figures 3-7.

It will also be apparent that, while the implementations described herein describe the functionality of incisions 136 in relation to an attempt to remove sticker 300, the incisions will also work if a stretching force is applied to this sticker 300. This may occur, for example, if the sticker 300 is placed over the seal of a container 102 and someone subsequently attempts to open the container 102. This will stretch the sticker 300 and separation will occur at incisions 136 in the same way as when removal is attempted. Thus, discontinuities 138 in the conductive element will be created in the usual way. The sticker 300 can therefore detect a wide variety of attempted tampering. A second implementation of the attachment device 100 of the system will now be described with reference to Figure 8. In this implementation the attachment device 100 is a tag 800. A tag may generally be considered to comprise a body 804 and a tail 802, wherein the tail 802 is configured to loop around part of the container, such as the handles of a bag or the eye-holes of two zips, and then re-attach to the body 804. The tag can thereby resist opening of the container, and can thus function as the attachment device 100 of the present system in the same way as described above in relation to Figure 2 and the first implementation. In particular, as in the first implementation, the tag 800 of the second implementation is affixed to a conductive element 104 which forms a tamper detection circuit with the detection module 111 and current source 114. In particular, the conductive element passes at least partly across the surface of and/or at least partly through the tag 800, in the same manner as in the sticker 300 of the first implementation. As in the first implementation, the system of the second implementation is arranged such that tampering with the tag 800 creates a discontinuity 138 in the conductive element 104. Tampering may comprise attempting to remove the tag 800 or attempting to open the container 102. In other arrangements the attachment device 100 of the second implementation may be attached directly to an item. The functionality and advantages provided by the attachment device are the same in either case, and so the details, functionality and features described below should be understood to apply equally to the arrangement where the attachment device 100 is attached directly to an item.

An example arrangement of the tag 800 of the second implementation is shown in Figure 8. In this arrangement the tag 800 is a sticker tag such that the tail 802 of the tag is configured to be wound round part or all of the container 102 and is then stuck to the body 804 of the tag 800. Figures 8a-e show this arrangement at various stages of assembly. It will be apparent that this form of tag is merely an example, and that the tail 802 of the tag 800 can attach to the body 804 in other ways, for example mechanically in a similar way to a standard cable-tie. In an alternative arrangement the tag may be re-useable and employ conductive snap buttons which form part of the tamper detection circuit and break the circuit when opened.

Figure 8a shows a schematic view of the tag 800 in its unassembled, unfolded state. The tag 800 comprises a net of tabs or panels 801 a-d extending out from a central panel 803. Panels 801 a-d can be folded to create the complete tag 800. In its completed state the tag’s body 804 therefore comprises the folded combination of panels 801 a-d and panel 803. Panel 803 houses the current source 114 and detection module 111 (not shown here). This means that activation of the current source 114 can advantageously be performed before assembly of the tag 800.

In this arrangement the tag’s panels 801a-d, 803 and tail 802 are made from commonly commercially available plastics, paper, reinforced or other durable, composite and synthetic materials that are advantageously cheap to source and easy to work with and mass produce, but it will be appreciated that other suitable materials could be used. The tail 802 extends from one panel 801a. As can be seen, in this particular arrangement, conductive element 104 passes through all panels 801 a-d, 803 of the tag’s body 804, as well as the tag’s tail 802.

Incisions 136 are shown cut into panels 801a-d. As in arrangements of the first implementation, both straight and shaped incisions 136 are utilised. These incisions 136 provide the same functionality as was described in relation to the first implementation, namely they facilitate the creation of discontinuities 138 in the conductive element 104 when the tag 800 is tampered with.

Figures 8b-d show how the panels 801 a-d of the tag 800 can be folded to create the finished tag 800. Preferably, adhesive is provided on the back of the tag 800, such that the panels 801 a-d stick together upon folding. The tag 800 may be cut out, for example using a laser or a stamp, from the same material which is used to make the sticker 300 of the first implementation, such that there is already a layer of adhesive on the back of the tag 800 in its unfolded state. This adhesive will then adhere the tag’s panels 801 a-d and tail 802 together upon assembly. The adhesive may also enable the tag body 804 to be stuck to container 102.

Figure 8d shows how the tag’s tail 802 is folded back into the body 804 of the tag towards the end of the folding process. In use, this step would be performed once the tail 802 had been wrapped around part or all of the container 102 (not shown here). Once stuck down, the tag would thus resist opening of the container 102.

The completed tag 800 is shown in Figure 8e, comprising completed tag body 804 and tag tail 802 attached to tag body 804.

Any attempt to remove the tag, for example by cutting the tail 802 or body 804 of the tag 800 will sever the conductive element 104 and thus create a discontinuity 138 which can be detected by continuity sensor 106, as described in detail in relation to Figure 2.

Furthermore, the various incisions 136 included in the tag and shown in Figure 8a mean that the tag 800 is also secured against attempts to pull the tag 800 apart or away from the container 102. In particular, as in the first implementation, any shear forces applied to the tag will cause the tag to separate at the incisions 136. The conductive element 104 is fragile and brittle enough such that a discontinuity 138 will be created as a result.

An incision 136 is also included in the tail 802, as shown in Figure 8c. This incision means that an attempt to pull the tail off the tag 800, for example in order to gain access to the container 102, will cause the tail 802 to break at the incision 136. Thus, again, a discontinuity 138 in conductive element 104 will be created and tampering can be detected. The fact that each of the panels 801 a-d comprises a layer of adhesive on its back means that the various panels 801 a-d and tail 802 are firmly adhered together once folding of the tag 800 is completed. This ensures that a significant amount of force must be applied to the tag 800 to break or disassemble it, which increases the chance of creating discontinuities in the manner described above.

It will be appreciated that the arrangement of the tag 800 shown in Figure 8 is merely one example and that a variety of arrangements will be apparent. In particular, the incisions 136 and areas of adhesion can be arranged in any number and combination and at any position. The method of folding is also completely optional. In some arrangements folding may not be required at all, rather the body 804 and tail 802 of the tag may be pre assembled. In some arrangements the tag 800 may have more than one tail 802. When more than one tail 802 is provided, the tails may be configured to be adhered together. The tag 800 can be any suitable shape.

As was made clear above, the way in which the conductive element 104 is affixed to the attachment device 100 in both the first and second implementations is entirely optional. Figures 3-8 all show the conductive element passing over a surface of the attachment device 100, but the conductive element may pass partly or wholly through the material of the attachment device 100.

An arrangement of the conductive element 104 where the conductive element 104 is arranged inside the walls of the attachment device 100 will now be described in relation to Figures 9 and 10. This arrangement can be used in combination with or instead of the arrangements of the conductive element 104 described in relation to Figures 3-8. The arrangement can be used with both the adhesive label 300 of the first implementation and the tag 800 of the second implementation, and any other attachment devices 100 envisaged. Part, all or none of the conductive element 104 may be arranged in the manner described in relation to Figures 3-8. Part, all or none of the conductive element 104 may be arranged in the manner described below in relation to Figures 9 and 10.

Figure 9 shows an exemplary arrangement of the conductive element 104. The conductive element 104 performs the same function as in the arrangements described above, however in this arrangement the conductive element is configured to be affixed to the attachment device 100 and be contained within the walls 101 of the attachment device 100. Figure 9 shows the conductive element 104 in a mesh configuration, but other arrangements will be apparent such as wave configurations or irregular configurations.

Figure 10 shows the conductive element 104 of this arrangement, where the conductive element 104 is intermediate to (or“sandwiched” between) layers 108, 110 of the walls 101 of the attachment device 100. This arrangement provides rigidity and structural integrity to the attachment device 100 whilst also ensuring that any tearing of the walls 101 of the attachment device 100 will tear the conductive element 104 as well. If the outer layer 110 (or some number of sub-layers making up the outer layer 110) of the attachment device 100 is made from opaque material, such as coloured plastic, this arrangement also ensures that the conductive element 104 is hidden from view. This makes the attachment device 100 more secure, as potential intruders cannot tell that the attachment device 100 is secured with a tamper detection means or where the conductive elements are located.

The conductive element 104 in the arrangement of Figure 10 is preferably arranged in such a way that no large sections of the attachment device’s 100 walls 101 are not adhered to or in contact with a portion of the conductive element 104. In other words, all portions of the attachment device’s 100 walls 101 should in this arrangement be connected to or in close proximity to a portion of the conductive element 104, in order to provide tamper-detection functionality throughout substantially the entire attachment device 100. This can be achieved by arranging the conductive element 104 in a mesh, as shown in Figure 9, and distributing it throughout substantially all areas of the attachment device’s 100 walls 101. This ensures that the conductive element 104 is in contact with or in close proximity to enough of the surface of the walls 101 to ensure that any significant intrusion (e.g. tearing or ripping of the walls 101) results in a discontinuity (e.g. bend or tear) of the conductive element 104. A substantial intrusion in this context generally comprises a tearing or ripping that allows the container 102 to which the attachment device 100 is attached to be opened such that an intruder can access the internal cavity of the container 102 (and therefore the item stored inside the container 102).

In most implementations of this arrangement, the gaps between the overlapping sections of the conductive element 104 are of the order of millimetres, however the distance between portions of the conductive element 104 may be larger or smaller depending on the context in which the attachment device 100 is used.

Various arrangements of the tamper detection system of the present disclosure have been described, in particular with reference to two example implementations of the attachment device 100 of the system. Various arrangements of the features of the system, in particular the conductive element 104 and the features which enable discontinuities 138 to be created in the conductive element 104, have been described. Example methods and uses for the disclosed system will now be described with reference to Figures 11-16.

It will be appreciated that, by using the disclosed system of any of the above-described implementations and arrangements, signals can be transmitted responsive to the status of the system (e.g. the tamper-detection status of the continuity sensor 106 and integrity of the attachment device 100) to a mobile device 124 in the manner described in relation to Figure 2. The transmitted signals can be decrypted and an indication of whether or not the system has detected tampering can be provided. This process is shown in Figure 11.

Turning to Figure 11 , at step 200 the system either detects or does not detect tampering (depending on whether the continuity sensor 106 detects a discontinuity in the conductive element 104 or not). If the system does not detect tampering (i.e. the continuity sensor 106 does not detect a discontinuity 138), the transmitter 122 transmits at step 202 a first type of signal (encrypted key Series A in the implementations described herein) to paired mobile device 124. Once this signal has been interpreted, a first type of result (such as “no tampering detected” or“pass”) is reported by the mobile device, at step 204. The transmitted signal may be configured such that receipt of the signal at the paired mobile device 124 triggers an additional event, such as the completion of a separate transaction such as an electronic payment or execution of a smart contract on a Distributed Ledger or Blockchain. Triggering of this additional event may additionally or alternatively depend on the determined location of the system being a pre-determined approved or allowable location.

If the system detects tampering (i.e. the continuity sensor 106 detects a discontinuity 138), the transmitter 122 transmits at step 206 a second type of signal (encrypted keys Series B in the implementations described herein) to paired mobile device 124. Once this signal has been interpreted, a second type of result (such as“tampering detected” or“fail”) is reported by the mobile device 124, at step 208.

In order for reports (such as those at step 204 and 208) to be provided, the transmitted encrypted keys must be decrypted in order to determine whether or not they are indicative of tamper detection or not (which, in the implementations described herein, involves determining which series, A or B, the encrypted keys belong to). In some implementations, the mobile device 124 may store a database 126 locally, which can be used to decrypt the encrypted keys, or against which the received series of encrypted keys can be compared. The database 126 enables the mobile device 124 to determine whether the received series of keys indicates that the system has detected tampering or not. The mobile device 124 can then provide a status indicator to a user of the mobile device 124 (or to another user, for example by sending the status indicator in a text message or email) showing whether or not the system has detected tampering, as described in relation to Figure 11.

Storing the database 126 locally on the mobile device 124 in this way may however leave the system vulnerable to hacking or manipulation, because the owner of the mobile device 124 may be able to manipulate the database 126 to cause the mobile device 124 to report a false status indicator (for example a“pass” indicator even though the system has detected tampering and transmitted key Series B). Therefore, in the present implementation, the database 126 is not stored locally at the mobile device 124 but is instead stored at a remote server 128. In this implementation, upon receiving the transmitted series of encrypted keys from the transmitter 122 of the system, the mobile device 124 sends the signal on to the remote server 128. The remote server 128 then decrypts the encrypted keys by comparing the signal (i.e. the series of encrypted keys) to a database 126 stored at the remote server 128. The remote server 128 can then independently provide a status indicator indicating whether or not the system has detected tampering. This status indicator may be sent back to the mobile device 124 for presenting to the user, or to an independent authority such as a customs regulator. In this way, the status indicator is produced independently of the courier or person transporting the system, which reduces the ability for that person to alter the status indicator for their own advantage. The system is therefore made more secure and trustworthy. It will be apparent that in some circumstances (for example in small scale/low value operations or where levels of trust are high) this added level of security may not always be necessary, and the database 126 may be stored locally at the mobile device 124 as described previously.

Turning now to Figure 12, Figure 12 shows a flow diagram of a method for using a system according to the present disclosure for secure transport of an item, in particular where a remote server 128 is used to improve security.

At step 900 the system transmits (via transmitter 122) either a first type of signal or a second type of signal, depending on whether or not the system has detected (via conductive element 104 and continuity sensor 106) tampering. At step 902, the signal transmitted by the system is sent to a remote device, such as remote server 128. At step 904, the remote device determines whether or not the system has detected tampering. This determining may comprise decrypting the signal transmitted by the system and/or comparing the signal to data stored in a database 126.

If it is determined at step 904 that tampering has not been detected, a first type of result (e.g.“pass”) is reported at step 906. This may trigger an additional event to occur, as was described above in relation to steps 202 and 204 of Figure 11.

If it is determined at step 904 that tampering has been detected, a second type of result (e.g.“fail”) is reported at step 908.

Figure 13 shows a flow diagram of another method for using a system according to the present disclosure for secure transport of an item, in particular where a remote server 128 is used to improve security.

At step 1000, the system transmits (via transmitter 122) either a first type of signal or a second type of signal, depending on whether or not the system has detected (via conductive element 104 and continuity sensor 106) tampering. At step 1002, geo-location information is received, for example from a mobile network, e.g. a mobile phone network or a GPS signal, indicating the location of the system.

At step 1004, the signal transmitted by the system and the geo-location information indicating the location of the system is sent to a remote device, such as remote server 128. At step 1006, the remote device determines whether or not the system has detected tampering. This determining may comprise comparing the signal transmitted by the system to data stored in a database 126.

If it is determined at step 1006 that tampering has not been detected, the remote device determines at step 1008 whether or not the system is in an allowable location. This determining is on the basis of the geo-location information transmitted at step 1004. An allowable location may comprise being located inside or outside of a particular country, region or area. If it is determined at step 1008 that the system is in an allowable location, a first type of result (e.g.“pass”) is reported at step 1010. This may trigger an additional event to occur, as was described above in relation to steps 202 and 204 of Figure 11.

If it is determined at step 1006 that tampering has been detected or if it is determined at step 1008 that the system is in an un-allowable location, a second type of result (e.g. “fail”) is reported at step 1012.

The methods described in relation to Figures 11-13 are illustrative methods by which the system of the present disclosure can be used to provide more secure transport of items. It will be apparent that the method steps described in relation to Figures 11-13 may be performed by a variety of devices, and the specific devices described herein are not intended to be limiting. For example, the signals transmitted by the system at steps 900 and 1000 and the geo-location information provided at step 1002 respectively may be transmitted to any device operable to receive such signals. In some implementations, the receiving device may be a mobile device such as a smartphone. The sending of the signal to a remote device at steps and 902 and 1004 may also be by any device capable of sending such signals. The sending may be by the same device as initially received the signals from the system, but this need not be the case - in other words, there may be intermediary devices. The step of sending the data to a remote device may be omitted entirely if this added layer of security is deemed to be unnecessary. The determining at steps 904, 1006 and 1008 may be by any device capable of analysing and/or decrypting the signal received from the system. The reporting at steps 906, 908, 1010 and 1012 respectively may similarly be by any device capable of providing such reports.

Now that methods for using the system of the present disclosure have been described at a high level, more specific examples of how the system may be used in various circumstances will be given. These examples are merely intended to illustrate the advantages provided by the disclosed systems and methods, and are therefore not to be read as limiting the scope of the disclosure to the specific implementations and circumstances described therein.

Example 1 : Courier service

In a first example, the system of either the first or second implementation may be used by a courier transporting an item. This example will be described with reference to Figure 14.

The process in this example begins when a purchaser purchases an item, for example at an online marketplace. The item is prepared for dispatch by being placed within container 102. The attachment device 100 is then attached to the sealed container at step 1100. Current source 114 is then activated at step 1102 and power is provided to the tamper detection circuit of the system. As there should be no discontinuities in the conductive element 104 at the beginning of the process, the transmitter 122 begins to transmit encrypted key Series A at this stage.

A mobile device 124, such as a smartphone, is then associated with the system at step 1104. In this example, association is achieved by scanning an ID tag of the attachment device 100 or container 102, for example with a barcode scanner or with the camera of the mobile device 124. In this example, once scanned, association with the attachment device 100 is registered by an application running on the mobile device 124. The application causes the mobile device 124 to send a notification of association to a remote server 128 owned by the courier company. The notification identifies the courier who will be delivering the package. This provides security and accountability. The association between the system, item, purchaser and courier is also stored at remote server 128.

Additional security can be provided by generating a unique ID key, for example by the mobile device 124, upon initial activation and association with a particular tamper detection system. The unique ID key can be transmitted to the electronic processor module 112 and stored in non-volatile memory 116. All future communication of tamper detection data by detection module 111 (via transmitter 112) for that system will then only be permitted to be transmitted to the initial mobile device 124 used to generate the unique ID key.

Yet further security can be provided if, during initial paging and connecting of the mobile device 124 and the system’s detection module 111 via transmitter module 120, the process is timed and this time value is stored by the electronic sensor module 112 in non volatile memory 116 and/or the mobile device 124 and/or at remote server 128. At each subsequent connection between the system and the mobile device 124, the time taken from commencement of the paging and completion of the verification of a connected status is compared to the initial time value. If the actual time taken to connect exceeds the expected time value by more than a certain pre-determined tolerance, no connection and subsequent transfer of data to the mobile device 124 will be permitted to take place. This advantageously may prevent potential hacking by relay fraud.

The package, comprising container 102 with the purchased item inside and attachment device 100 attached thereto, is then transported by the courier to a new location at step 1106. Upon arrival, the courier presents the package to the recipient. The courier also opens the application running on his mobile device 124. As the mobile device 124 is associated with the system, the mobile device 124 receives a signal (either Series A or Series B keys) from the transmitter 122 of the system. This signal represents the most recently received signal from the system and is sent to a remote server 128 at step 1108.

By comparing the received signal to a database 126, the remote server 128 can decrypt at step 1110 the signal to determine which series of encrypted keys (A or B) the system is transmitting. The remote server 128 can therefore determine whether or not the continuity sensor 106 of the system has detected a discontinuity 138, in other words whether the system has detected tampering. The remote server 128 sends an indication at step 1112 to the mobile device 124 either reporting a pass or fail result, depending on whether or not the decrypted signal indicated that a discontinuity 138 had been detected. Assuming the system has not been damaged or tampered with during transit, the remote server 128 will have received Series A keys and therefore sends a pass result to the mobile device 124. The remote server 128 also generates an instruction, relayed by the mobile device 124 to the system, for the system to stop transmitting signals in order to save power and prevent re-use through hacking of the detection module 111.

The received“pass” notification can then be shown to the recipient of the package as evidence that their package has not been tampered with or maltreated during transit. The result may also be logged by the courier service as an indication that the courier who transported the item has safely delivered the package, for example to the desired location.

Furthermore, as the mobile device 124 is associated with the system and has been within range of the Bluetooth signals being transmitted by the transmitter 122 of the system throughout transit, the mobile device 124 has continuously been receiving either Series A or Series B signals from the system during transit. The mobile device 124 has also been continuously receiving geo-location information indicating the location of the system. The received signals (A or B keys) and geo-location information has been continuously being sent to and stored by the remote server 128. The courier or courier service can therefore access the remote server 128 and provide detailed information about the various locations of the system throughout transit. Importantly, assuming no tampering or damage has occurred, the server 128 will have received Series A keys at every stage of the transit of the system. The courier or courier service can therefore provide detailed tracking information comprising evidence that no tampering occurred at any point during transit. It will be apparent that not all implementations will require geo-location or tracking information, and so in some implementations only a single, final tamper-detection status indication is provided.

If the package has been damaged or tampered with at any point during transit, the damage or tampering will have been detected by the conductive element 104 and continuity sensor 106 of the system. The system will therefore have begun to transmit Series B encrypted keys to mobile device 124. Upon receiving this signal from mobile device 124, the remote server 128 will determine that tampering has occurred and will therefore report a fail result to the mobile device 124 and/or courier service. The purchaser may decide to reject the package as a result of this, and the courier service may take action to determine why tampering or damage occurred during transit.

It can therefore be seen that the disclosed system enables more informative and secure transport of a package, for example by a courier service.

A second example will now be given which shows how the disclosed system can be used to determine whether or not the system of the present disclosure still contains a particular item and is in an allowable location. This example will be described with reference to Figure 15.

Example 2: Sales tax (e.q. VAT) refund

In a second example, a purchaser has purchased an item in a country which they are leaving. Upon leaving the country, the purchaser wishes to apply for a VAT refund on the item they purchased. As in the first example, the item is placed inside container 102. The attachment device 100 is then attached to the sealed container at step 1200. Alternatively, the attachment device 100 may be attached directly to the purchased item at step 1200. Current source 114 is then activated at step 1202 and power is provided to the tamper detection circuit of the system, causing the transmitter 122 to begin transmitting Series A keys. The mobile device 124 belonging to the purchaser is associated with the system at step 1204 via an application running on the purchaser’s mobile device 124. The association between the seller, system, item and purchaser is stored at remote server 128.

The purchaser then takes container 102, with the purchased item inside and attachment device 100 attached thereto the item, back to their home country at step 1206. In arrangements where the attachment device 100 is attached directly to the item, the item itself is transported similarly at step 1206. Upon arriving in their home country, the purchaser opens the application running on their mobile device 124. The mobile device 124 receives series of encrypted keys from the transmitter 122 of the system. In this example, the mobile device 124 also receives geo-location information from the local mobile network 134 to determine the mobile device’s 124 location at the time it received the signal from the system. The time and date at which the signal was received from the system and the geo-location was received from the network 134 is verified by a time stamp. As the mobile device 124 is in Bluetooth communication with the system and Bluetooth signals have a range of around 100m, the location of the mobile device 124 will be approximately equal to (or less than approximately 100m away from) the location of the system.

As in the first example, the mobile device 124 sends the most recently received set of encrypted keys to a remote server 128 for comparison with a database 126 at step 1208, in order that the remote server 128 can determine at step 1212 whether or not the system has been tampered with or damaged. The mobile device 124 also sends at step 1210 the geo-location information indicating the system’s (approximate) location. The concurrence of the signal received from the system and the geo-location information can be verified by the time stamp of each. The remote server 128 can therefore compare the geo-location information to a database of approved or allowable locations, in order to determine at step 1214 whether or not the system is in an allowable location. In this context, an allowable location comprises a location outside of the country where the item was originally purchased.

If the purchaser has left the item in the container 102 and not damaged the system, the signal received from the transmitter 122 of the system will comprise Series A keys. Similarly, in arrangements where the attachment device is attached directly to the item, the signal received from the transmitter 122 will comprise Series A keys if no attempt has been made to tamper with the attachment device 100 or remove the attachment device 100 from the item. The remote server 128 will therefore confirm at step 1212 that no tampering has been detected. If the purchaser has also left the country where they purchased the item and taken the system (and therefore the item sealed in container 102 or attached to the attachment device) with them, the remote server 128 will confirm this at step 1214 from the geo-location information. The remote server 128 will then send to the mobile device 124 at step 1216 an instruction to disable the detection module 111 along with a pass notification, because the purchaser has provided evidence that: i) the attachment device 100 has not been tampered with, and so container 102 has not been opened, indicating that the item is still sealed in the container 102 and ii) the container containing the item has been taken out of the country where the item was purchased. In arrangements where the attachment device 100 is attached directly to the item, the remote server 128 will send to the mobile device 124 at step 1216 an instruction to disable the detection module 111 along with a pass notification, because the purchaser has provided evidence that: i) the attachment device 100 has not been tampered with, and so is still attached to the item and ii) the item has been taken out of the country where the item was purchased. The pass result can then be reported both to the purchaser, the seller and the customs agency and a suitable refund or receipt (for example a VAT refund) can be issued. The attachment device 100 can then be removed from the container 102.

In arrangements where the attachment device 100 is attached to the container 102, a fail result will be generated, and therefore no refund will be given, if either: i) the signal received from the system indicates that the attachment device 100 has been tampered with, and therefore that the container 102 may have been opened since the time of purchase or ii) the geo-location information shows that the container has not been taken out of the country where the item was purchased.

In arrangements where the attachment device 100 is attached to the item, a fail result will be generated, and therefore no refund will be given, if either: i) the signal received from the system indicates that the attachment device 100 has been tampered with, and therefore that the attachment device 100 may have been removed from the item since the time of purchase or ii) the geo-location information shows that the item has not been taken out of the country where the item was purchased.

In this example, the transmitter 122 is also configured to transmit the second type of signal (Series B keys) after a pre-determined period of time has elapsed. This advantageously provides a defined expiry date by which the signal transmitted by the system and the geo-location information must be sent to the remote server 128. The defined expiry date can be adjusted as required, for example to comply with export regulations that require items to be removed from the country of purchase within three months in order to qualify for a VAT refund.

The exchange of data of the methods described in relation to Figures 14 and 15 is represented schematically by the arrows in Figure 16.

The system comprising attachment device 100, attached to container 102 or the item (not shown here), transmits (1) signals via transmitter 122 to mobile device 124. The signals comprise encrypted key Series A or B, depending on whether or not the system has detected tampering. The mobile device 124 receives (2) geo-location information from mobile network 134, indicating the location of the mobile device 124 and therefore the approximate location of the system. Mobile device 124 sends (3) the received encrypted key signals and geo-location information to remote server 128. Remote server 128 compares (4) the encrypted key signals to database 126 in order to decrypt the keys and determine whether or not the system has detected tampering. The remote server 128 also determines whether the geo-location information indicates that the system is in an allowable location. The remote server then reports (5) either a pass or fail result accordingly to the mobile device.

While the uses of the disclosed system described in relation to Figures 14 and 15 relate to specific scenarios, the concepts and functionalities described therein are generalisable to any potential scenario or use of the disclosed system.

It will be apparent that the disclosed systems and methods provide a tamper detection system which is able to detect and report without any need for a trusted or authorised receiving party to verify the integrity of the attachment device, item or container upon receipt. This provides a clear advantage over existing tamper detection devices which must be verified by an authorised person (for example visually, which is prone to error, or by using an RFID tag reader, which has disadvantages as described in the Background section of this disclosure.

The term“container” as used herein refers to any object capable of holding or storing a consumer item. Containers thus defined therefore include, but are not limited to, bags, boxes, envelopes, packaging and casings.

The term“mobile device” as used herein refers to any device capable of receiving and/or sending signals of the kind described in the various implementations. Mobile devices thus defined include, but are not limited to, mobile phones (“smart” or otherwise), tablets, portable computers, radio transmitters or any other device capable of sending and receiving wireless signals.

The term “remote device” and“remote server” as used herein refer to any device or plurality of devices operable to receive and analyse signals, such as those transmitted by a system of the present disclosure. Remote devices and remote servers thus defined therefore include, but are not limited to, computers, mobile devices and networks including cloud storage networks.

The terms“adhesion”,“adherence”,“adhesion element” and“adhesive” are used herein to refer to any device, means or substance suitable to stick or adhere the various elements of the system together, for example attachment device 100 to container 102. Thus, adhesives such as glue, adhesive tape (both single and double sided) and any other suitable fastening means or substance are included.

Singular terms“a” and“an” as used herein should not be taken to mean“one and only one”. Rather, they should be taken to mean“at least one” or“one or more” unless stated otherwise.

The word "comprising" and its derivatives including "comprises" and "comprise" include each of the stated features, but does not exclude the inclusion of one or more further features.

The above implementations and exemplary use circumstances have been described by way of example only, and the described implementations are to be considered in all respects only as illustrative and not restrictive. It will be appreciated that variations of the described implementations may be made without departing from the scope of the disclosure. It will also be apparent that there are many variations that have not been described, but that fall within the scope of the appended claims.