
SECURITY ALERT! METRC Retail ID May Leak Operator Addresses

higherorigins Posted on Jan 26, 2026

This is a security alert for anyone who operates under a California cannabis license.

If you or anyone you sell to uses METRC Retail ID, either directly or through third-party software, your operation’s physical address may have been leaked.

METRC Retail ID is a QR-code system recently implemented in California. It allows operators and consumers to scan a METRC-generated QR code associated with a cannabis product, which will take them to an app/webpage with information on that product. 

The security risk comes from the Certificate of Analysis (COA) information linked to the code. The Retail ID provides a direct link to the COA uploaded by the lab that tested the product. These COAs list the street address of the operators who grew/distributed the product. By attaching these unredacted documents to a public QR code that is meant to be put on consumer products, METRC is leaking the locations of legal operators.

This is a serious security and privacy risk because cannabis operations are frequent targets of theft. By doxxing these operators, METRC is serving up a publicly accessible menu of active targets to criminals. Due to economic pressure from overregulation and taxation, the illicit cannabis market in California is much larger and more profitable than the legal market, so criminals have a strong financial incentive to steal cannabis from the inventories of legal operators.

Farms and other operators may not know that they have been exposed, since manufacturers or distributors may choose to create a Retail ID QR code for any product they sell. For example, a distributor may buy wholesale cannabis from a farm, then turn it into a product with a Retail ID code without the farm's knowledge, thereby leaking the farm’s location. Since many upstream cannabis operators have little to no interaction with, or visibility into, what happens to their products after they are transferred, these privacy violations may not be discovered by the victims.

As an example, here is a COA that was publicly accessible by scanning a Retail ID on a product from a dispensary, just like an average consumer would. To access the COA, press "View Lab Report" in the Retail ID interface that pops up after you scan.

Two addresses for two different licenses are revealed, increasing their risk of theft. Anyone could scan the QR code and know exactly where a large amount of market-ready cannabis was being stored. We have redacted this COA for safety.

What you can do: 

  • If you believe your address may have been leaked, consider reviewing and testing your physical onsite security protocols.

  • If you are a retailer, remove all Retail IDs from your inventory and contact the brands and farms affected.

  • If you are a distributor/manufacturer, cease using Retail ID, and contact all buyers and sellers who may have been affected.

  • If you use a third-party METRC integration software, contact their support and ask that they remove Retail ID integration and put pressure on METRC to fix this. (Note: Higher Origins does NOT use Retail ID) Check this list to see who’s integrated. Here are the integrators that METRC openly works with as shown on their Retail ID page:

  • California’s consumer data protection laws may be on your side. METRC is a government contractor and is responsible for user data protection. Contact these State Offices:

  • File a DCC Complaint: https://www.cannabis.ca.gov/resources/file-complaint/

  • Contact the DCC at:

Email: [email protected]

Phone: 1-844-61-CA-DCC (1-844-612-2322)

Mail: P.O. Box 419106, Rancho Cordova, CA 95741-9106

Historically, the DCC has agreed that exposure of non-retail operator addresses was a security risk. In the past, they published operator addresses and even map coordinates in their License Search data, but agreed to redact that data based on complaints. This establishes a precedent that the State is aware of the risk to operators and is willing to take action to mitigate that risk.

Be careful out there and give the guard dog an extra bone.

-The Higher Origins Team
