In September, blockchain trended in cycling news stories as storied Italian bike brand Colnago announced it was partnering with a digital security company called MyLime to outfit its frames with encrypted security features to deter theft and counterfeiting. It’s either an idea that could revolutionise bicycle security or the most overwrought bike-marketing pitch since Bontrager claimed its WaveCel-equipped helmets were “the most important tech” in cycling in 30 years.

The idea is reasonably simple: starting in 2022, Colnago bikes will feature a frame-mounted radio-frequency identification (RFID) chip. That chip—or tag, as MyLime calls it—is essentially a digital ID which, when scanned by an RFID scanner, links to a blockchain database that stores the production and ownership information on each bike. Since blockchain transactions can’t be erased, that would theoretically discourage both theft and counterfeit production, both of which are huge problems in cycling, impacting luxury brands most.

RFID is already used in some industries, such as health care and pharmaceuticals, to combat those very issues, although adoption has been sporadic. Blockchain has been slower to take hold. High-end road, mountain, and, of course, e-bikes could potentially benefit from both.

“We’ve been looking at the security provided by blockchain technology to give our customers the confidence to know that the frame they are buying is authentic and to demonstrate the chain of ownership forever,” Colnago’s Manolo Bertocchi said in the press release.

While a few outlets covered the Colnago-MyLime announcement, they generally repackaged the press release without scrutiny, and the news mostly vanished without comment. When Bicycling dug a bit deeper into the story, we found that there are more questions than answers. The partnership could be the start of an innovative approach to combatting bike theft and counterfeiting, but the Internet of Things, as it’s called, is not always well thought-out. Colnago and MyLime have a number of challenges to solve to avoid that fate.

Let’s start with the RFID tag, which is essentially a digital serial number and purchase registry in one. When you scan the tag with an RFID scanner, you can access the blockchain database to learn whether it’s a real Colnago, and who is the rightful owner.

RFID itself is vulnerable; some tags can be hacked, overwritten, or even copied, a process called RFID cloning. That raises the possibility a thief could digitally transfer ownership of the bike. But that’s where the blockchain comes in, right? Even if the tag is compromised somehow, the bike’s authenticity and ownership is still coded in the blockchain, where it can’t be overwritten. Sort of.

What is blockchain, actually?

A blockchain, at heart, is basically a digital accounting ledger, where entries of computer code (blocks) are made in a linked, chronological series (chain) to record information like ownership of assets.

What makes blockchain different than other ledgers, and provides its unique security case, is that the technology is distributed: copies of the ledger are kept and simultaneously updated across a network of computers, called nodes. When a new transaction occurs, the nodes that process the data each independently verify the transaction via consensus. Essentially, that means when a new transaction appears, the nodes ask, ‘This is the transaction I see; is that what you see?’ Once validated—if more than half of the nodes agree—the transaction is added as a timestamped block of code across the network.

That makes it essentially impossible to go back and alter or erase prior blockchain transactions; once a block of code is added, you can’t modify it without changing every single copy of the ledger. Since that violates network rules, the nodes will refuse to validate the change.

But here’s the catch: while it’s fashionable to say “the blockchain,” as if it’s a single entity, that’s a misunderstanding. Blockchain isn’t a thing; it’s a technology. There isn’t one blockchain; there are hundreds, maybe thousands. There are public blockchains and privately run ones, which come in several flavours. So the public blockchain platform that, say, Bitcoin runs on is not the same as the one for rival cryptocurrency Ether (called Ethereum), which is different still than the (likely private) platform that will underpin Colnago’s project. And that’s where things get fuzzy.

MyLime’s press release stated that the Colnago database would be part of the Automotive Blockchain®. But as with other blockchains, there isn’t just one in the automotive industry (or even a dominant player). MyLime did register a logo trademark for Automotive Blockchain in the United States and Europe in 2020, according to the World Intellectual Property Organization. But that bold ambition belies the fact that MyLime, an Italian tech startup, has only a handful of clients, one of which appears to be its own sister company. It’s not even clear that its Automotive Blockchain is operational.

MyLime has been in business since 2018, says Martina Laconca, the company’s PR representative. But that’s about the only information I got. I sent a list of questions, which Laconca said she found “interesting and insightful” but could not answer because of a non-disclosure agreement, and suggested that information might be available in the future.

Laconca declined to answer requests for more information about MyLime’s blockchain services, or its Automotive Blockchain® specifically: what it is, who are the partners besides MyLime, and how large is the network. That matters because blockchain, once thought to be unhackable, well, isn’t.

While you can’t erase past blockchain transactions, the technology does have vulnerabilities, including private key hacking, where a thief could impersonate an asset’s owner, and something called a 51 percent attack: when a malicious actor gains control over more than 50 percent of a blockchain’s computing power, which is the threshold to validate a transaction across the network.

When that happens, a hacker can write new transactions into the blockchain: the fraudulent transaction is validated by at least 51 percent of the network nodes and accepted as legitimate. So a 51 percent attack is partly an issue of scale: public blockchains with a huge network, like Bitcoin, carry too high a cost, but a small, proprietary one? Game on.

Because MyLime didn’t respond to most of my questions, it’s impossible to know any details about the blockchain technology that will underpin digital security for Colnago. If MyLime is acquired, or pivots to a different product, or goes out of business—all common outcomes for tech startups—what happens to the Colnago database?

Colnago also did not respond to two requests for comment about specifics of the plan. So on topics like how owners might update the blockchain and RFID tag in case they sell their bike; how potential buyers might be able to access the database to verify a bike is rightfully owned and authentic (say, via a Colnago dealer); and whether law enforcement will be able to do so to verify ownership—there is no firm information.

Given Colnago’s and MyLime’s claims about the technology’s anti-theft potential, that last question may be toughest, since law enforcement generally treats stolen bikes as a low priority and already is somewhat technology-challenged. Dan Guido, CEO of digital security firm Trail of Bits, recently wrote a viral Twitter thread about how he recovered a stolen scooter using Apple Airtags after he did the entire casework for the police, who were most suspicious of him, and physically led them to the chop shop that had the scooter. So it may be a bit much to expect police to carry RFID scanners to access a proprietary blockchain of uncertain authority that tells them who is the rightful owner of this $5,000 V3Rs frameset with Tadej Pogačar’s “Fire and Ice” paint scheme.

A separate and major issue: for some reason, Colnago put the RFID tag on the outside of the downtube (there’s a closeup picture in the press release), where it’s easily scraped off. Is a missing tag a sign a bike is stolen or fake? Sure. But this is a physical product, not a digital asset like an NFT; actual possession matters. People who steal and re-sell bikes may not be bothered that there’s an RFID tag on it or not, or if some digital ledger says the bike isn’t legally theirs. Proof of ownership? It’s right there, in their hands, right?

Similarly, counterfeiting is not easy to solve. When I wrote about counterfeit bikes a few years ago, I learned in talking with sources that many buyers know what they’re buying is fake, and don’t care: hence the term “Chinarello.” A fake tag, or no tag at all, isn’t a big deterrent. And if the database of authentic bikes is obscure, proprietary, and difficult to access, it’s even less effective.

RFID, and blockchain, do have potential for both theft and counterfeit deterrence if properly executed: anything that raises the cost of illegal behaviour will decrease it to a corresponding degree. But there are just too many questions right now about Colnago’s partnership to know whether this is going to be a meaningful step in that direction, or if those 2022 Colnagos are just a few grams heavier for the weight of an RFID tag and some adhesive.

READ MORE ON: bike theft blockchain colnago new tech tech