MJ Freeway’s Seed-to-Sale Software Dilemma
This article has been updated since it appeared in Issue 29.
One of the biggest changes to hit the marijuana industry as it makes the transition from an illegal underground business to a legal, regulated one has to do with paperwork. In the old days, growers and dealers kept records in their heads, or as arcane scribbles on a notepad. Detailed records could put a person away in prison for a long time, because they were proof of ongoing illegal activity—what law enforcement refers to as a “continuing criminal enterprise.”
Under legalization and regulation, however, come record-keeping requirements. Notepads just won’t cut it anymore. States require constant monitoring and electronic access to data, what’s called “seed-to-sale” tracking in order to prevent diversion of marijuana outside the regulated system, so that they can be sure that they’re getting all the tax revenue due under the law. The means they use for this is an integral part of modern supply-chain management, from the manufacturing process all the way through wholesale and retail distribution: Radio Frequency Identification, or RFID.
In the marijuana industry, RFID chips are attached to each plant and to each container of product as it’s processed. Since the chips can’t weigh plants or bags yet, regulatory agencies mandate monitoring and video surveillance, and may make official inspections.
That brings us to a couple of more acronyms: ERP and CRM. ERP stands for Enterprise Resource Planning. It’s software that integrates different applications for back-office operations, covering everything from manufacturing to administration, and are essentially databases and spreadsheets that also manage communications like email and messaging. CRM is Client (or Customer) Relationship Management. CRM software is also databases and spreadsheets, but used for front-office operations.
Because of seed-to-sale tracking, states are mandating that businesses in the marijuana industry use software that can provide both ERP and CRM. The companies producing that software, therefore, are doing a lot more than just providing RFID tracking chips. They’re developing programs for real-time monitoring, analysis and reporting, systems that rely on the Internet for communications as well as data storage.
On one hand, these programs are really just databases and spreadsheets with a calendar function thrown in. They also have to be simple enough for people at businesses and state agencies to use efficiently. On the other hand, as they rely on accurate and timely inputs, people have to be properly and adequately trained to use them, and reports have to be read and understood by both managers and the regulators who actively monitor compliance. In the end, the software is only as good as the people using it.
Also See: Seed-to-Sale Tracking: How It Works
One of the biggest players in this seed-to-sale monitoring business is MJ Freeway, a Denver-based firm founded in 2010. Its software covers the full range of business and regulatory needs. MJ Freeway originally focused on the medical-marijuana industry. Its biggest competitor at the time was BioTrackTHC, a Florida firm that started out doing monitoring and tracking in the pharmaceutical industry and expanded to the marijuana business in 2010. The third company in this mix is Metrc, which is owned by Franwell, a longtime player in RFID technology.
Monitoring and compliance are mandatory in adult use and medical states, so businesses can’t afford to have tracking software go down.
After Colorado and Washington passed initiatives to legalize marijuana in 2012, MJ Freeway’s cofounders, CEO Amy Poinsett and COO Jessica Billingsley, moved to expand into the adult-use market. In 2013, Poinsett was appointed to Colorado’s advisory panel that develops rules for retail marijuana sales. Things were looking really good.
“MJ Freeway was first-to-market with seed-to-sale tracking,” Jeanette Ward, their vice president of global marketing and communications, tells Freedom Leaf. “We invented the seed-to-sale tracking, because our clients needed to track cannabis throughout its life cycle with an exactness and precision that it deserved, and no other technology product on the market met their needs. We believe our commitment to innovation has helped us continue to lead in the market.”
Computer systems, however, have to be secure. Unfortunately, security is often an afterthought with systems handling large amounts of data, even those at major technology companies. You hear about data breaches all the time: personal data, credit card information and confidential materials getting stolen or sometimes even destroyed, websites being taken down, and services going offline.
Hackers Target MJ Freeway
The first big cyber attack on MJ Freeway happened last January. Its systems—both main servers and their backups went down completely. Companies that relied on its software to manage every aspect of their businesses were left hanging for several days. MJ Freeway assured people that no patient information or other data had been stolen, but the files were corrupted beyond repair and unusable. Its massive databases had to be reconstructed largely by hand.
If those companies had just used the software for their own business purposes, it would’ve been inconvenient, but manageable. The problem is that monitoring and compliance are mandatory in adult use and medical states, so cannabis businesses can’t afford to have them go down. Not surprisingly, some of MJ Freeway’s customers started looking at other systems.
Despite this major breach, five months later, on June 13, Washington State’s Liquor and Cannabis Board awarded MJ Freeway the contract to set up its regulatory compliance system. (BioTrackTHC had previously held that contract.) It was probably just a coincidence, but the next big cyber attack against MJ Freeway happened a week later. This time, the hackers hit the company where it hurts most: They posted the proprietary source code underlying its software on GitHub, a major software repository. MJ Freeway took the matter to law enforcement, which investigated it as theft. The code was taken down, but it may still be available illegally on other parts of the Internet.
“MJ Freeway’s security protections were high before the January 2017 attack, and now our defenses are the most robust in the industry,” Ward explains. “First, we upgraded security overall by moving to Amazon Web Services. We had a great firewall before. Now, with Amazon, we have the most sophisticated firewall that exists and the best engineers in the world that can work on it. Second, we’ve hired a third-party security firm to perform ongoing security audits to ensure security is continually the best it can be. Third, we’ve taken direct measures to address the specifics of how the January 2017 attack occurred. This matter is still under investigation.”
These attacks have left MJ Freeway’s business vulnerable. BioTrackTHC is no longer its only significant competitor. New software companies catering to the cannabis industry are springing up, including Flowhub and Kind Financial, which has partnered with Microsoft, who owns ERP and CRM software, indicating that Microsoft is thinking about going into the marijuana business-services market. If that happens, all bets are off. And Microsoft has less than 10% of the ERP market. The German software giant SAP dominates that market with a share of more than 20%, followed by Oracle, which has almost 14%.
Delays Plague MJ Freeway Rollout in Washington
Problems have continued for MJ Freeway. Washington State’s transition to MJ Freeway from BioTrackTHC was supposed to be completed by Oct. 31. But in late October, the Washington State Liquor and Cannabis Board announced delays in implementation. That meant stores, distributors, producers and growers in Washington would have to use their own spreadsheets to track marijuana for an undetermined period and would have to go to weekly reporting rather than monthly.
BioTrackTHC turned down the state’s offer of a four-month contract extension as an interim solution, arguing that there were too many security concerns regarding MJ Freeway. In an open letter to the cannabis industry, BioTrackTHC CEO Patrick Vo wrote:
“… many Washington licensees received an email in mid-September alleging to sell databases described as ‘WA DATABASE,’ ‘NV PROD DATABASE’ and ‘PA PROD DATABASE,’ among others. These presumably are to mean the Washington database, the Nevada database and the Pennsylvania database. The emails also provided unencrypted sample data files as a kind of ‘proof of life.’ Some business seed-to-sale software providers took it upon themselves to investigate the sample data and it was reported that the sample data not only appeared legitimate, but that it included sensitive data that is not publicly available: data that is contained within the full un-redacted traceability dataset.”
On Nov. 1, BioTrackTHC launched a «private traceability system,» known as the Universal Cannabis System (UCS), as an interim solution. «We’re currently operating the UCS, independently of the LCB and MJ Freeway, that allows licensees to submit compliance data, which is then submitted to the LCB on their behalf,» BioTrack director of marketing and communications Jeff Gonring explains in an email to Freedom Leaf. «This system was collectively agreed upon as the best path forward among Washington licensees and the majority of third-party software providers and is reducing the strain on licensees of the LCB’s manual spreadsheet contingency plan. The UCS has collected and submitted over 250,000 spreadsheets to the LCB on behalf of licensees since November 1. Non-BioTrackTHC licensees can access and use the system for a monthly cost of $50 per license to maintain ongoing hosting and maintenance costs associated with the System. The $50 monthly fee is being waived for all BioTrack customers.»
MJ Freeway’s Leaf Data Systems was supposed to be implemented by Jan. 1, but on Dec. 28, the LCB announced another Leaf Data Systems delay, until Feb. 1. «We’ve elected to extend the preparation period to ensure the system is ready and (the) transition is as smooth as possible,» it said in a statement.
The two main reasons for breaking into a computer system are to test your skills and the system’s defenses so that both may improve; or to break in, take stuff and possibly add malignant code. We don’t yet know who’s responsible for breaking into MJ Freeway’s system, so it’s hard to say which category they fall into. Regardless of motive, it appears that MJ Freeway is being targeted, the only question is whether it’s business, which would mean a competitor, or personal, which would mean a disgruntled former employee with the technical skills and access to have installed a backdoor before leaving. Either that or MJ Freeway just uses really crufty code. Whatever’s going on, the company’s survival depends on finding an answer.
Paperwork may be the bane of the marijuana industry, but regulations depend on paperwork and red tape, because without those, monitoring and compliance couldn’t happen. Even if MJ Freeway, BioTrackTHC and Metrc aren’t around in 10 years, they will have played major roles in blazing the seed-to-sale trail.
If you enjoyed this Freedom Leaf article, subscribe to the magazine today!