Recent events worldwide, notably Russia’s invasion of Ukraine and the recent display of military might by China in the Taiwan Strait, have highlighted the cybersecurity implications of digital product origins and sourcing. For instance, with reference to the perceived threat from a well-known anti-virus company (Kaspersky) to national security, the director of the UK National Cyber Security Centre, Ciaran Martin, concluded “Russian-made anti-virus software should not be used in systems containing information that would harm national security if it was accessed by the Russian government” [1] (para. 2). The decision by the US company Google to withdraw the utilisation permit for the Android mobile operating system and other technologies in Huawei products, because of the potential threat of information leakage to the Chinese government, is another example of the need to develop a means for assessing the domesticity of technology products [2]. In Europe, this has given rise to a number of projects aimed at designing and implementing new data infrastructure and communication platforms such as Gaia-X [3]. More specifically, in India, legislation has been introduced that requires all ecommerce entities to provide country of origin (COO) information for all products, motivated by the government’s desire to lessen their reliance on imports from China for security reasons [4]. Such concerns have only been exacerbated by recent research on the “dark side” of certain technologies, notably artificial intelligence [5], which was motivated by the “harmful and unintended consequences that have emerged during early AI implementation and use in organizations” [6] (p. 423). These factors illustrate the multiple aspects of cybersecurity, which can be defined as “the application of technologies, processes, and controls to protect systems, networks, programs, devices and data from cyber-attacks” [7] (para. 1).

Allied to this rationale—based mainly upon security and trading concerns—is the need to establish the true origin of digital products to guide consumer choice, which is often problematic when these products comprise a variety of components that may emanate from different locations and different countries. For the purposes of this paper, “digital products” are taken to be those often referred to as the SMAC (social media, mobile, analytics, and cloud) and BRAID (blockchain, robotics, artificial intelligence, internet of things, and digital fabrication) technologies, and to include all layers in the systems stack, as defined by Noergaard [8]. This encompasses the emerging technologies in the computing domain, and not only the application and system software layers, but also the hardware layer upon which they operate and run. In addition to cybersecurity concerns, Goodrich [9] noted two other reasons why COO is important. Firstly, “duty rates, preferential trade agreements, trade sanctions and import quotas are regulated according to country of origin” (para. 4), and secondly, “country of origin is also important for marking purposes. The import regulations put an emphasis on informing the end user of the country of origin of imported articles” (para. 5). Indeed, the 2020 Consumer Protection Act in India notes the need to “provide all relevant details about the goods and services offered for sale by the seller, including country of origin, which are necessary for enabling the consumer to make an informed decision at the pre-purchase stage” [10] (para. 6). In a similar vein, Shairwal and Tripathy [11] (para. 1) conclude that a major rationale for determining the country of origin is “to help consumers in making informed choices”.

However, there is a further dimension to this debate. Previous research ^[12][13][12,13] suggests that consumers from developing world countries have hitherto preferred non-domestic products and that there is a general bias against products from developing nations. Products from developed, industrialised countries tend to have a higher quality image ^[14][15][14,15], as epitomised, for example, by the reputation of the “Made in Germany” label around the world [16]. A recent study by Oumlil [17] concluded that this applied particularly to more technical products, and that “the more specialized the product, the less favorable the perception of the quality of the product(s) if it is made in a less developed nation or nations in the process of industrialization” (p. 62). So, revealing the true origin of products that may, at first glance, appear western, may help boost competing domestically produced products in developing world countries. The COO concept can thus offer a framework for assessing the domesticity of digital products, and this article suggests a new set of parameters that can be used to help consumers determine the COO of digital products. This is of particular relevance in the context of digital transformation projects in developing world environments. As Khan et al. [18] (p. 2) observe, “public sector projects in developing countries have to deal with issues that are unique to that environment, including large number of stakeholders, weak procurement systems, complex processes, shortage of skills and resources, and bureaucratic red tape”. In such environments, cost-effective ways of implementing digital products can be critical to project success or failure.

2. The Country-of-Origin Concept and Its Regulation

The COO construct has been widely researched since its introduction in 1965 by Robert Schooler ^[19][20]. The COO of a product is typically associated with the “made in…” labelling and was described by Peterson and Jolibert ^[20][21] (p. 884) as “an extrinsic product cue—an intangible product attribute—that is distinct from a physical product characteristic or intrinsic attribute. As such, a country-of-origin cue is similar to price, brand name, or warranty in that none of these directly bear on product performance”. However, the COO concept has been given various interpretations by different authors and in different sets of regulations. Phau and Cheong ^[21][22] see the term as denoting the country in which a business or brand is headquartered. In a similar vein, Johansson et al. ^[22][23] described it as the country where the product or name is housed at its corporate headquarters. It can be connoted that, because of international elements and sources, even though a product may not be considered to be produced in that region, it is presumed that the product or brand is associated with that country. Lee and Lee ^[23][24], on the other hand, state that the COO can be evaluated by considering the location in which the product is built, produced, and assembled. Aiello et al. ^[24][25] explain the term from a different viewpoint, arguing that the origin must be the country commonly associated with a commodity by the consumers, regardless of where it was made. Ahmed et al. ^[25][26] see the COO concept as denoting the product or service quality. As regards the national regulations for defining COO, the picture is equally complex. In the US, the Federal Trade Commission (FTC) defines the domesticity of a product as the country where the product was last “substantially transformed” ^[26][27] (p. 5). However, as Goodrich [9] (para. 9) observes, “the concept of substantial transformation is somewhat vague”, and it is not straight forward to establish what “substantial transformation” entails. The International Trade Association ^[27][28] (para. 3) notes “country-of-origin determinations are governed by many rules; in certain circumstances, discerning a product’s origin is difficult. For example, if you import raw plastic pellets but then process them to manufacture a telephone handset in a United States facility, is the handset considered to be of United States origin? Or, if you import telephone handset parts but then assemble and paint the finished product in the United States, what is that product’s country of origin?”. Rather similarly, the European Union (EU), in classifying products according to tariff duties, make the distinction between goods wholly obtained or produced in a single country, and goods whose production involved materials from more than one country ^[28][29]. In UK regulations, there is the concept of cumulation, which is somewhat akin to that of substantial transformation, noted above, in the US. “Cumulation is the term used to describe a system that allows originating products of country A to be further processed or added to products originating in country B, just as if they had originated in country B. The resulting product would have the origin of country B. With cumulation the working or processing carried out in each partner country on originating products does not have to be ‘sufficient working or processing’ as set out in the list rules, although it should be beyond minimal processing” ^[29][30] (paras. 4–5). In practice, establishing such metrics is not an easy task, notably for digital products. For example, on the ProductFrom website ^[30][31] (a participant in the Amazon Services LLC Associates Program), the technology company Western Digital Products list their products by category and by country origin. By country they note: 3 China, 40 Malaysia, 2 Singapore, 176 Thailand. However, the website adds a number of qualifications including, “companies often have more than one factory for the same type of products, so the country listed on this page may not be the only place of production” (para. 5). More specifically, as regards computer software, the Customs and Borders Protection agency in the US issued a final determination in 2016, deciding that a software product with a Malaysian source code, which was subsequently compiled into an object code in the United States, qualified as a US-made end product, and that the software construction (i.e., development) was the vital component that gives the software a new identity, thus making the place of software construction a significant criterion for the determination of the COO. Further, as regards cloud computing, the US Government Accountability Office issued guidelines in 2011 stating that the COO for cloud-based services is determined by where the client or end-user was located, regardless of the location of the data centre ^[26][27]. This is of particular significance for organisations using US-based cloud service providers, such as Amazon Web Services and Microsoft Azure. There are other related terms in the literature that are worthy of mention. The country of manufacture (COM) is the term sometimes used to indicate the country where a product was manufactured or assembled. The term has been described as a COO synonym, and it is generally used to indicate where a product was finished in its final assembly. However, when the item has been produced and built in a specific country, the country of design (COD) term is also sometimes used. In addition, multinational businesses sometimes use country of brand (COB) for specific provenance of brand names ^[24][25]. The COO “effect” and its indicators are another dimension to the debate found in the extant literature. This concept, sometimes abbreviated to COE (i.e., country-of-origin effect), concerns the influence that a product’s country of origin labelling may have on consumers’ perceptions, attitudes, and purchasing decisions; however, as Eder ^[31][32] notes, because of the complexities of the concept, no consensus has been reached for developing an analytical framework. Roth and Romero ^[32][33] concluded that it is necessary to concentrate on the local production and country image in order to thoroughly investigate COO effects. Ballington ^[33][34] found that information indicators function differently for different countries for particular product categories, and Chao ^[34][35] noted that customers may rely on other information indicators, such as where the product was manufactured, in assessing COO information. In summary, the extant literature indicates that there are multiple definitions for the COO concept, and there is no international standard for a generic definition. There are a number of parameters identified in the literature that are used in different contexts and environments to determine a product’s COO and domesticity, i.e., to what extent it was produced in the country in which it is used. These include the production place ^[24][26][25,27], assembly place ^[23][34][24,35], raw material origin ^[35][36][36,37], headquarters location ^[37][38][38,39], and domestic capital usage ^[39][40][40,41]. With digital products, determining the product’s domesticity is all the more challenging because a digital product may comprise a number of different elements that may have come from different parts of the globe and different production environments. Digital products often include embedded systems, software, hardware components, and even accumulated data. There is thus a need for a new set of criteria for making such decisions that assesses the different components of digital products and allows due consideration of data security and import dependency issues, as well as providing guidelines for tariff calculations. Available research studies neither recognise nor address this challenge; to the authors’ knowledge, there is no literature that focuses on the COO determination for digital products. Much of the extant literature is more than 10 years old, but more recent publications include considerations of the COO in a number of diverse business or academic contexts, including the origin of research publications ^[41][42], the varying influence of a brand in COO classification ^[42][43], the influence of COO on buying decisions in the United Arab Emirates ^[43][44], and comparative studies of COO regulations ^[44][45]. These studies illustrate the broad range of applications of the COO concept, but very few are of direct relevance to the current researchtudy, although Potluri and Johnson ^[43][44] employ a similar research methodology of survey data collection and hypotheses testing. Of greater relevance is the literature concerning agri-food and manufactured products for tariff assessment and duty payment purposes discussed above (see, for example, HM Revenue & Customs ^[45][46]), but these are mainly in the form of rules and regulations rather than research outputs, and do not address the complexity of digital products. This research aims to contribute towards closing this gap in the literature by putting forward parameters that may facilitate a more realistic and effective measurement of the COO for digital products.

3. Country of Origin Assessment for Digital Products

As explained in the previous sections,  the most commonly used parameters for COO determination are, in general terms, production place, headquarters location, and domestic capital deployment. This is replicated in many of the COO regulations, which are there to assess tariff calculations rather than to determine the domesticity of products. Although these are reasonable metrics for simple tariff transaction calculations, they are not geared to identifying the security aspects of imported digital products, nor do they provide an effective mechanism for import control.  

On the other hand, digital products can contain hardware components, software elements, embedded systems, and data; determining the country of origin (COO) in these circumstances is problematic. The research in ^[46][47])  provides an operational framework for the COO concept to address this problem. Using an inductive research methodology based on semi-structured interviews and an online survey, a 19-parameter framework for assessing the COO of digital products is developed.