Remember in January when OpenAI announced some great achievement, and then a few days later we learned that the Chinese firm DeepSeek could boast the same performance, only much better?
These Chinese leapfrogs don’t only happen in artificial intelligence.
One kilometer facial capture
In February, I wrote about something that I initially heard of via Biometric Update. My post, “How to Recognize People From Quite a Long Way Away,” told of an effort at Heriot-Watt University in Edinburgh, Scotland in which the researchers used light detection and ranging (LiDAR) to capture and evaluate faces from as far as a kilometer away.
In normal circumstances, we capture faces from a distance of mere meters. So one kilometer facial capture is impressive.
Scientists in China have created a satellite with laser-imaging technology powerful enough to capture human facial details from more than 60 miles (100 kilometers) away….
According to the South China Morning Post, the scientists conducted a test across Qinghai Lake in the northwest of the country with a new system based on synthetic aperture lidar (SAL), a type of laser radar capable of constructing two-dimensional or three-dimensional images.
Qinghai Lake, from Google Maps.
Writers will note that the acronym SAL incorporates the L from the acronym LiDAR. This is APO, or acronym piling on.
Since I cannot read the original report, I don’t know if the researchers actually performed tests with actual faces. But supposedly SAL “detected details as small as 0.07 inches (1.7 millimeters),” based in part upon the benefits of its technology:
[T]his new system operates at optical wavelengths, which have much shorter wavelengths than microwaves and produce clearer images (though microwaves are better for penetrating into materials, because their longer wavelengths aren’t scattered or absorbed as easily).
All the cited articles make a big deal about the 100 kilometer distance’s equivalence to the boundaries of space. But before you get too excited, remember that a space-hosted SAL will be ABOVE any human subjects, and therefore will NOT capture the face at an optimal angle…
I’m admittedly fascinated by the parallels between people and non-person entities (NPEs), to the point where I asked at one point whether NPEs can use the factors of authentication. (All six. Long story.)
When I got to the “something you are” factor, which corresponds to biometrics in humans, here is what I wrote:
Something you are. For simplicity’s sake, I’ll stick to physical objects here, ranging from pocket calculators to hand-made ceramic plates. The major reason that we like to use “something you are” as a factor is the promise of uniqueness. We believe that fingerprints are unique (well, most of us), and that irises are unique, and that DNA is unique except for identical twins. But is a pocket calculator truly unique, given that the same assembly line manufactures many pocket calculators? Perhaps ceramic plates exhibit uniqueness, perhaps not.
But I missed one thing in that discussion, so I wanted to revisit it.
Understanding IMEI Numbers
Now this doesn’t apply to ceramic plates or pocket calculators, but there are some NPEs that assert uniqueness.
Our smartphones, each of which has an International Mobile Equipment Identity (IMEI) number.
IMEI stands for International Mobile Equipment Identity. It’s a unique identifier for mobile devices, much like a fingerprint for your phone’s IMEI number.
Now some of you who are familiar with biometrics are saying, “Hold it right there.”
Can someone assert that there has NEVER been two people with the same fingerprint in all of human history?
But let’s stick to phones, Johnny.
Each IMEI number is a 15-digit code that’s assigned to every mobile phone during its production. This number helps in uniquely identifying a device regardless of the SIM card used.
This is an important point here. Even Americans understand that SIM cards are transient and can move from one phone to another, and therefore are not valid to uniquely identify phones.
What about IMEIs?
Are IMEIs unique?
I won’t go into the specifics of the 15-digit IMEI number format, which you can read about here. Suffice it to say that the format dictates that the number incorporate the make and model, a serial number, and a check digit.
Therefore smartphones with different makes and models cannot have the same IMEI number by definition.
And even within the make and model, by definition no two phones can have the same serial number.
Why not? Because everyone says so.
It’s even part of the law.
Changing an IMEI number is illegal in many countries due to the potential misuse, such as using a stolen phone. Tampering with the IMEI can lead to severe legal consequences, including fines and imprisonment. This regulation helps in maintaining the integrity of mobile device tracking and discourages the theft and illegal resale of devices.
IMEIs in India
To all of the evidence above about the uniqueness of IMEI numbers, I only have two words:
So what?
A dedicated person can create or modify multiple smartphones to have the exact same IMEI number if desired. Here’s a recent example:
The Indore Police Crime Branch has dismantled two major digital arrest fraud rackets operating in different parts of the country, seizing a massive database containing private details of 20,000 pensioners in Indore….
A dark room in the flat functioned as the nerve centre of the cyber fraud operation, which had been active since 2019. The group specialised in IMEI cloning and used thousands of SIM cards from select mobile networks.
IMEIs in Canada
“Oh, but that’s India,” you say. “That couldn’t happen in a First World country.”
A Calgary senior is warning others after he was scammed out of $1,000 after buying what he thought was a new iPhone 15 Pro Max.
“I didn’t have any doubt that it was real,” Boyd told Global News….
The seller even provided him with the “original” receipt showing the phone had been purchased down east back in October 2023. Boyd said he also checked the phone’s serial number and the International Mobile Equipment Identity (IMEI). All checked out fine.
Boyd said the first sign of a problem was when he tried to update the phone with his own information and it wouldn’t update. It was only after he took it to a representative at a local Apple retailer, that he realized he had been duped.
IMEIs in general
Even IMEICheck.net, which notes that the threat of stealing one’s phone information is overrated, admits that it is possible (albeit difficult) to clone an IMEI number.
In theory, hackers can clone a phone using its IMEI, but this requires significant effort. They need physical access to the device or SIM card to extract data, typically using specialized tools.
The cloning process involves copying the IMEI and other credentials necessary to create a functional duplicate of the phone. However, IMEI number security features in modern devices are designed to prevent unauthorized cloning. Even if cloning is successful, hackers cannot access personal data such as apps, messages, photos, or passwords. Cloning usually only affects network-related functions, such as making calls or sending messages from the cloned device.
Again, NOTHING provides 100.00000% security. Not even an IMEI number.
What this means for IMEI uniqueness claims
So if you are claiming uniqueness of your smartphone’s IMEI, be aware that there are proven examples to the contrary.
Perhaps the shortcomings of IMEI uniqueness don’t matter in your case, and using IMEIs for individualization is “good enough.”
(Imagen 3 image. Oddly enough, Google Gemini was unable, or unwilling, to generate an image of three smartphones displaying the exact same 15-digit string of numbers, or even a 2-digit string. I guess Google thought I was a fraudster.)
Regarding facial recognition, I wrote this in a social media conversation earlier today:
“Facial recognition CAN be used as a crowd checking tool…with proper governance, including strict adherence to a policy of only using FR as an investigative lead, and requiring review of potential criminal matches by a forensic face investigator. Even then, investigative lead ONLY. Same with DNA.”
I received this reply:
“It’s true but in my experience cops rarely follow any rules.”
Now I could have claimed that this view was exaggerated, but there are enough examples of cops who DON’T follow the rules to tarnish all of them.
“The complaint alleges that the surveillance footage is poorly lit, the shoplifter never looks directly into the camera and still a Detroit Police Department detective ran a grainy photo made from the footage through the facial recognition technology.”
There’s so much that isn’t said here, such as whether a forensic face examiner made a definitive conclusion, or if the detective just took the first candidate from the list and ran with it.
But I am willing to bet that there was no independent evidence placing Williams at the shop location.
Why this matters
The thing that concerns me about all this? It just provides ammo to the people who want to ban facial recognition entirely.
Yes, oil company executives. I keep on hearing ads for some TV show that imply that the oil industry is invincible. Um…ask John Connally.
Survey says
Richard Dawson did not kiss anyone in this survey.
Back to the survey, conducted by the ultra libtards at the Federal Reserve Bank of Dallas.
“Uncertainty around everything has sharply risen during the past quarter,” another executive said. “Planning for new development is extremely difficult right now due to the uncertainty around steel-based products.”
But what of the politicians in high places who are pro-oil (well, except when they promote a certain woke electric car) and are doing everything they can to encourage oil production?
“The threat of $50 oil prices by the administration has caused our firm to reduce its 2025 and 2026 capital expenditures,” an executive said. “‘Drill, baby, drill’ does not work with $50 per barrel oil. Rigs will get dropped, employment in the oil industry will decrease, and U.S. oil production will decline as it did during COVID-19.”
I wonder if one of my old employers is still conducting its three year planning exercises.
I was encouraged to check out k-ID, a firm that tracks age compliance laws on a global basis. It also lets companies ensure that their users comply with these laws.
“Age assurance refers to a range of methods and technologies used to estimate, verify or confirm someone’s age. Different countries allow different methods, but here are a few commonly used by k-ID…”
The following methods are then listed:
Face Scan: Your age is estimated by completing a video selfie
ID Scan: Your age is confirmed by scanning a government-issued ID
Credit Card: Confirm you’re an adult by using a valid credit card
Note that k-ID’s age assurance methods include age estimation (via your face), age verification (via your government ID), and age who-knows-what (IMHO, possession of a credit card proves nothing, especially if it’s someone else’s).
But if k-ID truly applies the appropriate laws to age assurance, it’s a step in the right direction. Because keeping track of laws in hundreds of thousands of jurisdictions can be a…um…challenge.
12-18-6.1. Voters required to provide identification before voting.
When the voter is requesting a ballot, the voter shall present a valid form of personal identification. The personal identification that may be presented shall be either:
(1) A South Dakota driver’s license or nondriver identification card;
(2) A passport or an identification card, including a picture, issued by an agency of the United States government;
(3) A tribal identification card, including a picture; or
(4) A current student identification card, including a picture, issued by a high school or an accredited institution of higher education, including a university, college, or technical school, located within the State of South Dakota.
As most people know, legislators only define the law in broad strokes. It is up to the executive to figure out the details of how to implement the law.
So how does the South Dakota Board of Elections determine that the presented identification is valid?
Does every precinct worker in South Dakota possess a copy of a guide (such as this one) that includes, among other items:
“Explanation of what the proper alphanumeric sequencing of a South Dakota ID or Driver’s License should be (how many letters, numbers, etc.).”
In addition, does every precinct worker in South Dakota have access to software and equipment (such as this one that uses “white, infrared, ultraviolet and coaxial lights”) that detects deepfake IDs? This one has a $1,600 list price. You can get cheaper ones that only support white light and can’t detect the other security features, but such readers would violate the law.
If the state can negotiate a discount of $1,000 per reader, then you can equip almost 700 precincts for less than $1 million (excluding training and maintenance, and assuming only 1 reader per precinct). A small price to pay for democracy.
Of course voter ID fraud doesn’t just affect South Dakota, as I previously noted. But even if South Dakota doesn’t equip its precinct workers to reject voters with fake IDs, I’m sure the other states do.
An announcement from Paravision says its biometric age estimation technology has achieved Level 3 certification from the Age Check Certification Scheme (ACCS), the leading independent certification body for age estimation. The results make it one of only six companies globally to receive ACCS’s highest-level designation for compliance.
San Francisco-based Paravision’s age estimation tech posted 100 percent precision in Challenge 25 compliance, with 0 subjects falsely identified as over 25 years old. It also scored a 0 percent Failure to Acquire Rate, meaning that every image submitted for analysis returned a result. Mean Absolute Error (MAE) was 1.37 years, with Standard Deviation of 1.17.
Now this is an impressive achievement, and Paravision is a quality company, and Joey Pritikin is a quality biometric executive, but…well, let me share the other story first, involving a Yoti customer (not Yoti).
Fenix responded that it set a challenge threshold at 23 years of age. Any user estimated to be that age or younger based on their face biometrics is required to use a secondary method for age verification.
Fenix had set OnlyFans challenge age, it turns out, at 20 years old. A correction to 23 years old was carried out on January 16, and then Fenix changed it again three days later, to 21 years old, Ofcom says.
Now Biometric Update was very clear that “Yoti provides the tech, but does not set the threshold.”
Challenge ages and legal ages
But do challenge thresholds have any meaning? I addressed that issue back in May 2024.
Many of the tests used a “Challenge-T” policy, such as “Challenge 25.” In other words, the test doesn’t estimate whether a person IS a particular age, but whether a person is WELL ABOVE a particular age….
So if you have to be 21 to access a good or service, the algorithm doesn’t estimate if you are over 21. Instead, it estimates whether you are over 25. If the algorithm thinks you’re over 25, you’re good to go. If it thinks you’re 24, pull out your ID card.
And if you want to be more accurate, raise the challenge age from 25 to 28.
NIST admits that this procedure results in a “tradeoff between protecting young people and inconveniencing older subjects” (where “older” is someone who is above the legal age but below the challenge age).
You may be asking why the algorithms have to set a challenge age above the lawful age, thus inconveniencing people above the lawful age but below the challenge age.
The reason is simple.
Age estimation is not all that accurate.
I mean, it’s accurate enough if I (a person well above the age of 21 years) must indicate whether I’m old enough to drink, but it’s not sufficiently accurate for a drinker on their 21st birthday (in the U.S.), or a 13 year old getting their first social media account (where lawful).
Not an official document.
If you have a government issued ID, age verification based upon that ID is a much better (albeit less convenient) solution.
But perhaps you would prefer to hear from someone who knows what they’re talking about.
On a webcast this morning, C. Maxine Most of The Prism Project reminded us that the “Biometric Digital Identity Deepfake and Synthetic Identity Prism Report” is scheduled for publication in May 2025, just a little over a month from now.
As with all other Prism Project publications, I expect a report that details the identity industry’s solutions to battle deepfakes and synthetic identities, and the vendors who provide them.
And the report is coming from one of the few industry researchers who knows the industry. Max doesn’t write synthetic identity reports one week and refrigerator reports the next, if you know what I mean.
At this point The Prism Project is soliciting sponsorships. Quality work doesn’t come for free, you know. If your company is interested in sponsoring the report, visit this link.
While waiting for Max, here are the Five Tops
And while you’re waiting for Max’s authoritative report on deepfakes and synthetic identity, you may want to take a look at Min’s (my) views, such as they are. Here are my current “five tops” posts on deepfakes and synthetic identity.
For many years, the baseline for high-quality capture of fingerprint and palm print images has been to use a resolution of 500 pixels per inch. Or maybe 512 pixels per inch. Whatever.
The crime scene (latent) folks weren’t always satisfied with this, so they pushed to capture latent fingerprint and latent palm print images at 1000 pixels per inch. Pardon me, 1024.
But beyond this, the resolution of captured prints hasn’t really changed in decades. I’m sure some people have been capturing prints at 2000 (2048) pixels per inch, but there aren’t massive automated biometric identification systems that fully support this resolution from end to end.
But that may be changing.
One important truth about infant fingerprints
For about as long as latent examiners have pursued 1000 ppi print capture, people outside of the criminal justice arena have been looking at fingerprints for a very different purpose.
Our normal civil fingerprint processes require us to identify people via fingerprints beginning at the age of 18, or perhaps at the age of 12.
But gow do we identify people in those first 12 years?
More specifically, can we identify someone via their fingerprints at birth, and then authenticate them as an adult by comparing to those original prints?
It’s a dream, but many have pursued this dream. Dr. Anil Jain at Michigan State University has pursued this for years, and co-authored a 2014 paper on the topic.
Given that children, as well as the adults, in low income countries typically do not have any form of identification documents which can be used for this purpose [vaccination], we address the following question: can fingerprints be effectively used to recognize children from birth to 4 years? We have collected 1,600 fingerprint images (500 ppi) of 20 infants and toddlers captured over a 30-day period in East Lansing, Michigan and 420 fingerprints of 70 infants and toddlers at two different health clinics in Benin, West Africa.
At the time, it probably made sense to use 500 pixel per inch scanners to capture the prints, since developing countries don’t have a lot of money to throw around on expensive 1000 ppi scanners. But the use of regular scanners runs counter to a very important truth about infants and their fingerprints. Are you sitting down?
Because infants are smaller than adults, infant fingerprints are smaller than adult fingerprints.
Think about it. The standard FBI fingerprint card assumes that a rolled fingerprint occupies 1.6 inches x 1.5 inches of space. If you were to roll an infant fingerprint, it would occupy much less than that. Heck, I don’t even know if an infant’s entire FINGER is 1.6 inches long.
So the capture device is obtaining these teeny tiny ridges, and these teeny tiny ridge endings, and these teeny tiny bifurcations. Or trying to. And if those second-level details can’t be captured, then you’re not going to get the minutiae, and your fingerprint matching is going to fail.
So a decade later, researchers today are adopting a newer approach, according to a Biometric Update summary of an ID4Africa webinar. (This particular portion is at the very end of the webinar, at around the 2 hour 40 minute mark.)
A video presentation from Judge Lidia Maejima of the Court of Justice of Parana, Brazil introduced the emerging legal framework for biometric identification of infants. Her representative Felipe Hay explained how researchers in Brazil developed 5,000 dpi scanners, he says, which accurately record the minutiae of infants’ fingerprints.
Did you capture that? We’re moving from five hundred pixels per inch to FIVE THOUSAND pixels per inch. (Or maybe 5120.) Whether even that resolution is capable of capturing infant fingerprint detail remains to be seen.
And as Dr. Joseph Atick noted, all this research is still in its…um…infancy. We won’t know for years whether the algorithms can truly match infant fingerprints to child or adult fingerprints.
By the way, when talking about digital images, Adobe notes that the correct term is pixels per inch, not dots per inch. DPI specifically refers to printer resolution, which is appropriate when you’re printing a fingerprint card but not when you’re displaying an image on a screen.
“Delaying marketing your new app, because you’re a developer or a designer and marketing is outside your comfort zone.”
But it’s not just developers or designers who delay product marketing efforts.
Two reasons why product marketers don’t market
While it’s easy to blame the techie, non-techies can also delay a go-to-market effort. Even product marketers can and do delay a go-to-market effort. Not because of comfort zone issues, but for two other reasons.
Reason One: The good is the enemy of the perfect
The first was cited by Shatz in another context:
“Delaying launching your new product, because you want to make sure that it’s absolutely perfect, even though it’s already good enough for your purposes and it would be better to just launch it already.”
In the same way we want our product to be perfect, we often want our product marketing to be perfect. Thus the A version becomes the B version which becomes the C version until we run out of letters at Z and have to employ the Excel solution and create version AA, AB, and so forth.
Reason Two: Being on the wrong level of the three levels of importance
But there’s another reason for the frustratingly endless revision cycles: you can’t get all the reviewers to look at the first version, or the second.
We’ve all encountered situations where things that are critically important to us are merely important to others. I still remember the time when a company executive talked about how important a particular project was…and then left the room, conveying an unintended message.
And when things are relatively unimportant, they don’t happen.
And because of the delay, your product’s impact is diluted.
Bredemarket 
