Author Archives: bredemarket

Marketing and writing services.

Digital Identity: Endorsed, Or Bestowed?

Joel R. McConvey’s recent article in Biometric Update made my head spin.

“Utah’s state legislature has voted unanimously to pass SB 275, the State-Endorsed Digital Identity Program Amendments bill. The law makes Utah unique among states, in that it defines identity as something that is inherent to a person and endorsed by the state rather than bestowed by the state.

“The distinction has implications for discussions about data sovereignty – who gets to control a person’s personal information – as well as for other states pursuing digital identity programs.”

Endorsed? Bestowed? What’s up? An earlier McConvey article quotes from Utah’s Chief Privacy Officer Christopher Bramwell:

“Part of Utah’s history,” Bramwell says – “why we care so much about privacy, and this does translate directly to digital identity – is when pioneers came to Utah, it was literally for autonomy, and it was to be left alone to live their life according to the dictates of their heart. That’s why many people came to America, whether as pilgrims or pioneers or immigrants: because you want something better and you want to do it according to your conscience.”

For those whose history is rusty, Bramwell is referring to the migration of the Mormons out west. As he points out, the Mormons are not the only ones in U.S. history who came to a new land to enjoy freedom from the perceived oppressive state. The original inhabitants of Massachusetts, Rhode Island, Maryland, and Pennsylvania also fall within this tradition.

Bramwell continues:

““And that’s a lot of what we’re talking about with digital ID. You need to engage in the free market, but do it according to your choice without being tracked, without being surveilled, without undue influence on how you’re operating. So you can live your life in the digital realm according to the dictates of your heart and how you and your family see fit.”

“Our approach is to separate identity from any privileges or licenses that are given by government. Identity should be separate, so that it is not something that there’s any reason to ever take away.”

But this is not just a religious issue, as the American Civil Liberties Union points out.

“The philosophical underpinning of the state’s SEDI concept is that “identity” is not something bestowed by the state, but that inherently belongs to the individual; the state merely “endorses” a person’s ID.”

Of the six major underpinnings of SEDI, the third is of interest here:

“Individual control,” in which the state throws its weight behind a movement known as “user-centric” or “self-sovereign” identity, that strives to ensure that government identification systems are used to empower individuals, not to control them.

So what does self-sovereign, endorsed identity mean from a legal standpoint? Let’s look at the opening section of the most recent bill, Utah’s SB 275:

63A-20-101. Digital identity bill of rights.

The following rights constitute the digital identity bill of rights in this state:

(1)An individual possesses an individual identity innate to the individual’s existence and independent of the state, which identity is fundamental and inalienable.

(2)An individual has a right to the management and control of the individual’s digital identity to protect individual privacy.

(3)An individual has a right to choose, receive, and use a physical form of identity assertion that is endorsed by the state.

(4)An individual has a right to not be compelled by the state to possess, use, or rely upon a digital form of identity assertion in place of a physical form of identity assertion that is endorsed by the state.

(5)An individual has a right to state endorsement of the individual’s digital identity upon meeting objective, uniform standards for eligibility and verification established by law, and a right to not have such endorsement arbitrarily or discriminatorily withheld or revoked.

(6)An individual has a right to have the state’s operation of digital identity systems governed by clear standards established by the Legislature, including for eligibility, issuance, endorsement, acceptance, revocation, or interoperability of digital identityassertions.

(7)An individual has a right to transparency in the design and operation of a state digital identity, including the right to access, read, and review the standards and technical specifications upon which the state digital identity is built and operates.

(8)An individual has the right to choose what identity attributes are disclosed by the individual’s state digital identity in accordance with standards established by theLegislature.

(9)An individual has the right to any service or benefit to which the individual is otherwise lawfully entitled based on the individual’s choice of a lawful format or means of identity assertion without denial, diminishment, or condition.

(10)An individual has a right to be free from surveillance, profiling, tracking, or persistent monitoring of the individual’s assertions of digital identity by the state, except as authorized by law.

(11)An individual has a right to not be required by the state to surrender the individual’s device in order to present the individual’s digital identity.

Of course, once you leave the state of Utah and reside in another state, that state will BESTOW an identity upon you.

And while this controls what the state of Utah can do, it does not apply to a FEDERAL digital identity, such as a future digital U.S. passport.

Bash Script Vulnerabilities

I can’t say WHY I’m looking at bash script vulnerabilities, but they’ve been around since…well, this Kaspersky article is based upon CVE-2014-6271.

The “bash bug,” also known as the Shellshock vulnerability, poses a serious threat to all users. The threat exploits the Bash system software common in Linux and Mac OS X systems in order to allow attackers to take potentially take control of electronic devices. An attacker can simply execute system level commands, with the same privileges as the affected services….

“But just imagine that you could not only pass this normal system information to the CGI script, but could also tell the script to execute system level commands. This would mean that – without having any credentials to the webserver – as soon as you access the CGI script it would read your environment variables; and if these environment variables contain the exploit string, the script would also execute the command that you have specified.”

An authorization nightmare as a hostile non-person entity runs amok.

And it’s still a threat, as two recent CVEs attest…and that’s all I’ll say.

Today’s Acronym is PADFAA. And It Has Nothing To Do With Liveness Detection or Airplanes.

TAA.

Too many acronyms.

And this one, PADFAA, sounds like a mashup of presentation attack detection and the Federal Aviation Administration.

It isn’t.

PADFAA stands for the “Protecting Americans’ Data from Foreign Adversaries Act of 2024.”

So while it doesn’t involve PAD or the FAA, it does involve PII (personally identifiable information) and the FTC (Federal Trade Commission).

“The Federal Trade Commission sent letters to 13 data brokers warning them of their responsibility to comply with the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFAA).

“PADFAA prohibits data brokers from selling, releasing, disclosing, or providing access to personally identifiable sensitive data about Americans to any foreign adversary, which include North Korea, China, Russia, and Iran, or any entity controlled by those countries. The law defines personally identifiable sensitive data to include health, financial, genetic, biometric, geolocation, and sexual behavior information as well as account or device log-in credentials and government-issued identifiers such as Social Security, passport, or driver’s license numbers.”

Although frankly it’s not a good idea to sell PII to our friends either, but that’s another topic.

Delivering Bad News: How Motorola Overcame the FpVTE 2003 Results Announcement

I just realized that I have never told the FULL story of FpVTE 2003 in the Bredemarket blog. I’ve only told the problem part, but not the solution part. Bad on me.

The problem part

I told parts of this in a 2023 post entitled “The Big 3, or 4, or 5? Through the Years.” One of the pivotal parts of the story was when the “big 4” became the “big 3.”

It happened like this:

These days the U.S. National Institute of Standards and Technology (NIST) is well known for its continuous biometric testing, but one of its first tests was conducted in 2003. At the time, there were four well-recognized fingerprint vendors:

  • Cogent Systems.
  • Motorola, which had acquired Printrak.
  • NEC.
  • Sagem Morpho, which had acquired Morpho.

There were a bunch of other fingerprint vendors, but they were much smaller, including the independent companies Bioscrypt and Identix.

I was a product manager at Motorola at the time, managing the server portion of the company’s automated fingerprint identification system (AFIS), Omnitrak. This featured a modernization of the architecture that was a vast improvement over the client-server architecture in Series 2000. The older product was still in use at the Royal Canadian Mounted Police (RCMP), but Motorola was in the process of installing Omnitrak in Slovenia and upgrading existing systems in Oklahoma and Switzerland.

Yes, I’ve worked in biometrics for a while.

Yes, I am the biometric product marketing expert.

This is the environment in which NIST released its Fingerprint Vendor Technology Evaluation of 2003 (FpVTE 2003).

“FpVTE 2003 consists of multiple tests performed with combinations of fingers (e.g., single fingers, two index fingers, four to ten fingers) and different types and qualities of operational fingerprints (e.g., flat livescan images from visa applicants, multi-finger slap livescan images from present-day booking or background check systems, or rolled and flat inked fingerprints from legacy criminal databases).”

So the companies listed above, among others, submitted their algorithms to FpVTE 2003. After the testing, NIST issued a summary report that included this sentence.

“Of the systems tested, NEC, SAGEM, and Cogent produced the most accurate results.”

You can see how this affected Motorola…and me. We were suddenly second-tier, via independent confirmation.

I’m a loser, baby. Google Gemini.

We first had to go to the RCMP and admit that we weren’t as accurate as other systems. This came at a particularly bad time, since the RCMP was engaged in a massive system upgrade of its own. While Motorola’s FpVTE performance was not the ultimate deciding factor, we lost the massive RCMP system to Cogent.

But Motorola did something else at the same time.

The solution part

The accuracy of an automated fingerprint identification system falls in the laps of the algorithm developers, whether the vendor develops its own algorithms or buys a third-party algorithm from another AFIS vendor.

Motorola developed its own algorithm…and one of the R&D leaders was Guy Cardwell.

Motorola held a User’s Conference after the FpVTE results announcement, and Cardwell spoke to our customers.

  • It wasn’t a flashy presentation with smoke and mirrors.
  • It wasn’t an accusatory presentation calling NIST a bunch of crooks.
  • It was basically Guy, on stage, saying that we didn’t do well.
  • And that we would do better.

Now of course that in itself means nothing unless we actually DID better. The R&D team went to work and improved the algorithm, and continued with other advances such as supporting complete 1000 pixel per inch systems as Sweden demanded.

But from a product marketing perspective, Motorola’s initial messaging to its customers was critically important.

Because if Motorola didn’t publicly address its FpVTE 2003 performance, then the only people talking about it would be Cogent, NEC, and Sagem Morpho.

And you don’t want to let your competitors deliver your message and steal your prospects.

Stop losing prospects! Use Bredemarket content for tech marketers

Lyria…and Fingerprint Matching

Google Gemini has a new capability: artificial intelligence music generation.

It’s called Lyria.

“Since launching the Gemini app, we’ve built tools to encourage creative expression through images and video. Today, we’re taking the next step: custom music generationLyria 3, Google DeepMind’s latest generative music model, is rolling out today in beta in the Gemini app.”

I used this prompt to generate a Lyria tune:

“Create music for a wildebeest using a laptop to compare a latent fingerprint to a tenprint fingerprint”

Google’s response:

“’I’ve created a unique atmospheric track for you that blends electronic data-processing sounds with the deep, resonant textures of a wildebeest’s world. You can play the music directly here in our chat!”

Or I could download it and share it with you.

Lyria.

If the City Fails, Try the County (Milwaukee and Biometrica)

The facial recognition brouhaha in southeastern Wisconsin has taken an interesting turn.

According to Urban Milwaukee, the Milwaukee County Sheriff’s Office is pursuing an agreement with Biometrica for facial recognition services.

The, um, benefit? No cost to the county.

“However, the contract would not need to be approved by the Milwaukee County Board of Supervisors, because there would be no cost to the county associated with the contract. Biometrica offers its services to law enforcement agencies in exchange for millions of mugshots.”

Sound familiar? Chris Burt thinks so.

“Milwaukee Police Department has also attempted to contract Biometrica’s services, prompting pushback, at least some of which reflected confusion about how the system works….

“The mooted agreement between Biometrica and MPD would have added 2.5 million images to the database.

“In theory, if MCSO signs a contract with Biometrica, it could perform facial recognition searches at the request of MPD.”

See Bredemarket’s previous posts on the city efforts that are now on hold.

And counties also.

No guarantee that the County will approve what the City didn’t. And considering the bad press from the City’s efforts, including using software BEFORE adopting a policy on its use, it’s going to be an uphill struggle.

Which Department Handles Biometrics Use Case X in Country Y?

While Bredemarket only conducts business in the United States (with one exception), my clients have no such constraints.

Who are my client’s prospects?

Because of my extensive business-to-government (B2G) experience, I often work with clients that sell products and services to government agencies throughout the world. Well, except to North Korea and a few other places.

And as those clients (or their marketing and writing consultants) identify their public sector prospects, terminology becomes an issue.

And they have to answer questions such as “which government agency or agencies in Country Y potentially use biometric authentication for passengers approaching a gate in an airline terminal?”

Hint: chances are it’s NOT called the “department of transportation.”

Ministry

Add one factor that is foreign (literally) to this United States product marketing consultant.

Many of these countries have MINISTRIES.

No, not religious ministers or preachers.

Billy Graham. By Warren K. Leffler – This image is available from the United States Library of Congress’s Prints and Photographs divisionunder the digital ID ppmsc.03261.This tag does not indicate the copyright status of the attached work. A normal copyright tag is still required. See Commons:Licensing., Public Domain, https://commons.wikimedia.org/w/index.php?curid=905632.

When I say “Minister” here I refer to government officials, often from the country’s legislature, who manage a portfolio of agencies that are the responsibility of a Minister.

Sisa

Let’s take one ministry as an example: Sisäministeriö. Oops, Finland’s Ministry of the Interior. This one ministry is currently headed by Mari Rantanen of the Finns Party (part of a four-party coalition ruling Finland).

From https://kuvapankki.valtioneuvosto.fi/l/6XGsNcFkBjWV.

But Rantanen also has other responsibilities:

“Minister Rantanen is also responsible for matters related to integration covered by the Labour Migration and Integration Unit of the Ministry of Economic Affairs and Employment.”

Back to Interior. One huge clarification for U.S. people: other countries’ ministries of the interior bear no relation to the U.S. Department of the Interior, which concerns itself with parks and Native Americans and stuff. Minister Rantanen’s sphere of responsibility is quite different:

“Under the Government Rules of Procedure, the Ministry of the Interior is responsible for:

  • public order and security, police administration and the private security sector
  • general preconditions for migration and regulation of migration, with the exception of labour migration, as well as international protection and return migration 
  • Finnish citizenship
  • rescue services
  • emergency response centre operations
  • border security and maritime search and rescue services
  • national capabilities for civilian crisis management
  • joint preparedness of regional authorities for incidents and emergencies.”

These responsibilities result in this organization…whoops, organisation.

From https://intermin.fi/en/ministry/management-and-organisation.

There are five departments at the Ministry:

  • Police Department
  • Department for Rescue Services
  • Migration Department
  • Border Guard Department, which is the national headquarters for the Border Guard
  • Administration and Development Department

The units reporting directly to the Permanent Secretary are the International Affairs Unit and Communications Unit.

Directly under the Permanent Secretary are also guidance of Civilian Intelligence and the Finnish Security and Intelligence Service, 
Internal Audit and Advisory Staff to the Permanent Secretary

So, who’s gonna buy your biometric product or service in each of the 200 or so countries in which you may conduct business?

And for those who were waiting for it, here’s the song:

Presentation Attacks vs. Injection Attacks

Since I’m talking about presentation attack detection and injection attack detection a lot lately, I should briefly explain the difference between the two. This is from a Substack post I wrote last June.

Let’s say that you have an app on your smartphone that verifies that you are who you say you are.

  • Maybe it’s a banking app.
  • Maybe it’s an app that provides access to a government benefits account.
  • Maybe it’s an app that lets you enter a football stadium.

As part of its workflow, the app uses the smartphone camera to take a picture of your face.

But is that really YOUR face?

Presentation attack detection

A “presentation attack” occurs when the presented item is altered. In the case of a face presented to a smartphone camera, here are three examples of presentation attacks:

  • Your face is altered by makeup, a mask, or another disguise.
  • Your face is replaced by a printed photo of someone else’s face.
  • Your face is replaced by a digital photo or video on a monitor or screen.

Injection attack detection

But what if the image is NOT from the smartphone camera?

What if it is “injected” from another source, bypassing the camera altogether?

The victim doesn’t care

From the fraud victim perspective, it doesn’t matter whether a presentation attack or an injection attack is used.

The only thing that matters is that some type of deepfake fraud was used to fool the system.