Stand Out From the Identity Crowd

A note to those of you in the identity/biometrics industry.

From Sandeep Kumar, A. Sony, Rahul Hooda, Yashpal Singh, in Journal of Advances and Scholarly Researches in Allied Education | Multidisciplinary Academic Research, “Multimodal Biometric Authentication System for Automatic Certificate Generation.”

Gartner has released a new report, “Emerging Tech: Security — How to Stay Relevant as an Identity Verification Vendor.” Because it’s better to be relevant than to be irrelevant.

Anthropological Alphonse Bertillon. By Jebulon – Own work, stitching of archives of Service Regional d’Identité Judiciaire, Préfecture de Police, Paris., CC0, https://commons.wikimedia.org/w/index.php?curid=37546591

When co-author Akif Khan promoted the report on LinkedIn, he made the following comment:

Identity verification (which Gartner defines as the ID-plus-selfie process) is arguably the topic that I get the most inquiry calls about, but I also cover >70 vendors in this space. My end-user clients struggle to differentiate between them, and as the market evolves, it will become tougher to stand out in the crowd.

From LinkedIn.

C. Maxine Most of Acuity Market Intelligence advocates a similar message about the need to stand out. She provides the following to her clients:

Innovate, differentiate, and outmaneuver the competition

From https://www.acuitymi.com/.

It is in the vendors’ interest to keep the identity market from becoming a commodity market. But how can vendors keep the market from becoming commoditized when (almost) everyone is sharing the exact same message?

  • Why are you in business? To provide trust.
  • What do you do? Trust stuff.
  • How do you do this? Trust us.

If all the identity companies are peddling the exact same thing, the cheapest vendor wins.

Which is why certain vendors strive to do things differently.

And I’m here to help.

I ask my clients questions before I start work so that we can craft the client’s unique message. Read Bredemarket’s e-book “Seven Questions Your Content Creator Should Ask You” for more details.

Are you ready to craft a message that looks just like everybody else’s? Well, I CAN’T help you with that.

Are you ready to craft your own message? Then let me tell you how Bredemarket CAN help you do this.

Identification Perfection is Impossible

(Part of the biometric product marketing expert series)

There are many different types of perfection.

Jehan Cauvin (we don’t spell his name like he spelled it). By Titian – Bridgeman Art Library: Object 80411, Public Domain, https://commons.wikimedia.org/w/index.php?curid=6016067

This post concentrates on IDENTIFICATION perfection, or the ability to enjoy zero errors when identifying individuals.

The risk of claiming identification perfection (or any perfection) is that a SINGLE counter-example disproves the claim.

  • If you assert that your biometric solution offers 100% accuracy, a SINGLE false positive or false negative shatters the assertion.
  • If you claim that your presentation attack detection solution exposes deepfakes (face, voice, or other), then a SINGLE deepfake that gets past your solution disproves your claim.
  • And as for the pre-2009 claim that latent fingerprint examiners never make a mistake in an identification…well, ask Brandon Mayfield about that one.

In fact, I go so far as to avoid using the phrase “no two fingerprints are alike.” Many years ago (before 2009) in an International Association for Identification meeting, I heard someone justify the claim by saying, “We haven’t found a counter-example yet.” That doesn’t mean that we’ll NEVER find one.

You’ve probably heard me tell the story before about how I misspelled the word “quality.”

In a process improvement document.

While employed by Motorola (pre-split).

At first glance, it appears that Motorola would be the last place to make a boneheaded mistake like that. After all, Motorola is known for its focus on quality.

But in actuality, Motorola was the perfect place to make such a mistake, since it was one of the champions of the “Six Sigma” philosophy (which targets a maximum of 3.4 defects per million opportunities). Motorola realized that manufacturing perfection is impossible, so manufacturers (and the people in Motorola’s weird Biometric Business Unit) should instead concentrate on reducing the error rate as much as possible.

So one misspelling could be tolerated, but I shudder to think what would have happened if I had misspelled “quality” a second time.

Announcing a WhatsApp Channel for Identity, Biometrics, ID Documents, and Geolocation

From NIST.

I’ve previously stated that Bredemarket is present on a bunch of social platforms.

Well, if you’re a subscriber to the Bredemarket mailing list, or to the Bredemarket Threads account, then you already know what I’m about to say. Bredemarket is now on one additional social platform…kinda sorta.

I’ll explain:

  • What WhatsApp channels are.
  • How this impacted me.
  • Most importantly, why this may, or may not, impact you.

(Long-time readers of the Bredemarket blog see what I did there. In reverse.)

What are WhatsApp channels?

Meta, the company that owns Facebook, Instagram, WhatsApp, Threads, and half the known universe, wants to keep people on those social platforms. They can check out any time they like, but they can never leave.

Scanned by Wikipedia user David Fell from the CD cover, Fair use, https://en.wikipedia.org/w/index.php?curid=14790284

So WhatsApp, the service that was originally intended for PRIVATE communications between people who knew each other’s phone numbers, is now your latest source for Kardashians news. Seriously; there are millions of people who follow the Daily Mail’s “Kardashians News” channel.

No, this is NOT a Kardashian (yet), but this is something that @cultpopcult would post (with a misattribution) so I’m doing it myself. By Office of Congressman Greg Steube – https://twitter.com/RepGregSteube/status/1451579098606620673, Public Domain, https://commons.wikimedia.org/w/index.php?curid=112088903

Some people are kinda sorta breathless about this, if you take the IMM Institute’s LinkedIn article “WhatsApp Channels: Revolutionising Business Communication” as evidence.

WhatsApp, a widely used messaging platform, has recently introduced a revolutionary feature known as WhatsApp Channels. This innovation empowers businesses to thrive by effectively communicating with a broader audience, sharing vital information, and engaging with customers in a more personalised and efficient manner.

From LinkedIn.

Revolutionary? Frankly, this isn’t any more revolutionary than the similar broadcasting feature in Instagram, with one important difference: not everyone can create an Instagram channel, but anyone with WhatsApp channel access can set up their own channel.

    Which got me thinking.

    How I was impacted by WhatsApp Channels

    I began mulling over whether I should create my own WhatsApp channel, but initially decided against it. Bredemarket has enough social media properties already, and the need to put Bredemarket stuff on WhatsApp is not pressing (the “100” WhatsApp group members get enough Bredemarket stuff already). The chances of someone ONLY being on WhatsApp and not on ANY other channel are slim.

    I’d just follow the existing WhatsApp channels on identity, biometrics, and related topics.

    But I couldn’t find any.

    So I created my own channel last Friday entitled “Identity, Biometrics, ID Documents, and Geolocation.”

    Why should you care?

    Why should you care about my WhatsApp identity channel? Maybe you SHOULDN’T.

    If you don’t use WhatsApp, ignore the WhatsApp channel.

    If you use WhatsApp but have other sources for identity industry information (such as my Facebook group/LinkedIn page), ignore the WhatsApp channel.

    But if you love WhatsApp AND identity, here is the follow link for “Identity, Biometrics, ID Documents, and Geolocation.”

    https://whatsapp.com/channel/0029VaARoeEKbYMQE9OVDG3a

    Geolocation Identifies People (Who Don’t Want To Be Identified)

    From https://nextdoor.com/p/ks5wW5n_csJB?utm_source=share&extras=NDk4MjIxOTI%3D

    A person in Upland, California posted this on the local NextDoor. While this is anecdotal and not statistical, the geolocation capabilities of a device (in this case AirPods) identified someone in possession of a stolen vehicle.

    Ransomware Doesn’t Celebrate a Holiday

    Government Technology posted an article on a ransomware attack that affected Ardent Health Services facilities in multiple U.S. states, including Texas, Idaho, New Mexico, Oklahoma, New Jersey, and Kansas over Thanksgiving Day, requiring some ambulances to be diverted and some services suspended.

    By Mangocove – Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=133200606

    Government Technology observed:

    The Thanksgiving timing of the attack is unlikely to be coincidental. Hackers are believed to see holiday weekends as an opportunity to strike while network defenders and IT are likely “at limited capacity for an extended time,” the Cybersecurity and Infrastructure Security Agency (CISA) has noted.

    From https://www.govtech.com/security/ransomware-impacts-health-care-systems-in-six-states

    And it’s not like the hackers are necessarily having to pass up on their turkey dinner. Few if any holidays are universal, and over 7 billion people (including many hackers) did NOT celebrate Thanksgiving last Thursday.

    Does this mean that companies need to INCREASE security staff during holiday periods?

    I’m Taking Small Business Saturday Off

    Although Bredemarket is a small business, I’m not doing anything for Small Business Saturday.

    Why not? Because Bredemarket is a B2B business and not a B2C business, most if not all of my clients have been closed since Wednesday afternoon enjoying the U.S. Thanksgiving holiday.

    Breakfast.

    So I’m celebrating a mostly non-business Saturday. Instead of filming Bredemarket content, I enjoyed a not-so-nutritious breakfast (skipping Starbucks AND Del Taco) and bought TWO birthday cards for my wife. (At 50¢ each, that’s an entire dollar!)

    Big birthday spender!

    See everyone Monday.

    Login.gov and IAL2 #realsoonnow

    Back in August 2023, the U.S. General Services Administration published a blog post that included the following statement:

    Login.gov is on a path to providing an IAL2-compliant identity verification service to its customers in a responsible, equitable way. Building on the strong evidence-based identity verification that Login.gov already offers, Login.gov is on a path to providing IAL2-compliant identity verification that ensures both strong security and broad and equitable access.

    From https://www.gsa.gov/blog/2023/08/18/reducing-fraud-and-increasing-access-drives-record-adoption-and-usage-of-logingov

    It’s nice to know…NOW…that Login.gov is working to achieve IAL2.

    This post explains what the August 2023 GSA post said, and what it didn’t say.

    But first, I’ll define what Login.gov and “IAL2” are.

    What is Login.gov?

    Here is what Login.gov says about itself:

    Login.gov is a secure sign in service used by the public to sign in to participating government agencies. Participating agencies will ask you to create a Login.gov account to securely access your information on their website or application.

    You can use the same username and password to access any agency that partners with Login.gov. This streamlines your process and eliminates the need to remember multiple usernames and passwords.

    From https://www.login.gov/what-is-login/

    Obviously there are a number of private companies (over 80 last I counted) that provide secure access to information, but Login.gov is provided by the government itself—specifically by the General Services Administration’s Technology Transformation Services. Agencies at the federal, state, and local level can work with the GSA TTS’ “18F” organization to implement solutions such as Login.gov.

    Why would agencies implement Login.gov? Because the agencies want to protect their constituents’ information. If fraudsters capture personally identifiable information (PII) of someone applying for government services, the breached government agency will face severe repercussions. Login.gov is supposed to protect its partner agencies from these nightmares.

    How does Login.gov do this?

    • Sometimes you might use two-factor authentication consisting of a password and a second factor such as an SMS code or the use of an authentication app.
    • In more critical cases, Login.gov requests a more reliable method of identification, such as a government-issued photo ID (driver’s license, passport, etc.).

    What is IAL2?

    At the risk of repeating myself, I’ll briefly go over what “Identity Assurance Level 2” (IAL2) is.

    The U.S. National Institute of Standards and Technology, in its publication NIST SP 800-63A, has defined “identity assurance levels” (IALs) that can be used when dealing with digital identities. It’s helpful to review how NIST has defined the IALs. (I’ll define the other acronyms as we go along.)

    Assurance in a subscriber’s identity is described using one of three IALs:

    IAL1: There is no requirement to link the applicant to a specific real-life identity. Any attributes provided in conjunction with the subject’s activities are self-asserted or should be treated as self-asserted (including attributes a [Credential Service Provider] CSP asserts to an [Relying Party] RP). Self-asserted attributes are neither validated nor verified.

    IAL2: Evidence supports the real-world existence of the claimed identity and verifies that the applicant is appropriately associated with this real-world identity. IAL2 introduces the need for either remote or physically-present identity proofing. Attributes could be asserted by CSPs to RPs in support of pseudonymous identity with verified attributes. A CSP that supports IAL2 can support IAL1 transactions if the user consents.

    IAL3: Physical presence is required for identity proofing. Identifying attributes must be verified by an authorized and trained CSP representative. As with IAL2, attributes could be asserted by CSPs to RPs in support of pseudonymous identity with verified attributes. A CSP that supports IAL3 can support IAL1 and IAL2 identity attributes if the user consents.

    From https://pages.nist.gov/800-63-3/sp800-63a.html#sec2

    So in its simplest terms, IAL2 requires evidence of a verified credential so that an online person can be linked to a real-life identity. If someone says they’re “John Bredehoft” and fills in an online application to receive government services, IAL2 compliance helps to ensure that the person filling out the online application truly IS John Bredehoft, and not Bernie Madoff.

    As more and more of us conduct business—including government business—online, IAL2 compliance is essential to reduce fraud.

    One more thing about IAL2 compliance. The mere possession of a valid government issued photo ID is NOT sufficient for IAL2 compliance. After all, Bernie Madoff may be using John Bredehoft’s driver’s license. To make sure that it’s John Bredehoft using John Bredehoft’s driver’s license, an additional check is needed.

    This has been explained by ID.me, a private company that happens to compete with Login.gov to provide identity proofing services to government agencies.

    Biometric comparison (e.g., selfie with liveness detection or fingerprint) of the strongest piece of evidence to the applicant

    From https://network.id.me/article/what-is-nist-ial2-identity-verification/

    So you basically take the information on a driver’s license and perform a facial recognition 1:1 comparison with the person possessing the driver’s license, ideally using liveness detection, to make sure that the presented person is not a fake.

    So what?

    So the GSA was apparently claiming how secure Login.gov was. Guess who challenged the claim?

    The GSA.

    Now sometimes it’s ludicrous to think that the government can police itself, but in some cases government actually identifies government faults.

    Of course, this works best when you can identify problems with some other government entity.

    Which is why the General Services Administration has an Inspector General. And in March 2023, the GSA Inspector General released a report with the following title: “GSA Misled Customers on Login.gov’s Compliance with Digital Identity Standards.”

    The title is pretty clear, but Fedscoop summarized the findings for those who missed the obvious:

    As part of an investigation that has run since last April (2022), GSA’s Office of the Inspector General found that the agency was billing agencies for IAL2-compliant services, even though Login.gov did not meet Identity Assurance Level 2 (IAL2) standards.

    GSA knowingly billed over $10 million for services provided through contracts with other federal agencies, even though Login.gov is not IAL2 compliant, according to the watchdog.

    From https://fedscoop.com/gsa-login-gov-watchdog-report/

    So now GSA is explicitly saying that Login.gov ISN’T IAL2-compliant.

    Which helps its private sector competitors.

    Is Your Healthcare Bot Healthy For You?

    Robert Young (“Marcus Welby”) and Jane Wyatt (“Margaret Anderson” on a different show). By ABC Television. Uploaded by We hope at en.wikipedia – eBay item, photo information. Transferred from en.wikipedia by SreeBot, Public Domain, https://commons.wikimedia.org/w/index.php?curid=16472486

    We’ve come a long way since the days of Marcus Welby, M.D. (who was a fictional character).

    • Back in the days of Marcus Welby, M.D., we trusted the doctor as the sole provider of medical information. Doctor knows best!
    • Later, we learned about health by searching the Internet ourselves, using sources of varying trustworthiness such as pharmaceutical company commercials.
    • Now, we don’t even conduct the searches ourselves, but let an artificial intelligence healthcare bot search for us, even though the bot hallucinates sometimes.

    A “hallucination” occurs when generative AI is convinced that its answer is correct, even when it is wrong. These hallucinations could be a problem—in healthcare, literally a matter of life or death.

    What can go wrong with AI healthcare?

    The Brookings Institution details several scenarios in which reliance on artificial intelligence can get messy from a legal (and ethical) standpoint. Here is one of them.

    For example, a counselor may tell a patient with a substance use disorder to use an app in order to track cravings, states of mind, and other information helpful in treating addiction. The app may recommend certain therapeutic actions in case the counselor cannot be reached. Setting aside preemption issues raised by Food and Drug Administration regulation of these apps, important questions in tort law arise. If these therapeutic actions are contraindicated and result in harm to the patient or others, is the app to blame? Or does the doctor who prescribed the app bear the blame?

    From https://www.brookings.edu/articles/when-medical-robots-fail-malpractice-principles-for-an-era-of-automation/

    Who is going to ensure that these bots can be trusted?

    Who is concerned? Yes.

    It seems to me they give these robot doctors now-a-days very peculiar names. By Public Domain – Snapshot Image – https://archive.org/details/ClassicComedyTeams, Public Domain, https://commons.wikimedia.org/w/index.php?curid=25914575

    That’s right. WHO is going to ensure that these bots can be trusted.

    A World Health Organization publication…

    …underscores the critical need to ensure the safety and efficacy of AI systems, accelerating their availability to those in need and encouraging collaboration among various stakeholders, including developers, regulators, manufacturers, healthcare professionals, and patients.

    From https://www.openaccessgovernment.org/who-outlines-responsible-regulations-needed-for-artificial-intelligence-in-healthcare/170622/

    According to WHO, its document proposes six areas of artificial intelligence regulation for health.

    • To foster trust, the publication stresses the importance of transparency and documentation, such as through documenting the entire product lifecycle and tracking development processes.
    • For risk management, issues like ‘intended use’, ‘continuous learning’, human interventions, training models and cybersecurity threats must all be comprehensively addressed, with models made as simple as possible.
    • Externally validating data and being clear about the intended use of AI helps assure safety and facilitate regulation.
    • A commitment to data quality, such as through rigorously evaluating systems pre-release, is vital to ensuring systems do not amplify biases and errors.
    • The challenges posed by important, complex regulations – such as the General Data Protection Regulation (GDPR) in Europe and the Health Insurance Portability and Accountability Act (HIPAA) in the United States of America – are addressed with an emphasis on understanding the scope of jurisdiction and consent requirements, in service of privacy and data protection.
    • Fostering collaboration between regulatory bodies, patients, healthcare professionals, industry representatives, and government partners, can help ensure products and services stay compliant with regulation throughout their lifecycles.
    From https://www.who.int/news/item/19-10-2023-who-outlines-considerations-for-regulation-of-artificial-intelligence-for-health

    The 61-page document, “Regulatory considerations on artificial intelligence for health,” is available via https://iris.who.int/handle/10665/373421.

    When the Metamessage Contradicts the Message, You Need a Case Study

    I recently published a post that asked three questions:

    • Isn’t it wonderful when a man loves a woman?
    • And isn’t it great to be born in the U.S.A.?
    • And didn’t the devil get what he deserved when he went down to Georgia?

    I answered those three questions as follows:

    • No.
    • No.
    • No.

    Apparently we weren’t paying attention to what these three songs actually SAID.

    But what happens when we DO pay attention to the message, but there’s a “metamessage” that is also conveyed that says something COMPLETELY different?

    By Rockero at English Wikipedia – Transferred from en.wikipedia to Commons., CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=3949535

    Gracious city livers of Upland (and others in other cities), read on. This post talks about:

      Let’s talk about metamessages

      There is a popular practice in which people ARE well aware of the original message, but only some of them discern the hidden message, or metamessage, behind those words.

      And you don’t have to look to business communication to find examples of this. Take the romantic world, in which the statement “If you go out with me I’ll treat you like the princess you are!” conveys the metamessage of predatory desperation. In the business world, “Let me take that under consideration” means that the speaker is not considering the proposal for a nanosecond.

      Sometimes many of us can’t discern the metamessage until long after the message is stated.

      • Remember the message that Whitney Houston gave to Diane Sawyer?
      Whitney Houston on crack, from https://www.youtube.com/watch?v=lqwBYognBzI

      Respect: We treat others as we would like to be treated ourselves. We do not tolerate abusive or disrespectful treatment. Ruthlessness, callousness and arrogance don’t belong here.

      Integrity: We work with customers and prospects openly, honestly and sincerely. When we say we will do something, we will do it; when we say we cannot or will not do something, then we won’t do it.

      Communication: We have an obligation to communicate. Here, we take the time to talk with one another…and to listen. We believe that information is meant to move and that information moves people.

      Excellence: We are satisfied with nothing less than the very best in everything we do. We will continue to raise the bar for everyone. The great fun here will be for all of us to discover just how good we can really be.

      From Enron’s Statement of Human Rights Principles.

      Now to be fair to Houston, the cocaine detected in her toxicology report may not have been CRACK cocaine, and cocaine was not the only substance detected. But now we know that while crack may have been “wack,” cocaine was OK, and marijuana, Xanax, and other things were OK too.

      I have no desire to be fair to Enron, but I guess we can say that “the very best in everything we do” can be defined as “maximizing personal value,” that there isn’t an “obligation to communicate” EVERYTHING, and that falsifying records does not necessarily mean ruthlessness or arrogance.

      When the metamessage agrees with the message

      How often do you roll your eyes in amusement when a business says something?

      Conversely, how often do you nod your head in agreement when a business says something?

      Now I’ll grant that there’s not universal agreement on whether Company X is truthful in its messaging. For every person who thinks that Apple is the last guardian of privacy on this planet, there is someone else who is convinced that Apple is an evil corporation who has (and I quote an anonymous source) “become what they accused Microsoft of.”

      But it doesn’t matter what the world thinks.

      What matters is what your prospect thinks.

      • Does your prospect think your company is telling the truth?
      • Does your prospect think your company is lying?
      • Does your prospect need more information to make a decision?

      How case studies help you reach message-metamessage agreement

      One powerful way to convince a doubting prospect is via a case study.

      No, not that type of case! By Michael Kammerer (Rob Gyp) – Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=37604962

      It always helps when someone else is singing your company’s praises. Especially when the subject of the case study backs up what you’ve been claiming all along.

      If your Inland Empire firm needs a case study, Bredemarket can create it for you. After I ask you some questions, I can craft a case study (with your approval and the approval of the case study subject) that emphasizes WHY your company serves your customers, and HOW the case study demonstrates this.

      Let’s talk.