There are various types of dedicated fingerprint reader devices, including multispectral readers that can examine the subdermal layers of your fingers. Even if your surface fingerprints are worn away by bricklaying, time, or other factors, multispectral fingerprint readers can identify you anyway.
Identity/biometrics firms don’t just create social media channels for the firms themselves. Sometimes they create social media channels dedicated to specific products and services.
That’s the good news.
Here’s the bad news.
[REDACTED]
As I write this, it’s March 3. A firm hasn’t updated one of its product-oriented social media channels since February 20.
That’s February 20, 2020…back when most of us were still working in offices.
It’s not like the product no longer exists…but to the casual viewer it seems like it. As I noted in a previous post, a 2020 survey showed that 76% of B2B buyers make buying decisions primarily based on the winning vendor’s online content.
The Hippocratic Oath imposes duties on medical professionals, including this one:
I will follow that system of regimen which, according to my ability and judgment, I consider for the benefit of my patients, and abstain from whatever is deleterious and mischievous.
As 1NURSE.COM notes, forensic nursing is multidisciplinary, operating “at the critical juncture of medical science and the legal system.”
Forensic nursing is a specialized branch that integrates medical expertise with forensic science to provide comprehensive care for individuals impacted by violence, abuse, or criminal activities. These professionals serve as a crucial link between the realms of healthcare and the legal system, collaborating with law enforcement, attorneys, and other professionals to gather evidence, provide expert testimony, and ensure justice for victims.
When I started my forensic career 29 years ago, I was solely involved in the capture and processing of fingerprints from criminals. If I may be honest, the well-being of the individual who provided the forensic evidence was NOT an overriding concern.
But within a year or two I started to get involved in the capture and processing of fingerprints from NON-criminals who were applying for and receiving government benefits.
For that market we HAD to concern ourselves with the well-being of our clients, to make fingerprint capture as easy as possible, and to treat our clients with the utmost respect.
In the end it didn’t matter, because in the popular mind fingerprinting was associated with criminals, and benefits recipients didn’t want to be treated like criminals no matter how nice we were. To my knowledge, all of the benefits recipient fingerprint programs in the United States have ceased.
Forensic nursing needs to gather the necessary forensic evidence while preserving the compassionate care that nurses are required to provide.
Invasive forensic techniques
So if we have to take care when gathering information from benefits recipients, imagine the level of care we need to take when gathering information from crime victims. Returning to 1NURSE.COM’s article, here are two of the tasks that forensic nurses must perform:
Sexual Assault Forensics: Specializing in sexual assault examination, forensic nurses provide not only compassionate care but also play a pivotal role in collecting evidence essential for legal proceedings. Their expertise ensures a sensitive approach while preserving the integrity of forensic evidence. Example: A forensic nurse conducting a sexual assault examination may collect biological samples and document injuries to aid in prosecuting the assailant.
Child Abuse Investigation: Forensic nurses are instrumental in assessing and documenting cases of child abuse. They collaborate with child protective services and law enforcement to ensure the safety and well-being of the child. Example: A forensic nurse working on a child abuse case may conduct a thorough examination to document injuries and provide expert testimony in court.
We have focussed a lot on how the investigation works when looking for crimes of a distressing nature but not actually how this investigation process can affect the victim of these crimes and put the victim first. This period can be incredibly distressing for the victim, and the investigation can make this worse as it is making the victim re-live this experience.
As part of their duties, the forensic nurse has to capture evidence from the very parts of the body that were assaulted during the abuse crime itself. No one wants to go through that again. How can evidence capture be less invasive?
Three ways to minimize invasive evidence capture
While it’s not possible to completely erase the pain that crime victims suffer during a forensic investigation, there are ways to minimize it. The Foster+Freeman article highlights three ways to do this:
Capture evidence via non-invasive techniques. As a supplier of alternate light source (ALS) technology, Foster+Freeman notes that its products can discover evidence, even at the subdermal layers, without touching the victim. “Using an ALS is a non-invasive and non-destructive way to examine potential evidence on the skin. This is especially important when dealing with fragile or sensitive skin, as it minimizes the risk of causing further harm during the examination process.”
Capture evidence quickly. Forensic nurses do not want to prolong an examination. There are ways to gather evidence as quickly as possible. For example, rather than using multiple ALS devices, you can use a single one; Foster+Freeman’s Crime-lite® X Serology Search Kit is “a multispectral light source that has been made with five wavelengths of light integrated into one unit.”
Capture evidence thoroughly. What’s the point of putting a victim through the trauma of evidence capture if it doesn’t result in a conviction? Because of this, it’s important to capture as much evidence as possible. A variety of alternate light sources accomplishes this.
Foster+Freeman is just one of a multifarious array of companies that supply evidence collection solutions to forensic nurses and other forensic professionals.
And no, Foster+Freeman didn’t sponsor this post, although Bredemarket is available to provide writing services to Foster+Freeman or to other companies who need to drive content results.
And now that I’ve successfully used “multifarious,” I need to find a way to use “deleterious.” Keep your eyes open.
Years ago, Steve Martin had a routine in which he encouraged his audience to say, in unison, that they promise to be different and they promise to be unique.
No, repeating the canned phrase about standing out from the crowd does NOT make you stand out from the crowd.
But wait. It gets worse.
The authenticity bot
When I reshared Rodriguez’s post, I wanted to illustrate it with an image that showed how many people use the phrase “stand out from the crowd.”
But while I couldn’t get that exact number on my smartphone search (a subsequent laptop search revealed 477 million search results), I got something else: Google Gemini’s experimental generative AI response to the question, bereft of irony just like everything else we’ve encountered in this exercise.
You see, according to Gemini, one way to stand out from the crowd is to “be authentic.”
Yes, Google Gemini really said that.
Google search results, including generative AI results.
Now I don’t know about a bot telling me to “be authentic.”
Rodriguez addresses “how” and “why”
Going back to Taylor “Taz” Rodriguez’s post, he had a better suggestion for marketers. Instead of using canned phrases, we should instead create original answers to these two questions:
HOW do you help your clients stand apart from the competition?
WHY have your past & current clientele chosen to work with you?
BOTH questions are important, both need to be addressed, and it really doesn’t matter which one you address first.
In fact, there are some very good reasons to start with the “how” question in this case. It’s wonderful for the marketer to focus on the question of how they stand apart from the competition.
In a recent project for a Bredemarket client, I researched how a particular group of organizations identified their online customers. Their authentication methods fell into two categories. One of these methods was much better than the other.
Multifactor authentication
Some of the organizations employed robust authentication procedures that included more than one of the five authentication factors—something you know, something you have, something you are, something you do, and/or somewhere you are.
For example, an organization may require you to authenticate with biometric data, a government-issued identification document, and sometimes some additional textual or location data.
Other organizations employed only one of the factors, something you know.
Not something as easy to crack as a password.
Instead they used the supposedly robust authentication method of “knowledge-based authentication,” or KBA.
The theory behind KBA is that if you ask multiple questions of a person based upon data from various authoritative databases, the chance of a fraudster knowing ALL of this data is minimal.
Sadly, Craig himself was recently a victim of fraud, and it took him several hours to resolve the issue.
I’m not going to repeat all of Craig’s story, which you can read in his LinkedIn post. But I do want to highlight one detail.
When the fraudster took over Craig’s travel-related account, the hotel used KBA to confirm that the fraudster truly was Steve Craig, specifically asking “when and where was your last hotel stay?”
Only one problem: the “last hotel stay” was one from the fraudster, NOT from Craig. The scammer fraudulently associated their hotel stay with Craig’s account.
This spurious “last hotel stay” allowed the fraudster to not only answer the “last hotel stay” question correctly, but also to take over Craig’s entire account, including all of Craig’s loyalty points.
And with that one piece of knowledge, Craig’s account was breached.
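The failure above comes down to where the KBA answer is drawn from. The following is an added example, not code from the hotel or from Craig’s post. It compares a question source that trusts the newest stay on the account with one that only uses stays whose link to the account was verified. The `link_verified` flag, the hotel names and the account data are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class Stay:
    hotel: str
    checked_out: date
    # Hypothetical flag: True only when the stay was attached to the account
    # after the guest's identity was checked by some other factor.
    link_verified: bool


@dataclass(frozen=True)
class Account:
    owner: str
    stays: Tuple[Stay, ...]


def kba_source_naive(account: Account) -> Optional[Stay]:
    """Weak pattern: the 'last hotel stay' is whatever record is newest."""
    return max(account.stays, key=lambda s: s.checked_out, default=None)


def kba_source_vetted(account: Account) -> Optional[Stay]:
    """Only stays with a verified link may back a KBA question.

    Returns None when no such stay exists, so the caller has to use a
    different factor rather than ask a question anyone could have seeded.
    """
    trusted = [s for s in account.stays if s.link_verified]
    return max(trusted, key=lambda s: s.checked_out, default=None)


def verify_caller(account: Account, claimed_hotel: str,
                  source: Callable[[Account], Optional[Stay]]) -> str:
    """Return 'pass', 'fail', or 'step-up' (KBA cannot be used at all)."""
    expected = source(account)
    if expected is None:
        return "step-up"
    return "pass" if claimed_hotel == expected.hotel else "fail"


# Constructed sample: one genuine stay, then a stay attached by someone else.
ACCOUNT = Account(
    owner="account-holder",
    stays=(
        Stay("Lakeside Lodge", date(2023, 11, 3), link_verified=True),
        Stay("Harbor Inn", date(2024, 2, 18), link_verified=False),
    ),
)
# Constructed sample: an account whose only stay has an unverified link.
SEEDED_ONLY = Account(
    owner="account-holder",
    stays=(Stay("Harbor Inn", date(2024, 2, 18), link_verified=False),),
)

if __name__ == "__main__":
    for name, source in (("naive", kba_source_naive), ("vetted", kba_source_vetted)):
        print(name, verify_caller(ACCOUNT, "Harbor Inn", source))
    print("seeded only:", verify_caller(SEEDED_ONLY, "Harbor Inn", kba_source_vetted))
```

Even the vetted source is still a single “something you know” check, so the “step-up” result is where a second factor belongs.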
The “knowledge” used by knowledge based authentication
Craig isn’t the only one who can confirm that KBA by itself doesn’t work. I’ve already shared an image from an Alloy article demonstrating the failures of KBA, and there are many similar articles out there.
The biggest drawback of KBA is that the assumption that ONLY the person can answer all the knowledge questions correctly is false. All you have to do is participate in one of those never-ending Facebook memes that tell you something based on your birthday, or your favorite pet. Don’t do it.
Ease of implementation. It’s easier to implement KBA than it is to implement biometric authentication and/or ID card-based authentication.
Ease of use. It’s easier to click on answers to multiple choice questions than it is to capture an ID card, fingerprint, or face. (Especially if active liveness detection is used.)
Ease of remembrance. As many of us can testify, it’s hard to remember which password is associated with a particular website. With KBA, you merely have to answer a multiple choice quiz, using information that you already know (at least in theory).
Let me add one more:
Presumed protection of personally identifiable information (PII). Uploading your face, fingerprint, or driver’s license to a mysterious system seems scary. It APPEARS to be a lot safer to just answer some questions.
But in my view, the risks that someone else can get all this information (or create spurious information) and use it to access your account outweigh the benefits listed above. Even Fraud.com, which lists the advantages of KBA, warns about the risks and recommends coupling KBA with some other authentication method.
But KBA isn’t the only risky authentication factor out there
We already know that passwords can be hacked. And by now we should realize that KBA could be hacked.
But frankly, ANY single authentication factor can be hacked.
After Steve Craig resolved his fraud issue, he asked the hotel how it would prevent fraud in the future. The hotel responded that it would use caller ID on phone calls made to the hotel. Wrong answer.
While the biometric vendors are improving their algorithms to detect deepfakes, no one can offer 100% assurance that even the best biometric algorithms can prevent all deepfake attempts. And people don’t even bother to use biometric algorithms if the people on the Zoom call LOOK real.
While the ID card analysis vendors (and the ID card manufacturers themselves) are constantly improving their ability to detect fraudulent documents, no one can offer 100% assurance that a presented driver’s license is truly a driver’s license.
Geolocation has been touted as a solution by some. But geolocation can be hacked also.
In my view, the best way to minimize (not eliminate) fraudulent authentication is to employ multiple factors. While someone could create a fake face, or a fake driver’s license, or a fake location, the chances of someone faking ALL these factors are much lower than the chances of someone faking a single factor.
You knew the pitch was coming, didn’t you?
If your company has a story to tell about how your authentication processes beat all others, I can help.
Whether you’re an employee or a sole proprietor, at some point you’re going to have to play well with others to get things done.
Bredemarket has performed this (fancy phrase: “cross-functional collaboration”), both as part of Bredemarket’s services and outside of it.
As an employee, I’ve managed SaaS proposal projects and other projects that needed the input of many.
Within Bredemarket, I’ve managed proposal and other projects of similar complexity.
Even though I’m not formally certified to do this, I do it anyway.
Pre-Bredemarket: I get SaaSy
Long before I started Bredemarket, I was managing products and proposals associated with an on-premise technology solution.
This solution had a long sales cycle (longer than Cloudflare’s, for example) and a long implementation time. After contract signature, it might take a year or more to lock down the requirements, procure the hardware and third-party software, configure the solution, perform a factory acceptance test, deliver the solution to the customer’s premises, perform one or more rounds of on-site testing, and obtain final acceptance.
But my employer wasn’t lacking in revenue during implementation, because it received partial payments as it passed various milestones. Perhaps a small percentage of the total price would be paid upon requirements completion. Another percentage at delivery. Additional percentages at different points in the implementation, with the final large payment upon acceptance.
But then I was the proposal manager for a prospect desiring a SaaS implementation.
The Request for Proposal (RFP) made it very clear that the prospect would not pay a dime to the successful bidder until AFTER the system was accepted and in productive use. Because that’s how SaaS implementations work.
This would have a major financial impact on my employer, since it would take a much longer time to recoup the initial costs of the implementation.
Without going into details…we didn’t, um, “win” the bid.
Several years later, the, um, SITUATION had changed, and my employer was more willing to accept the financial risks associated with SaaS implementations. I was still a proposal manager at the time and was able to work on my employer’s first successful SaaS bids. But that assumption of risk wasn’t the only barrier to success, because I had to work with a lot of different cross-functional collaborators to get those bids out.
The salespeople who wanted to sell the SaaS systems to their prospects.
The engineers who had to do the heavy lifting to transition our on-premise solution to a SaaS solution.
The program managers who had to keep an eye on the costs of the implementation to ensure that our employer’s financial risk was minimized.
The customer support people who had to manage the system after final acceptance, even though much of the system was in a cloud center somewhere instead of at the customer’s site.
The finance and pricing people who had to adjust to this new way of doing business.
The legal people who had to develop a brand new contract that encompassed the new reality.
Finally, the executives who were willing to take the risk to enter the SaaS market and who wanted to succeed without losing money.
I think this is when I made my observation about managers of large proposals. In a large project, the proposal manager is the only one who spends 100% of their time on the project. The salespeople are selling other deals, the engineers are engineering other stuff, and so forth. Therefore, it was up to me to ensure that everything continued to move forward, because while these bids were important to the others, they were critically important to me.
Anyway, these later bids had a much happier ending, the employer successfully entered the SaaS market, and as more customers moved from on-premise to SaaS models, thus evening out my employer’s income stream, the financial risk from SaaS proposals was reduced significantly.
That cross-functional collaboration experience, exercised on these bids and in many other instances over the years, would be put to the test a few years later when I started Bredemarket.
It’s one thing for a company employee to manage a project with a ton of people, none of whom report to you and most of whom outrank you.
It’s another thing when an outside contractor has to manage a project of inside employees.
One of my Bredemarket projects, which happened to be another proposal project, required me to do just that. While the proposal was much simpler than the bids constructed at my former employer, the effort still required a lot of shepherding to get all the pieces put together, obtain all the approvals, and get someone to submit the final proposal since I, as a non-employee, couldn’t do it myself.
Everything worked out, and the employees were great, but there were times when it seemed like I was the only one to keep an eye on all the tasks.
Something that I had never been formally trained to do.
Today’s acronym is PMP
Eventually I (temporarily) stopped working on finger/face projects for Bredemarket because I was employed by a finger/face company. And I found myself managing projects of similar complexity (the 80+ battlecard project, for example).
And that’s when I realized that I was a de facto project manager.
Even though I didn’t have the fancy certification to attest to this.
I toyed around with the idea of starting the certification progression in 2023, and even though my employer didn’t have the rigorous annual goal-setting processes that larger organizations have, I set a personal goal in one of my employer’s Asana projects to advance to CAPM by the end of 2023.
And then…things happened.
Perhaps at some point I’ll get the official piece of paper that I can flash around, but until then I’ll learn on my own, both by coursework and by…well…actually managing projects.
Before you can fully understand the difference between personally identifiable information (PII) and protected health information (PHI), you need to understand the difference between biometrics and…biometrics. (You know sometimes words have two meanings.)
Designed by Google Gemini.
The definitions of biometrics
To address the difference between biometrics and biometrics, I’ll refer to something I wrote over two years ago, in late 2021. In that post, I quoted two paragraphs from the International Biometric Society that illustrated the difference.
Since the IBS has altered these paragraphs in the intervening years, I will quote from the latest version.
The terms “Biometrics” and “Biometry” have been used since early in the 20th century to refer to the field of development of statistical and mathematical methods applicable to data analysis problems in the biological sciences.
Statistical methods for the analysis of data from agricultural field experiments to compare the yields of different varieties of wheat, for the analysis of data from human clinical trials evaluating the relative effectiveness of competing therapies for disease, or for the analysis of data from environmental studies on the effects of air or water pollution on the appearance of human disease in a region or country are all examples of problems that would fall under the umbrella of “Biometrics” as the term has been historically used….
The term “Biometrics” has also been used to refer to the field of technology devoted to the identification of individuals using biological traits, such as those based on retinal or iris scanning, fingerprints, or face recognition. Neither the journal “Biometrics” nor the International Biometric Society is engaged in research, marketing, or reporting related to this technology. Likewise, the editors and staff of the journal are not knowledgeable in this area.
In brief, what I call “broad biometrics” refers to analyzing biological sciences data, ranging from crop yields to heart rates. Contrast this with what I call “narrow biometrics,” which (usually) refers only to human beings, and only to those characteristics that identify human beings, such as the ridges on a fingerprint.
The definition of “personally identifiable information” (PII)
Information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.
Note the key words “alone or when combined.” The ten numbers “909 867 5309” are not sufficient to identify an individual alone, but can identify someone when combined with information from another source, such as a telephone book.
What types of information can be combined to identify a person? The U.S. Department of Defense’s Privacy, Civil Liberties, and Freedom of Information Directorate provides multifarious examples of PII, including:
Social Security Number.
Passport number.
Driver’s license number.
Taxpayer identification number.
Patient identification number.
Financial account number.
Credit card number.
Personal address.
Personal telephone number.
Photographic image of a face.
X-rays.
Fingerprints.
Retina scan.
Voice signature.
Facial geometry.
Date of birth.
Place of birth.
Race.
Religion.
Geographical indicators.
Employment information.
Medical information.
Education information.
Financial information.
Now you may ask yourself, “How can I identify someone by a non-unique birthdate? A lot of people were born on the same day!”
But the combination of information is powerful, as researchers discovered in a 2015 study cited by the New York Times.
In the study, titled “Unique in the Shopping Mall: On the Reidentifiability of Credit Card Metadata,” a group of data scientists analyzed credit card transactions made by 1.1 million people in 10,000 stores over a three-month period. The data set contained details including the date of each transaction, amount charged and name of the store.
Although the information had been “anonymized” by removing personal details like names and account numbers, the uniqueness of people’s behavior made it easy to single them out.
In fact, knowing just four random pieces of information was enough to reidentify 90 percent of the shoppers as unique individuals and to uncover their records, researchers calculated. And that uniqueness of behavior — or “unicity,” as the researchers termed it — combined with publicly available information, like Instagram or Twitter posts, could make it possible to reidentify people’s records by name.
Now biometrics only form part of the multifarious list of data cited above, but clearly biometric data can be combined with other data to identify someone. An easy example is taking security camera footage of the face of a person walking into a store, and combining that data with the same face taken from a database of driver’s license holders. In some jurisdictions, some entities are legally permitted to combine this data, while others are legally prohibited from doing so. (A few do it anyway. But I digress.)
Because narrow biometric data used for identification, such as fingerprint ridges, can be combined with other data to personally identify an individual, organizations that process biometric data must undertake strict safeguards to protect that data. If personally identifiable information (PII) is not adequately guarded, people could be subject to fraud and other harms.
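The “unicity” measurement from the study can be run against a data set before it is shared. This is an added example, not code from the study or from this post. The shopper records are constructed, the metric enumerates every k-point subset instead of sampling random ones, and the coarsening step (ISO week and store category) goes beyond what the post describes.

```python
from datetime import date
from fractions import Fraction
from itertools import combinations

# Constructed sample data: pseudonymous shopper id -> (date, store) purchases.
# Names and account numbers are already gone, as in the study's data set.
TRANSACTIONS = {
    "shopper-1": [("2015-01-05", "grocer-12"), ("2015-01-06", "cafe-3"),
                  ("2015-01-07", "fuel-8")],
    "shopper-2": [("2015-01-05", "grocer-12"), ("2015-01-06", "cafe-3"),
                  ("2015-01-08", "books-1")],
    "shopper-3": [("2015-01-05", "grocer-12"), ("2015-01-09", "cafe-7"),
                  ("2015-01-07", "fuel-8")],
    "shopper-4": [("2015-01-10", "grocer-4"), ("2015-01-06", "cafe-3"),
                  ("2015-01-07", "fuel-8")],
}


def unicity(traces, k):
    """Mean share of each shopper's k-point subsets that match no other shopper.

    1 means any k known purchases single out one record; 0 means none do.
    """
    sets = {uid: frozenset(points) for uid, points in traces.items()}
    per_user = []
    for uid, own in sets.items():
        if len(own) < k:
            continue  # this shopper has fewer than k distinct points
        subsets = [frozenset(c) for c in combinations(sorted(own), k)]
        unique = sum(
            1 for s in subsets
            if not any(s <= other for oid, other in sets.items() if oid != uid)
        )
        per_user.append(Fraction(unique, len(subsets)))
    if not per_user:
        return Fraction(0)
    return sum(per_user, Fraction(0)) / len(per_user)


def coarsen(traces):
    """Generalise every point to (ISO year, ISO week, store category)."""
    return {
        uid: [
            (*date.fromisoformat(day).isocalendar()[:2], store.split("-")[0])
            for day, store in points
        ]
        for uid, points in traces.items()
    }


def report(traces, max_k=3):
    """Unicity for k = 1..max_k, raw and after coarsening."""
    coarse = coarsen(traces)
    return {k: (unicity(traces, k), unicity(coarse, k)) for k in range(1, max_k + 1)}


if __name__ == "__main__":
    for k, (raw, coarse) in report(TRANSACTIONS).items():
        print(f"k={k}: raw unicity {raw}, coarsened unicity {coarse}")
```

On this sample no single purchase and no pair of purchases singles out shopper-1, but three purchases single out every shopper, which is the effect the researchers described.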
The definition of “protected health information” (PHI)
Protected Health Information. The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).”
“Individually identifiable health information” is information, including demographic data, that relates to:
the individual’s past, present or future physical or mental health or condition,
the provision of health care to the individual, or
the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.
Now there’s obviously an overlap between personally identifiable information (PII) and protected health information (PHI). For example, names, dates of birth, and Social Security Numbers fall into both categories. But I want to highlight two things that are explicitly mentioned as PHI that aren’t usually cited as PII.
Physical or mental health data. This could include information that a medical professional captures from a patient, including biometric (broad biometric) information such as heart rate or blood pressure.
Health care provided to an individual. This not only includes written information such as prescriptions, but oral information (“take two aspirin and call my chatbot in the morning”). Yes, chatbot. Deal with it. Dr. Marcus Welby and his staff retired a long time ago.
Robert Young (“Marcus Welby”) and Jane Wyatt (“Margaret Anderson” on a different show). By ABC Television. Uploaded by We hope at en.wikipedia – eBay item, photo information. Transferred from en.wikipedia by SreeBot, Public Domain, https://commons.wikimedia.org/w/index.php?curid=16472486
Because broad biometric data used for analysis, such as heart rates, can be combined with other data to personally identify an individual, organizations that process biometric data must undertake strict safeguards to protect that data. If protected health information (PHI) is not adequately guarded, people could be subject to fraud and other harms.
Simple, isn’t it?
Actually, the parallels between identity/biometrics and healthcare have fascinated me for decades, since the dedicated hardware to capture identity/biometric data is often similar to the dedicated hardware to capture health data. And now that we’re moving away from dedicated hardware to multi-purpose hardware such as smartphones, the parallels are even more fascinating.
New York was the state with the largest share of the nation’s tax revenue in the (third) quarter of 2023: $188.53 million or more than 37% of total tax revenue and gross receipts from sports betting in the United States. Indiana ($38.6 million) and Ohio ($32.9 million) followed.
Are you wondering why populous states such as California and Texas don’t appear on the list? That’s because sports betting is only legal in 38 states and the District of Columbia.
Sports betting in any form is currently illegal in California, Texas, Idaho, Utah, Minnesota, Missouri, Alabama, Georgia, South Carolina, Oklahoma, Alaska and Hawaii.
But the remaining states that allow sports betting need to ensure that the gamblers meet age verification requirements. (Even though they have a powerful incentive to let underage people gamble so that they receive more tax revenue.)
I received an email from Spotify for Podcasters (formerly Anchor) last Thursday. Here’s what the pertinent part of the email said.
Beginning June 2024, we are discontinuing Spotify for Podcasters’ proprietary creation capabilities as we refocus our attention on building the next generation of podcast tools. Specifically, the following features from Spotify for Podcasters will no longer be available for use:
Web recording and editing
Mobile recording and editing
Music + Talk
No changes will be made to already published episodes. These changes will only remove the ability to edit content of published episodes, drafts or publish new episodes with these specific features. As always, you can continue to use Spotify for Podcasters to publish upload-ready audio and video episodes on the web.