Now that I quantified my proposal service accomplishments, it’s time for the content side

I won’t belabor you with the process of summing up Bredemarket’s content accomplishments for clients. Suffice it to say that I used Toggl Track and other sources, in a manner similar to the way in which I summed up Bredemarket’s proposal accomplishments for clients.

If you don’t want to be bothered with downloading a brochure, here’s a picture.

Or you can download the PDF.

Until I added everything up, I didn’t realize how many case studies I had written.

If you want to receive my 12th case study…

Using Toggl Track to quantify proposal services for marketing purposes

Bredemarket’s slogan should be “better late than never.” It took me a year to print business cards, and it has taken me almost a year to quantify my proposal services work for clients. But Toggl helped me quantify my work.

Incidentally, this post is NOT sponsored by Toggl. If I were smart I would have pitched this post to Toggl and gotten something substantive in return. But I’m not that smart; I’m just a happy Toggl Track user. Sure the service has had a couple of hiccups in April and August, but Toggl responded to these hiccups quickly. In general, Toggl Track has been very useful in tracking time, gathering data to bill clients, and (as I just discovered this week) very useful in quantifying Bredemarket’s work and accomplishments.

Quantifying hours per proposal

The whole Toggl Track quantification exercise started over the last couple of weeks, when I had two separate discussions with firms regarding the number of hours that a contractor usually spends responding to a request for something (proposal, information, comment, etc.). Acronym lovers can use RFx, RFP, RFI, RFC, etc. as needed.

After the second client raised the issue, I realized that my Toggl Track data contained time data on all of my billable proposals work. (Helpful hint: even with the free version of Toggl Track, you can set up project names to keep track of billable hours, although you have to manually calculate the billing yourself.)

So I logged into Toggl Track, selected the billable projects that I knew had Rfx hours, downloaded a comma-separated values (csv) version of all of the data from January 1, 2021 to present, opened the csv file in Excel, filtered out the columns that I didn’t need, filtered out the rows that didn’t pertain to RFx work, sorted the data by description (for example, “AFIS proposal for Noname County”), then subtotaled the hours at each change of description.

And then I realized that I did something wrong.

When the Toggl Track data was loaded into Excel, it used a standard hours-minutes-seconds format. What that meant was that the subtotals also displayed in a standard hours-minutes-seconds format. So if I had three time entries—one for 10:00:00, one for 9:00:00, and one for 8:00:00—the resulting subtotal would be 3:00:00, or only three hours.


I played around a bit with the number formats in the Duration column, and found a format (displayed in Excel as “37:30:55”) that correctly rendered my subtotals—in the example above, yielding the correct value of 27:00:00, or 27 hours.

So once I got the subtotals to work correctly, what did I find, based on my own RFx proposal work data?

  • One of my projects required approximately 20 billable hours of work.
  • Three of the projects required less than 20 billable hours per project.
  • The remaining three required more than 35 billable hours per project.

Obviously my results do not apply to other independent contractors, and certainly do not apply to employees who are involved much more intimately in a company’s proposal process. So don’t try to extrapolate my numbers and make the declaration “Studies show that nearly half of all RFx responses require over 35 hours of work per person.”

But this data gave me the information that I needed in my discussions with the second firm.

But this exercise raised another question that I should have answered long ago.

Quantifying total proposal work

As Bredemarket, I have not only worked on RFx responses, but have also worked on sole source responses, and on proposal templates.

But I’ve never compiled a definitive overview of all of my proposal work.

Now I’ve certainly discussed bits of my proposal work here and there. You’ve probably already seen the testimonial that I received from a client regarding my proposal template work:

“I just wanted to truly say thank you for putting these templates together. I worked on this…last week and it was extremely simple to use and I thought really provided a professional advantage and tool to give the customer….TRULY THANK YOU!”

But after the proposal hours exercise above, I decided that it was time to quantify this work.

  • How many competitive proposals have I worked on for clients?
  • How many sole source responses have I worked on for clients?
  • How many of these “extremely simple to use” (my client’s words, not mine) templates have I assembled?

Obviously I had all the data; I just had to pull it together.

So I went to Toggl Track (and to other sources) to quantify my total proposal work, searching for billable (and in the cases of Bredemarket’s own proposals, nonbillable) work and identifying all the projects.

Sharing the quantification

Once that was done, I was able to create a neat handy dandy summary.

Which I put into a brochure.

Which I then added to various pages on the Bredemarket website.

September 10, 2021 iterative revision to

And, of course, I’ll share the information in this blog post when I publish it and distribute it via my social media outlets-not forgetting Instagram, of course. (Did you notice that my statistical graphic is square? Now you know why.)

And I need to share this information in one more place, but that’s a topic for another time.

Can my proposal services help you?

If my experience (now with better quantification!) can help you with your proposal work, then please contact me.

Three reasons why Bredemarket doesn’t need its own Instagram account (and why I created one anyway)

In the course of doing business, Bredemarket has created some dedicated social media accounts, while also using some existing social media accounts of my own.

  • As I’ve mentioned ad nauseum, Bredemarket has its own dedicated LinkedIn page, LinkedIn showcase pages (including my new one), Facebook page, and Facebook groups.
  • Bredemarket doesn’t have its own Twitter account, but Bredemarket content is posted on the “professional” of my two Twitter accounts, @jebredcal.
  • Finally, as of yesterday Bredemarket didn’t have its own Instagram account.

Why didn’t Bredemarket have its own Instagram account? For three reasons:

  1. Reason 1: Bredemarket is a TEXT creation service, and that doesn’t lend itself to Instagram’s image-heavy environment. Let’s face it: if I were to take a picture of myself typing away at my computer right now, it would be VERY boring.
  2. Reason 2: Instagram is primarily an environment for influencers, viral content, and the like. Bredemarket wouldn’t really create content that fits into that environment.
  3. Reason 3: If I were to create an Instagram account, that would be just one more social media mouth to feed. And I as well as anyone else know that if you don’t feed the content beast, people will think you no longer exist.

Well, that sounds like three pretty convincing reasons NOT to start a Bredemarket Instagram account.

So why did I do it?

Because I looked at those three reasons right now, and decided that I was wrong on all three of them.

Start with reason 1, content creation. As time has gone on, I have created more and more visual content, including images of my (finally received) business card, brochure images with QR codes, and pictures of locations relevant to Bredemarket’s markets.

True, but as reason 2 asks, would this content fit into Instagram’s environment? Actually it would if used properly. After all, while perhaps the influencers receive the primary attention on Instagram, many of my people are there too, including biometrics companies, technologists, and (becoming more important) local businesses and organizations. My personal account has been interacting more and more with these accounts.

Finally, reason 3 and the whole “feed the beast” issue. Well, I’m already feeding the beast, because I’ve been creating Bredemarket posts on my personal Instagram account @johnebredehoft. So many Bredemarket posts, in fact, that I started a highlights category on my personal Instagram account for Bredemarket content. I’ve highlighted blog posts, podcasts, a video, Instagram posts from others, and related content.

Interestingly enough, one of the stories in that highlights category reminded me of something I had forgotten about. Obviously I’ve been weighing the question of a Bredemarket Instagram account for some time. About twenty weeks ago, I asked my personal Instagram account followers if I should create a separate Bredemarket account, and 60% of them said yes.

Of course, I’ve concentrated more on local business in the last twenty weeks (although I’m still addressing identity/biometrics/secure documents), so the case to market on Instagram is even more compelling.

So look for @bredemarket on Instagram. I’m just getting started.

(But I still wish that links in Instagram posts were clickable…)

A view of 9/11 from the 9/11 Commission’s border counsel

There are different ways to look at 9/11. I’m familiar with the reconstructions of Vice President Cheney’s actions in Washington on that day, and of President Bush as he flew around the country on that day (the only plane in the sky).

But what about the activities of the hijackers on that day, and in the months preceding that day?

All of this was examined by the 9/11 Commission. As a result of its investigation, this body made significant recommendations, some of which have only taken nearly two decades to implement, assuming they ARE implemented as (re) scheduled.

By Cleanup by Andrew_pmk (talk · contribs); straightened and cropped by Holek (talk · contribs) –, Public Domain,

Janice Kephart was border counsel to the 9/11 Commission, and has been involved in homeland security ever since that time. She is currently CEO and Owner of Identity Strategy Partners.

As the 20th anniversary of 9/11 approaches, Kephart has released a documentary. As she explains, the documentary contains a wealth of information from the 9/11 Commission’s investigation of the hijackers, much of which was never officially released. Her hope:

If we are never to forget, we must educate. That is the purpose of this documentary. It is history, it is legacy, from the person who knows the details of the hijacker’s border story and has continued to live it for the past 20 years. I hope it resonates and educates.

When listening to Kephart’s documentary, keep in mind how much our world has changed since 9/11. Yes, you went through a security screening before you boarded a plane, but it was nothing like the security screenings that we’ve gotten used to in the last 20 years. Before 9/11, you could walk all the way up to the gate to send off departing passengers or greet arriving ones. And identity documents were not usually cross-checked against biometric databases to make sure that applicants were telling the truth.

I personally was not as familiar with the stories of the hijackers as I was with the stories of Bush and Cheney. The documentary provides a wealth of detail on the hijackers. (Helpful hint: don’t be afraid to pause the video when necessary. There’s a lot of visual information to absorb.)

Toward the end of the documentary, Kephart concentrates on Mohamed Atta’s return to the U.S. in January 2001, when his tourist visa had already expired and his student visa application was still pending. Kephart notes that Atta shouldn’t have been allowed back into the country, but that he was let in anyway. The details regarding Atta’s January 2001 entry are discussed in detail in a separate report (see section III.B).

(Incidentally, Atta’s student visa application wasn’t approved until July 2001, and his flight school wasn’t notified until 2002.)

Kephart wonders what might have happened if Mohamed Atta had been denied re-entry into the United States in January 2001 because of the visa irregularities. Since Atta was the ringleader and the driving force behind the attack, would the denial of entry have delayed or even terminated the 9/11 attack plans?

If you want to view the documentary, it is hosted on YouTube.

Shattering my assumptions by using LinkedIn for local marketing

At the same time that Bredemarket helps other firms to market themselves, Bredemarket has to market ITSELF, including social media marketing. And for the past year I’ve subscribed to the following formula:

  • Use LinkedIn for professional marketing to biometric/identity and technology clients.
  • Use Twitter as a supplement to this.
  • Use Facebook as a supplement to this, and also use Facebook as Bredemarket’s sole foray into “general business” marketing.

It sounded like a good formula at the time…but now I’m questioning the assumptions behind it. And I’m hoping that I can prove one of my assumptions wrong.

My initial assumptions about marketing to local businesses

As I write this, Bredemarket has no clients in my hometown of Ontario, California, or in any of the nearby cities. In fact, my closest clients are located in Orange County, where I worked for 25 years.

It’s no secret that I’ve been working to rectify that gap and drum up more local business.

So this was an opportune time for me to encounter Jay Clouse’s September 2021 New Client Challenge. (It’s similar to a challenge Clouse ran in August 2020. Repurposing is good.) Clouse’s first question to all participants asked which market we would be targeting, and in my case the local small business market seemed an obvious choice.

And this dialogue played in my mind…

So when I market to local businesses, I’ll want to do that via relevant Facebook Groups. Obviously I won’t market the local services via LinkedIn or Twitter, because those services are not tailored to local service marketing.

Questioning my assumptions

Then I realized that I was wrong, for two reasons.

  1. First, there are LinkedIn groups that concentrate on my local area, just as there are LinkedIn groups that concentrate on biometrics. I had already quit a number of the dormant Inland Empire LinkedIn groups, but I was still a member of two such groups and could (tastefully) market there.
  2. If LinkedIn doesn’t provide an opportunity for me to do something, why don’t I tailor my use of LinkedIn and provide myself the opportunity?

Specifically, some of you may recall that I only have two LinkedIn showcase pages, but I have three Facebook groups.

  • “Bredemarket Identity Firm Services” is present on both LinkedIn and Facebook.
  • “Bredemarket Technology Firm Services” is present on both LinkedIn and Facebook.
  • “Bredemarket General Business Services” is only present on Facebook.

I explained the rationale for the lack of a third LinkedIn showcase page in a nice neat summary:

Using myself as an example, I have segmented my customers into markets: the identity (biometrics / secure documents) specific market (my primary market), the general technology market, and the general business market. I don’t even target the general business market on LinkedIn (I do on Facebook), but I’ve created showcase pages for the other two.

If you consider that “local business services” is a subset of “general business services,” some of you can see where this is going.


But it took a while for the thought to pound its way into my brain:

Why DON’T you target the (local) general business market on LinkedIn?

I could just create a new showcase page, a process that would only take a few minutes. I wouldn’t even have to create any new artwork, since I could simply repurpose the Facebook general business artwork and use it for a LinkedIn local business showcase page. (Repurposing is good.)

(As an aside, my approach to artwork for Bredemarket’s marketing segments was dictated by LinkedIn Stories. Which is now disappearing. Oh well.)

So anyway, LinkedIn is now the home of Bredemarket Local Firm Services.

Now I just have to populate the showcase page with content (and continue to do so), invite people to follow the new showcase page, and proceed on my plan for world domination, one loft at a time.

Call to action time

And if you’re a small business in the Ontario, California area, here’s some information on the services I can provide to you.

And if you want more detailed information, please visit (Read to the end.)

And if you want even more detailed information, contact me.

So which assumption will I shatter next?

I’d like to prove THIS assumption wrong:

(Still waiting for that $10,000 per hour client.)

A tool is not a way of…bad things

For years I’ve uttered the phrase “a tool is not a way of life,” and a recent statement from Rank One Computing reminded me of this fact. In a piece on the ethical use of facial recognition, Rank One Computing stated the following in passing:

[Rank One Computing] is taking a proactive stand to communicate that public concerns should focus on applications and policies rather than the technology itself.

I emphatically believe that all technologies are neutral. They can be used for good, or they can be used for…bad things.

And yes, facial recognition has been misused.

It is an undeniable fact that a police jurisdiction used a computerized facial recognition result as a justifiable reason for arrest, rather than as an investigative lead that would need to be supported by additional evidence.

But that incident, or ten incidents, or one hundred incidents, does NOT mean that ALL uses of facial recognition should be demonized, or even that SELECTED uses of facial recognition should be demonized (Amazon bad; Apple good).

Policies are not foolproof

Now I will grant that establishment of a policy or procedure does NOT necessarily mean that people will always act in compliance with that policy/procedure.

As an example, one accepted practice in lineup generation is double-blind lineup generation, in which you have different people involved in different parts of the lineup generation and witness viewing process. For example, these two roles can be distinct:

  • A person who knows who the arrested individual is creates the lineup (with additional safeguards to ensure that the created lineup isn’t biased).
  • A second person who DOESN’T know who the arrested individual is shows the lineup to the witness and records what the witness says and doesn’t say when viewing the lineup. The reason for the presence of a separate person is to ensure that the person administering the lineup doesn’t provide subconscious (or conscious) hints as to who the “right” person would be.

Now you can set up your police department’s procedures to require this, and your software vendor could design its software to support this. But that doesn’t prevent a corrupt Chief of Police from saying, “Jane, I want you to create the lineup AND show it to the witness. And make sure the witness chooses the RIGHT guy!”

But policy-based facial recognition is better than no facial recognition at all

But…if I may temporarily allow myself to run a tired cliché into the ground, that doesn’t mean you throw out the baby with the bathwater.

From 1512. Old clichés are old. Public Domain,

Rather than banning facial recognition, we should concentrate on defining ethical uses.

And there’s one more thing to consider. If you ban computerized facial recognition, how are you going to identify people? As I’ve noted elsewhere, witness (mis)identification is rampant with biases that make even the bottom-tier facial recognition algorithms seem accurate.

Bredemarket content marketing services for small businesses in and around Ontario, California (The September 1 iteration)

There’s a sentence on the home page for Bredemarket that you may have glossed over, but it’s one that’s been on my mind for the past year.

Bredemarket presently offers its services to identity/biometrics, technology, and general business firms, as well as to nonprofits.

In this post, I’m going to zero in on a small subset of the third market, “general business firms,” and see how Bredemarket can help them.

Read on if you own a small, arty business in the Emporia Arts District of Ontario, or perhaps a larger, less arty business north of Holt in Ontario, or perhaps even a business in Upland or Montclair.

Identity/biometrics and technology are good to go

These markets are intentionally expressed in a particular order.

  • It’s no surprise to anyone that reads my content that I’ve listed identity/biometrics first. After all, I’ve spent over 25 years in the identity/biometrics space, and therefore feel justified to self-reference as the biometric content marketing expert and the biometric proposal writing expert.
  • Technology is second on the list. As a matter of fact, Bredemarket’s first customer was a technology firm. And while I can’t necessarily speak to technology in the same depth that I can devote to identity and biometrics, I can clearly help technology clients with their content marketing and their proposals.

Getting more specific about “general business”

Which brings us to general business firms. (This post won’t even touch the fourth market, nonprofits.) This is obviously a broad category. Even if you don’t count sole proprietors (such as myself) or freelancers, there are somewhere around 7.7 million businesses in the United States. (This figure is from 2016; I’m not sure if it’s gone up or gone down in the last five years.) Now if you include sole proprietors in the total, then you’re talking about 32 million businesses. (This particular number may have actually increased over time.)

And the vast majority of those millions of businesses aren’t working in identity, biometrics, or even technology.

Obviously I can’t target them all. Well, I could try, but it would be a little ridiculous.

So what if I took a subset of those 32 million businesses and tried to see if Bredemarket could serve that subset?

The local small business persona

When you want to market to a particular group, you develop a persona that represents that group. You can then develop a profile of that persona: the persona’s needs, aspirations, and expectations; the persona’s underlying goals and values; and perhaps some other elements. The persona may be developed via extensive research, or perhaps via…a little less quantification.

So I began musing about a small business owner in my hometown of Ontario, California. Perhaps someone whose business is located here.

For those who aren’t from around here, the Emporia Arts District is in downtown Ontario, California, west of Euclid and south of Holt. While much of the activity is concentrated in the set of lofts/working spaces whose entrance is pictured here, there are also surrounding businesses that can be considered part of the district. And of course you can walk east of Euclid and north of Holt and find a wider variety of businesses.

But I concentrated on the businesses in the Emporia Arts District, noting that they’re…well, they’re arty. Let’s put it this way: my stick figures would not be attractive to them.

I did not draw this myself. Originally created by Jleedev using Inkscape and GIMP. Redrawn as SVG by Ben Liblit using Inkscape. – Own work, Public Domain,

Looking at my two general offerings, proposal services and content marketing, it’s fairly unlikely that my proposal services would interest this crowd. If these business ARE submitting proposals, they are most likely applying for federal, state, or local grants, and that’s somewhat outside of my area of expertise.

(Tangential comment to those who click on links: having fun is good.)

But can my content marketing services provide value to the businesses in the Emporia Arts District (and elsewhere in Ontario and the surrounding cities)?

I realized that I DID have something to offer here.

What if your local business needs a short text piece?

After all, my writing services can be fairly flexible. While I originally envisioned that my Bredemarket 400 Short Writing Service could apply to content such as blog posts or LinkedIn posts, it could just as easily apply to a general brochure of 400 to 600 words with customer-provided pictures of artwork, classes, clothing, haircuts, or whatever.

Chances are it will be a little more exciting than this.

Or maybe not. (The story behind the piece of content above, developed when my business card order got delayed, is told here. Storytelling is good.)

The same overall process can apply to a small craft brochure just as it can apply to a discussion of the benefits of using an Adobe-trained marketing systems consultant. In either case, the engagement would start with a series of questions:

  • What is the topic of the content?
  • What is the goal that you want to achieve with the content?
  • What are the benefits (not features, but benefits) that your end customers can realize by using your product or service?
  • What is the target audience for the content? (I’m not the only one who’s establishing personas.)
  • There are other questions that I may ask, but you can see the whole process here.

Once these major items are established (starting off a project correctly is good), I can get writing, you can get reviewing, and I can provide you with the final product. You can then post an electronic version of the content on your website, or you can hand it out to people who stop by your business or loft or farmer’s market stall or whatever. (Intangible and tangible content are BOTH good.)

What if your local business needs a longer text piece?

Maybe 400 to 600 words isn’t enough. Maybe you want a longer piece, such as an entire product/service catalog, or a catalog listing a whole slew of businesses (maybe all the businesses at a farmer’s market).

I can help with that too. My Bredemarket 2800 Medium Writing Service, originally intended for longer white papers, can be repurposed for other types of content.

As you can guess, the target number of words for my service is 2800 words, or up to 3200 words.

The process can be a little more intricate also. Because there is more text to review, the review cycles can be longer. And I may ask a few more questions at the beginning. But in essence it’s similar to the process for the shorter writing service, with basic questions about the topic, goal, benefits, and target audience. You can see the entire process here.

What if you want more than 600 words, but less than 2800 words?

I’ll work with you. (Flexibility is good.)

If you can use one of my content marketing services, what are the next steps?

The next step is to contact me.

So what is Bredemarket going to do next?

Share this online in places where you may see it. (Targeted content distribution is good.)

After that, repurpose (repurposing is good) this long, meandering blog post into some other type of content that I can distribute to businesses in the Emporia Arts District…or north of Holt…or in Upland or Montclair. Blog posts are transitory, and I’ll often express something in blog form and then pin it down in another format later.

Perhaps you can do the same, once I’ve created content for you.

IATA endorses the EUDCC. But will it matter?

In a Bredemarket blog post in February 2021, I quoted something that I wrote in 2013 in one of my personal blogs, Empoprise-BI.

I’m sure that many people imagine that standards are developed by a group of reasonable people, sitting in a room, who are pursuing things for the good of the world.

You can stop laughing now.

As I noted back in 2013, and again in February, there are many instances in which standards do not evolve from a well-designed process. In reality, standards emerge via that process that I referred to in February as “brute force.”

By イーストプレス – 「ゴング格闘技」=1951年のブラジル地元新聞からの転載, Public Domain,

For those who are not familiar with the “brute force” process, I’ll provide two illustrations.

  • If a lot of people like something, it’s a standard.
  • If a trillion dollar company likes something, and I like something different, then the thing that the trillion dollar company likes is a standard.

If two trillion dollar companies like two different things…it can get messy.

Back in February, I was just beginning to talk about something that I called “health passports” at the time. Later, I personally decided that “health passports” is a poor choice of words, and have instead gravitated to using the phrase “vaccine certificate.”

Regardless, my concern back in February was that there were all sorts of these things floating around. Even back then, Clear had its own solution, IATA had one, IBM had one, iProov had one, Daon had one, and there were many, many more.

So what happens if I have a Clear vaccine certificate but the airline or building that I’m approaching supports the iProov certificate? Can the iProov certificate read the Clear certificate? Or do I have to get multiple certificates?

This post looks at a new development in the vaccine certificate brouhaha. I’m not talking about what vaccines are honored by the vaccine certificate, but about acceptability of the vaccine certificates themselves. In particular, I’m talking about acceptance of one certificate, the EU Digital COVID Certificate (EUDCC).

Because one big player is getting behind it.

How do international air transport folks feel about the EUDCC?

While the EUDCC can conceivably be used for a number of use cases, such as entering a private business like a restaurant, one of the most popular use cases for the EUDCC is to board an airplane that is crossing an international border.

So if there was an organization that was dedicated to the business of flying airplanes across international borders, and if that organization thought that the EUDCC was pretty cool, then that endorsement would have as much pull as Google (and Facebook) endorsing a web image format.

Enter the (drumroll) International Air Transport Association, which issued a press release on 26 August.

The title?

“IATA Backs European Digital Covid Certificate as Global Standard.”

Now those who read my February post will recall that IATA was one of those groups that was already developing its own vaccination certificate. So how does the EUDCC compare with the the IATA Travel Pass?

The DCC…is fully supported by IATA Travel Pass.

But in addition to mere self-interest, there is another reason why IATA is endorsing the EUDCC: it’s supported by a lot of countries inside the EU, and other countries are looking at the EUDCC as a model.

The EU DCC is implemented in the 27 EU Member states and a number of reciprocal agreements have been agreed with other states’ own vaccination certificates, including Switzerland, Turkey, and Ukraine. In the absence of a single global standard for digital vaccination certificates, up to 60 other countries are looking to use the DCC specification for their own certification. 

Oh no, I’m just looking

However, it’s one thing to be “looking” at something, and another thing entirely to actually “do” something.

Before assuming that the EUDCC will become the de facto DCC, consider how two countries in particular will approach it.

This image or media was taken or created by Matt H. Wade. To see his entire portfolio, click here. @thatmattwade This image is protected by copyright! If you would like to use it, please read this first. – Own work, CC BY-SA 3.0,

One of those countries is my own, the United States of America. While one can argue whether or not the U.S. enjoys the same level of power that it enjoyed immediately after the end of the Cold War, it is still a major player in world economic and travel affairs. And regardless of who the President of the United States is at any given time, the U.S. has often decided to go its own way. Couple this with the power of individual U.S. states in my country’s federal system, and it’s quite possible that even if the U.S. goes along with IATA, and some form of the EUDCC is adopted by our Transportation Security Administration, that does not necessarily mean that the same certificate can be used as it is in Europe to grant access to museums, sporting events, and concerts.

The other country that may have an issue with the EUDCC is China. If the United States is potentially a waning world power, China is potentially a gaining world power. The relationship between China and the rest of the world varies from time to time and from issue to issue. China may decide that it’s not in its best interest to adhere to an international standard for certifications of COVID vaccination, testing, or contraction. And if it’s not in China’s best interest, China won’t do it.

So before declaring that IATA endorsement of the EUDCC settles the issue…we’ll see.

The (possible) Afghan data treasure trove doesn’t just threaten the Taliban’s enemies

Recent events in Afghanistan have resulted in discussions among information technology and security professionals.

Taliban fighters in Kabul, Afghanistan, 17 August 2021. By VOA –, Public Domain,

One August 17 article from the Intercept hit close to home for me:

THE TALIBAN HAVE seized U.S. military biometrics devices that could aid in the identification of Afghans who assisted coalition forces, current and former military officials have told The Intercept.

This post talks about the data the Taliban could POTENTIALLY get from captured biometric devices and other sources, and how that data could conceivably pose a threat to the Taliban’s enemies AND the Taliban itself.

What data could the Taliban get from biometric devices?

The specific device referenced by the Intercept article was HIIDE…and let’s just say that while I don’t know as much about that device as I should, I do know a little bit about it. (It was manufactured by a company that was subsequently acquired by Safran.)

Another source implies that the Taliban may have acquired another device that the Intercept DIDN’T reference. The Taliban may not only have acquired live HIIDE devices, but also may have acquired devices from another company called SEEK.

(Yes, folks, these devices are called HIIDE and SEEK.)

At the time that this was revealed, I posted the following comment on LinkedIn:

Possession is not enough. Can the Taliban actually access the data? And how much data is on the devices themselves?

Someone interviewed by the Intercept speculated that even if the Taliban did not have the technological capability to hack the devices, it could turn to Pakistan’s Inter-Service Intelligence to do so. As we’ve learned over the years, Pakistan and the Taliban (and the Taliban’s allies such as al Qaeda) are NOT bitter enemies.

As I said, I don’t know enough about HIIDE and SEEK, so I’m not sure about some key things.

  • For example, I don’t know whether their on-board biometric data is limited to just biometric features (rather than images). While there’s the possibility that the devices stored biometric images, that has a drawback because of the large size of the images. Features derived from the images (which are necessary in matching anyway) take up much less storage space. And while biometric images are necessary in some cases (such as forensic latent fingerprint examination), there’s no need for images in devices that make a hit/no-hit decision without human intervention.
  • In addition, I don’t know what textual data is linked to the features (or images) on these devices. Obviously the more textual information that is available, such as a name, the more useful the data can be.
  • Also, the features stored on the devices may or may not be useful. There is no one standard for the specification of biometric features (each vendor has its own proprietary feature specification), and while it may be possible to convert fingerprint features from one vendor system to be used by another vendor’s system, I don’t know if this is possible for face and iris features.

Best-case scenario? Even if the Taliban or its friends can access the data on the devices, the data does not provide enough information for it to be used.

Worst-case scenario? The data DOES provide enough information so that EVERY PERSON whose data is stored on the device can be identified by a Taliban-equivalent device, which would presumably be called FIND (Find Infidels, Neutralize, Destroy).

I’ll return to that “every person” point later in this post.

But biometric data isn’t the only data that might have fallen into the Taliban’s hands.

What data could the Taliban get from non-biometric devices?

Now Politico has come out with its own article that asserts that the Taliban can potentially acquire a lot of other data. And Politico is not as pessimistic as the Intercept about the Taliban’s tech capabilities:

That gives today’s technologically adept Taliban tools to target Afghans who worked with the U.S. or the deposed Afghan government with unprecedented precision, increasing the danger for those who don’t get out on evacuation flights.

Before looking at the data the Taliban may have acquired, it’s useful to divide the data sources between data acquired from clients and data acquired from on-premise servers. HIIDE and SEEK, for example, are clients. (I’m only talking about on-premise servers because any data stored in a US government cloud can hopefully be secured so that the Taliban can’t get it. Hopefully.)

Unlike HIIDE and SEEK, which are mobile client devices, the Politico article focuses on data that is stored on on-premise Afghan government servers. It notes that American IT officials were more likely than Afghan IT officials to scrub their systems before the Taliban takeover, and one would hope that any data stored in US government cloud systems could also be secured before the Taliban could access it.

So what types of data would the Afghan government servers store?

Telecom companies store reams of records on who Afghan users have called and where they’ve been. Government databases include records of foreign-funded projects and associated personnel records.

More specifics are provided regarding telecom company data:

Take call logs. Telecommunications companies keep a record of nearly every phone call placed and to whom. U.S. State Department officials used the local cell networks to make calls to those who were working with the United States, including interpreters, drivers, cooks and more…

And mobile phone data is even more revealing:

Cell phones and mobile apps share data about users with third-party apps, such as location data, that the Taliban could easily get…

The geolocation issue has been known for years. Remember the brouhaha when military users of a particular fitness app effectively revealed the locations of secret U.S. military facilities?

Helmand province in Afghanistan. Photograph: Strava heatmap. Reproduced at

In locations like Afghanistan, Djibouti and Syria, the users of Strava seem to be almost exclusively foreign military personnel, meaning that bases stand out brightly. In Helmand province, Afghanistan, for instance, the locations of forward operating bases can be clearly seen, glowing white against the black map.

Now perhaps enemy forces already knew about these locations, but it doesn’t help to broadcast them to everyone.

Back to Afghanistan and other data sources.

Afghan citizens’ ethnicity information can also be found in databases supporting the national ID system and voter registration.

This can be used by digital identity opponents to argue that digital identity, or any identity, is dangerous. I won’t dive into that issue right now.

Politico mentions other sources of data that the Taliban could conceivably access, including registration information (including identity documents) for non-governmental organization workers, tax records, and military commendation records.

So if you add up all of the data from all of the Afghan servers, and if the Taliban or its allies are able to achieve some level of technical expertise, then the data provides enough information so that EVERY PERSON whose data is stored on the servers can be identified by the Taliban.

Before we completely panic…

Of course it takes some effort to actually EMPLOY all of this data. In the ideal world, the Taliban would create a supercomputer system that aggregates the data and creates personal profiles that provide complete pictures of every person. But the world is not ideal, even in technologically advanced countries: remember that even after 9/11, it took years for the U.S. Departments of Justice, Homeland Security, and Defense to get their biometric systems to talk to each other.

Oh, and there’s one more thing.

Remember how I’ve mentioned a couple of times that the Taliban could conceivably get information on EVERY PERSON whose data is stored on these devices and servers?

One thing that’s been left unsaid by all of these commentaries is that this data trove not only reveals information about the enemies of the Taliban, but also reveals information about the Taliban itself.

  • The HIIDE and SEEK devices could include biometric templates of Taliban members (who would be considered “enemies” by these devices and may have been placed on “deny lists”).
  • The telecommunications records could reveal calls placed and received by Taliban members, including calls to Afghan government officials and NATO members that other Taliban members didn’t know about.
  • Mobile phone records could reveal the geolocations of Taliban members at any time, including locations that they didn’t want their fellow Taliban members to know about.
  • In general, the records could reveal Taliban members, including high-ranking Taliban members, who were secretly cooperating with the Taliban’s enemies.

With the knowledge that all of this data is now available, how many Taliban members will assist in decrypting this data? And how many will actively block this?

Oh, and even if all of the Taliban were completely loyal, any entity (such as the Pakistani Inter-Service Intelligence) that gets a hold of the data will NOT restrict its own data acquisition efforts to American, NATO, and former Afghan government intelligence. No, it will acquire information on the Taliban itself.

After all, this information could help the Pakistanis (or Chinese, or Russians, or whoever) put the, um, finger on Taliban members, should it prove useful to do so in the future.

Then again, Pakistan may want to ensure that its own digital data treasure trove is safe.

And now I’m unboxing tangible collateral

Yes, this is post five in a series.

We”ll start with the end result, and then detail how it got here.

(Yes, I know an unboxing post is supposed to save the final result of the unboxing until the end, but I got excited. I’ll repeat this picture at the end to keep the story straight.)

I created tangible collateral

As I detailed in the third post in the series, back on August 9 I was preparing to attend my first in-person event in a long time.

I’m going to an in-person event next week. For my younger readers (i.e. those who developed awareness after 2019), an “in-person event” is something where you are actually in the same room as the people that you are meeting, rather than looking at them in boxes on your computer screen

Who knew that this was the future of communication? By screenshot, Fair use,

After registering for the event, I realized that I had never printed business cards for Bredemarket. So I designed one on Canva and ordered it that same day, August 9.

I waited for tangible collateral

Canva filled the order and turned it over to a delivery service on August 10. I won’t name the delivery service, but it does business with the federal government and has an express business in addition to its ground business.

And the delivery service provides some good tracking of all the packages that it handles. I’d simply reproduce the tracking entries, but the most recent stops are first, which doesn’t lend itself to storytelling. So I’ll just reproduce selected stops on the way.

Tuesday, August 10, 2021
8:30 PMHENDERSON, NVLeft FedEx origin facility
6:32 PMHENDERSON, NVShipment exceptionBarcode label unreadable and replaced
6:05 PMHENDERSON, NVArrived at FedEx location
3:06 PMHENDERSON, NVPicked up
8:05 AMShipment information sent to FedEx

That’s actually pretty nice, I thought at the time. The order was fulfilled within a few hundred miles of Bredemarket’s world headquarters in Ontario, California, and would certainly arrive in time for my in-person meeting.

Wednesday, August 11, 2021
1:05 AMBLOOMINGTON, CAArrived at FedEx location

Very nice. Bloomington is within 20 miles of Ontario, so obviously I should expect my business cards to be delivered by the end of the week.

Friday, August 13, 2021
11:55 PMDEMING, NMIn transit
10:52 AMBLOOMINGTON, CADeparted FedEx location

Um, wait a minute. (Only now did I realize that this transit happened on Friday the 13th. Figures.)

I won’t reproduce the next few entries, but suffice it to say that as of 3:12 pm Central Time on Saturday, August 14, the package arrived at a location in Fort Worth, Texas.

By Tuesday, August 17, my package was still in Texas, and obviously wasn’t going to make it in time for my Wednesday night meeting. As I noted in the fourth post in the series, however, I had a workaround.

So that’s what I handed out on Wednesday, August 18. (Well, the first person only took a picture of the handout rather than taking the handout himself, because he prefers intangible things.)

At one point my expected delivery date was Thursday, August 19. That date came and went without business cards, but at least I got a podcast episode out of it.

Late that night, with my package still in Texas and no updated arrival date, I contacted Canva (even though it wasn’t Canva’s fault) because there wasn’t an efficient way to contact the delivery service. At the time I wondered if the package were truly lost and if I’d need Canva to replace it. I received an email from Canva that pretty much said to wait and see what happened.

Our records show that your print order…is currently in transit to your shipping address….

For a more detailed information about the delivery status, we highly suggest reaching out to the carrier since the order was already dispatched.

However, at the same time that I was filing things with Canva, I was also tweeting about it. And for those who don’t realize this, the social media people for many companies are proactive and really want to help.

Here to sort this out for you, John! Could you DM us your ticket ID (JTP-###…)? We’ll take a look! ^cv

The tweet actually contradicted the email (which said to contact the delivery service). But by the time Canva tweeted the request for my ticket ID, the delivery service had updated my status.

(And yes, I was checking Twitter before 5:00 am. Normally I don’t, but by this time I was really getting bugged about my wandering business cards.)

Later that day, my package finally left its Texas location. I had a momentary fear when it departed…a fear that people who live in Ontario, California will easily understand. Was my package headed back toward Ontario, California…or on its way to Ontario, Canada?

Thankfully, my package was in Deming, New Mexico on Friday evening, so at least it was headed in the right direction.

By Saturday, August 21, the package was back in Bloomington, California. But where would it go next?

Oh, and to top things off, in the middle of this I received a phishing attempt at one of my non-Bredemarket email addresses. Obviously this had nothing to do with my REAL shipment, but I still found it pretty funny.

Just in case anyone is unclear about this, the email DIDN’T really come from DHL. And if DHL were to ask US customers to pay a fee over the Internet, that fee wouldn’t be charged in Australian dollars.

Back to the question of where my package would go when it left Bloomington. Did my package have a lover in Deming, New Mexico that it wanted to visit for a third time?

Sunday, August 22, 2021
8:51 AMCHINO, CADelivery exceptionFuture delivery requested
7:46 AMCHINO, CAAt local FedEx facility
5:35 AMBLOOMINGTON, CADeparted FedEx location

Chino is even closer to Ontario than Bloomington. This was a positive move.

Let me explain the “future delivery requested” part. I was promised at one point that the package would be delivered on Sunday, August 22. Unfortunately, my business address (a UPS Store, competitor to the delivery service) is closed on Sunday.

Apparently the delivery service realized this too late, and told me that the package would be delivered Tuesday.

Then I was told that the package would be delivered Monday.

Monday, August 23, 2021
1:24 PMOntario, CADeliveredSignature on file
5:41 AMCHINO, CAOn FedEx vehicle for delivery
4:20 AMCHINO, CAAt local FedEx facility

I drove to my business address and proceeded with the unboxing.

Remember the August 10 entry that mentioned the replacement of the unreadable barcode label.
As is usual for shipments, the actual shipment box was placed in a larger box. This time I was thankful for this.
Completing the story, here’s the business card again.

So that’s done. And since I’ve never really used business cards all that frequently, this order should last me a while.

When is my next in-person event?