Modern “journalism” often consists of reprinting a press release without subjecting it to critical analysis. Sadly, I see a lot of this in both biometric and technology publications.
This post looks at the recently announced master faces study results, the datasets used (and the datasets not used), the algorithms used (and the algorithms not used), and the (faulty) conclusions that have been derived from the study.
Oh, and it also informs you of a way to make sure that you don’t make the same mistakes when talking about biometrics.
Vulnerabilities from master faces
In facial recognition, there is a concept called “master faces” (similar concepts can be found for other biometric modalities). The idea behind master faces is that such data can potentially match against MULTIPLE faces, not just one. This is similar to a master key that can unlock many doors, not just one.
This can conceivably happen because facial recognition algorithms do not match faces to faces, but match derived features from faces to derived features from faces. So if you can create the right “master” feature set, it can potentially match more than one face.
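To make the idea concrete, here is a minimal sketch, in Python, of how a feature-based matcher decides that two faces “match.” Everything here is my own illustration, not any vendor’s actual pipeline: random vectors stand in for the embeddings a real neural network would derive, and the threshold is arbitrary.

```python
import math
import random

def cosine_similarity(a, b):
    """Similarity between two feature vectors (1.0 = identical direction)."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(x * x for x in b))
    return dot / (norm_a * norm_b)

# Hypothetical 128-dimensional face embeddings. Real systems derive
# these from a face image via a neural network; random vectors stand
# in for them here.
random.seed(42)
def fake_embedding():
    return [random.gauss(0.0, 1.0) for _ in range(128)]

enrolled = {f"person_{i}": fake_embedding() for i in range(5)}

def matches(probe, gallery, threshold):
    """Return every enrolled identity whose derived features are close
    enough to the probe's features to count as a 'match'."""
    return [name for name, emb in gallery.items()
            if cosine_similarity(probe, emb) >= threshold]

# An ordinary probe matches (at most) its own identity...
assert matches(enrolled["person_0"], enrolled, threshold=0.9) == ["person_0"]
# ...but a "master" feature set would be one deliberately crafted so
# that matches() returns MANY identities at a realistic threshold.
```

The master faces attack, in these terms, is an optimization problem: search for a probe vector that lands within the match threshold of as many enrolled vectors as possible at once.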
Ever thought you were being gaslighted by industry claims that facial recognition is trustworthy for authentication and identification? You have been.
The article goes on to discuss an Israeli research project that demonstrated some true “master faces” vulnerabilities. (Emphasis mine.)
One particular approach, which they write was based on Dlib, created nine master faces that unlocked 42 percent to 64 percent of a test dataset. The team also evaluated its work using FaceNet and SphereFace, which, like Dlib, are convolutional neural network-based face descriptors.
They say a single face passed for 20 percent of identities in Labeled Faces in the Wild, an open-source database developed by the University of Massachusetts. That might make many current facial recognition products and strategies obsolete.
Sounds frightening. After all, the study not only used Dlib, FaceNet, and SphereFace, but also made reference to a test set from Labeled Faces in the Wild. So it’s obvious why master faces techniques might make many current facial recognition products obsolete.
Let’s look at the datasets
It’s always more impressive to cite an authority, and citations of the University of Massachusetts’ Labeled Faces in the Wild (LFW) are no exception. After all, this dataset has been used for some time to evaluate facial recognition algorithms.
But what does Labeled Faces in the Wild say about…itself? (I know this is a long excerpt, but it’s important.)
Labeled Faces in the Wild is a public benchmark for face verification, also known as pair matching. No matter what the performance of an algorithm on LFW, it should not be used to conclude that an algorithm is suitable for any commercial purpose. There are many reasons for this. Here is a non-exhaustive list:
Face verification and other forms of face recognition are very different problems. For example, it is very difficult to extrapolate from performance on verification to performance on 1:N recognition.
Many groups are not well represented in LFW. For example, there are very few children, no babies, very few people over the age of 80, and a relatively small proportion of women. In addition, many ethnicities have very minor representation or none at all.
While theoretically LFW could be used to assess performance for certain subgroups, the database was not designed to have enough data for strong statistical conclusions about subgroups. Simply put, LFW is not large enough to provide evidence that a particular piece of software has been thoroughly tested.
Additional conditions, such as poor lighting, extreme pose, strong occlusions, low resolution, and other important factors do not constitute a major part of LFW. These are important areas of evaluation, especially for algorithms designed to recognize images “in the wild”.
For all of these reasons, we would like to emphasize that LFW was published to help the research community make advances in face verification, not to provide a thorough vetting of commercial algorithms before deployment.
While there are many resources available for assessing face recognition algorithms, such as the Face Recognition Vendor Tests run by the USA National Institute of Standards and Technology (NIST), the understanding of how to best test face recognition algorithms for commercial use is a rapidly evolving area. Some of us are actively involved in developing these new standards, and will continue to make them publicly available when they are ready.
So there are a lot of disclaimers in that text.
LFW is a 1:1 test, not a 1:N test. Therefore, while it can test how one face compares to another face, it cannot test how one face compares to a database of faces. The usual law enforcement use case is to compare a single face (for example, one captured from a video camera) against an entire database of known criminals. That’s a computationally different exercise from the act of comparing a crime scene face against a single criminal face, then comparing it against a second criminal face, and so forth.
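The distinction is easy to sketch in code. In this toy example (mine, not the researchers’ or any vendor’s), exact string “templates” stand in for real biometric comparisons, which actually use similarity scores and thresholds:

```python
def verify(probe_template, claimed_template):
    """1:1 verification: does the probe match ONE claimed identity?"""
    return probe_template == claimed_template

def identify(probe_template, gallery):
    """1:N identification: search an ENTIRE database for candidates.
    Every additional enrolled record is another comparison, and
    another chance for a false match."""
    return [name for name, template in gallery.items()
            if probe_template == template]

# Hypothetical database of known criminals' templates.
criminal_db = {"suspect_a": "T1", "suspect_b": "T2", "suspect_c": "T3"}

verify("T1", criminal_db["suspect_b"])   # one comparison: False
identify("T1", criminal_db)              # N comparisons: ["suspect_a"]
```

This is why strong performance on a 1:1 benchmark like LFW tells you little about the 1:N law enforcement use case: as the gallery grows, the false-match opportunities grow with it.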
The people in the LFW database are not necessarily representative of the world population, the population of the United States, the population of Massachusetts, or any population at all. So you can’t conclude that a master face that matches against a bunch of LFW faces would match against a bunch of faces from your locality.
Captured faces exhibit a variety of quality levels. A face image captured by a camera three feet from you at eye level in good lighting will differ from a face image captured by an overhead camera in poor lighting. LFW doesn’t have a lot of these latter images.
I should mention one more thing about LFW. The researchers allow testers to access the database itself, essentially making LFW an “open book test.” And as any student knows, if a test is open book, it’s much easier to get an A on the test.
Now let’s take a look at another test that was mentioned by the LFW folks themselves: namely, NIST’s Face Recognition Vendor Test.
This is actually a series of tests that has evolved over the years; NIST is now conducting ongoing tests for both 1:1 and 1:N (unlike LFW, which only conducts 1:1 testing). This is important because most of the large-scale facial recognition commercial applications that we think about are 1:N applications (see my example above, in which a facial image captured at a crime scene is compared against an entire database of criminals).
In addition, NIST uses multiple data sets that cover a number of use cases, including mugshots, visa photos, and faces “in the wild” (i.e. not under ideal conditions).
It’s also important to note that NIST’s tests are also intended to benefit research, and do not necessarily indicate that a particular algorithm that performs well for NIST will perform well in a commercial implementation. (If the algorithm is even available in a commercial implementation: some of the algorithms submitted to NIST are research-only algorithms that never made it to a production system.) For the difference between testing an algorithm in a NIST test and testing an algorithm in a production system, please see Mike French’s LinkedIn article on the topic. (I’ve cited this article before.)
With those caveats, I will note that NIST’s FRVT tests are NOT open book tests. Vendors and other entities give their algorithms to NIST, NIST tests them, and then NIST tells YOU what the results were.
So perhaps it’s more robust than LFW, but it’s still a research project.
Let’s look at the algorithms
Now that we’ve looked at two test datasets, let’s look at the algorithms themselves and evaluate the claim that results for the three algorithms Dlib, FaceNet, and SphereFace can naturally be extrapolated to ALL facial recognition algorithms.
This isn’t the first time that we’ve seen such an attempt at extrapolation. After all, the MIT Media Lab’s Gender Shades study (which evaluated neither 1:1 nor 1:N use cases, but algorithmic attempts to identify gender and race) itself only used three algorithms. Yet the popular media conclusion from this study was that ALL facial recognition algorithms are racist.
Compare this with NIST’s subsequent study, which evaluated 189 algorithms specifically for 1:1 and 1:N use cases. While NIST did find some race/sex differences in algorithms, these were not universal: “Tests showed a wide range in accuracy across developers, with the most accurate algorithms producing many fewer errors.”
In other words, just because an earlier test of three algorithms demonstrated issues in determining race or gender, that doesn’t mean that the current crop of hundreds of algorithms will necessarily demonstrate issues in identifying individuals.
So let’s circle back to the master faces study. How do the results of this study affect “current facial recognition products”?
The answer is “We don’t know.”
Has the master faces experiment been duplicated against the leading commercial algorithms tested by Labeled Faces in the Wild? Apparently not.
Has the master faces experiment been duplicated against the leading commercial algorithms tested by NIST? Well, let’s look at the various ways you can define the “leading” commercial algorithms.
Now you can play with the sort order in many different ways, but the question remains: have the Israeli researchers, or anyone else, performed a “master faces” test (preferably a 1:N test) on the IDEMIA, Paravision, SenseTime, NtechLab, AnyVision, or ANY other commercial algorithm?
Maybe a future study WILL conclude that even the leading commercial algorithms are vulnerable to master face attacks. However, until such studies are actually performed, we CANNOT conclude that commercial facial recognition algorithms are vulnerable to master face attacks.
So naturally journalists approach the results critically…not
But I’m sure that people are going to make those conclusions anyway.
While Bruce Schneier doesn’t go to the extreme of saying that all facial recognition algorithms are now defunct, he does classify the research as “fascinating” WITHOUT commenting on its limitations or applicability. Schneier knows security, but he didn’t vet this one.
Does anyone even UNDERSTAND these studies? (Or do they choose NOT to understand them?)
How can you avoid the same mistakes when communicating about biometrics?
As you can see, people often write about biometric topics without understanding them fully.
Even biometric companies sometimes have difficulty communicating about biometric topics in a way that laypeople can understand. (Perhaps that’s the reason why people misconstrue these studies and conclude that “all facial recognition is racist” and “any facial recognition system can be spoofed by a master face.”)
Are you about to publish something about biometrics that requires a sanity check? (Hopefully not literally, but you know what I mean.)
This meeting (which also happened to be the national Freelancers Union meeting for the month; our chapter rules!) was led by Cara Raffele, who spoke about “The Power of Storytelling.”
I’m not going to talk about the ENTIRE meeting, but will focus on the last part of the meeting, during which Raffele discussed “understanding your brand for maximum impact,” or brand archetypes.
The idea of archetypes started with Carl Jung, who defined them as images and themes that derive from the collective unconscious.
Jung claimed to identify a large number of archetypes but paid special attention to four. Jung labeled these archetypes the Self, the Persona, the Shadow and the Anima/Animus.
In modern-day marketing, this “large number of archetypes” has been boiled down to twelve, and it was these twelve that Raffele referenced in her presentation.
Raffele encouraged all of us freelancers to listen to all twelve, and then to select multiple archetypes (not just one) that seemed to reflect our freelance brands. So I iterated a first cut at the archetypes that I believed applied to Bredemarket; my preliminary list included Sage, Creator, and Explorer.
Why Sage? That particular one resonated with me because of my experiences with my clients (educating on benefits vs. features, expanding the understanding of law enforcement agency stakeholders), and because of the way I’ve been marketing myself anyway. After all, when I self-reference as the biometric content marketing expert and the biometric proposal writing expert, then it’s obvious that I can add the sage to my clients’ parsley, rosemary, and thyme. (Sorry, couldn’t resist, even though I know it’s bad.)
But after guessing that Bredemarket is Sage with a pinch of Creator and Explorer, I realized that I might not know myself as well as I thought, so I asked if there were some type of online “archetypes test,” similar to the online Myers-Briggs personality tests, that could help you semi-independently discern your archetypes.
(One aside before moving on to Putnam’s test. A few of you realize that I did not come up with the section title “Jung and the restless” on my own. Yes, I stole it from a Steve Taylor song title (and he stole it from a soap opera). I used the title even though Taylor is frankly not that positive about secular psychology. But he did say “some of my best friends are shrinks.” Oh, and that’s obviously Gym Nicholson of Undercover fame on guitar.)
My “Brand Personality Quiz” results, and Kaye Putnam’s recommendations
If you’ve taken an online Myers-Briggs personality test, or any other similar online test, the process of the Brand Personality Quiz will seem familiar to you. Putnam’s quiz asks you a series of independent questions, some of which have as many as twelve options. It then tabulates your answers against attributes of the twelve brand archetypes, and produces a final result listing a primary brand archetype and some secondary archetypes.
Here are my results.
So if you take Putnam’s quiz as gospel, I was somewhat accurate in my initial self-assessment.
Note that “Sage” came first and “Explorer” came second in the quiz results, and those were two of the archetypes I initially tweeted about before taking the quiz.
Considering the personal writing style I use in my blog, tweets, and elsewhere, “Entertainer” wasn’t much of a surprise either.
Upon further personal reflection, “Royalty” makes sense also. (So bow before me, serfs.)
And after reading Putnam’s description of “Creator” and its emphasis on visual presentation (rather than textual presentation), I can see why this was NOT on the list.
Along with my results, Putnam provided a link that allowed me to download a brief description of my primary archetype, Sage. Now this brief description doesn’t include all of the detail found in Putnam’s 12 Brandfluency courses (one for each archetype), but it does include many actionable items.
The “Sage Inspiration Kit” provides useful tips for Sage businesspeople to include in their brand marketing. The kit asserts that if the tips are followed, the results will produce emotional responses in potential clients that will increase brand attractiveness, thus allowing businesspeople to win more business (and win better business).
Tips are provided on the following:
Obviously that’s a lot of stuff to absorb, even in this brief kit. (The paid course offers tips in additional areas.) And even if I wanted to, I couldn’t change all the colors and fonts in my marketing overnight.
But I could look at Putnam’s word suggestions.
Ignoring the expert
Now Kaye Putnam’s word suggestions are freely available to anyone, but I’m not going to just copy all of them and reproduce them here. Request them yourself. (The link is for the Sage archetype.)
But I’ll offer comments on a few of the 18 words and phrases in the kit.
First off, I’m NOT going to use “think tank” in Bredemarket’s marketing. Perhaps this phrase may resonate for a larger firm, or even for a smaller firm with a team of people addressing their clients’ needs. But it would take a lot of stretching to describe a solopreneur as a think tank.
Another term that DOESN’T make sense for Bredemarket is “engineering.” Now obviously engineering is a good thing, although I’ve seen cases where engineering is overemphasized. But it doesn’t really make sense for my business, in which I make a point of emphasizing my ability to communicate engineering concepts to non-engineers. The same issue applies to the phrase “the code.”
I won’t go into all of my concerns, but there are several “Sage words” in the list that I would never use for Bredemarket, or would use very sparingly.
When someone gives you advice, whether it’s Kaye Putnam or John Bredehoft, you have to judge whether the advice is good for YOU.
Even if you narrow a brand down to one archetype, there are innumerable differences between individuals who align with this archetype. One size does not fit all, and I personally may love the term “experiment” but hate the terms listed above.
Now perhaps I may be wrong in rejecting Putnam’s advice. Perhaps there’s a really, really good reason why I should sprinkle the phrase “think tank” through all of my marketing materials.
But in the end it’s up to the recipient to decide whether or not to follow the advice of the expert. That applies to people giving advice to me, and that also applies to the advice that I give to my clients. (If a client insists on using the phrase “best of breed,” I can’t stop the client from doing so.)
But several of those words and phrases DO seem like good ideas, and I’ll probably make a concerted effort to sprinkle the GOOD words and phrases throughout Bredemarket’s website, social media channels, proposals, and other marketing.
Even though this might require me to re-revise the content creation process that I just revised.
Oh well. It’s good to…experiment with things. After all, Bredemarket is in effect a laboratory in which I like to try solutions out myself before I try to make a case for them with my clients. It’s easier to speak to research-based proven solutions than ones with which I have no experience at all.
Did that paragraph sound sage-like? I got six of the words/phrases into that paragraph!
Oh, and if you’re looking for a Royally Entertaining and Exploring Sage…
You can read here about how my content creation process ensures that the final written content (a) advances your GOAL, (b) communicates your BENEFITS, and (c) speaks to your TARGET AUDIENCE.
If Bredemarket can fill a gap in your company’s needs (NOTE TO SELF: DO NOT MENTION PARSLEY. DO NOT MENTION PARSLEY. DO NOT MENTION PARSLEY.), then feel free to contact me and we can discuss your needs and possible solutions.
This post is a follow-up to a prior post. In that post, I looked at the different ways in which I described Bredemarket’s content creation process, compared that to other content creation processes, and decided what I would like to include in Bredemarket’s new content creation process.
But I didn’t actually publish my new content creation process in that post, because I wanted to think about it. Oh, and there was another reason. (Hint: 4.5X.)
Well, I’ve slept on it, thought about it, wrote it, and rewrote it.
So let’s see the (probably not) final result. It’s longer than I’d like, but at least it’s (hopefully) thorough. And yes, I left out “accelerate,” but I included just about everything else.
Now that I’ve posted it here, I’ll roll it out to the rest of the Bredemarket website.
Bredemarket’s content creation process as of August 4, 2021
Bredemarket’s content creation process ensures that the final written content (a) advances your GOAL, (b) communicates your BENEFITS, and (c) speaks to your TARGET AUDIENCE. It is both iterative and collaborative.
Here is the general content creation process (which may vary depending upon content complexity and your preferences):
You and Bredemarket agree upon the topic, goal, benefits, and target audience (and, if necessary, outline, section sub-goals, relevant examples, and relevant key words/hashtags, and interim and final due dates).
For complex content requiring input and approval of multiple subject matter experts, you and Bredemarket agree on a preliminary list of tasks, assigned persons, and due dates.
For content that must be incorporated into your content management system, you and Bredemarket agree on the necessary format and other parameters. Otherwise, the final copy will be provided in Microsoft Word docx format, including (as appropriate) callout indicators, hyperlinks, key words, and/or hashtags.
For projects requiring multiple related pieces of content, you and Bredemarket agree upon the desired frequency of content.
You provide relevant technical details (and, for selected longer content, access to the end customer for a 30-minute interview).
Bredemarket conducts any necessary research (or interviews).
Bredemarket iteratively provides the specified number of review copies of the draft content within the specified number of days per review. (The number of review cycles and review time must agree with any due dates.) The draft content advances your goal, communicates your benefits, and speaks to your target audience in your preferred tone of voice. Relevant examples and key words/hashtags are included.
You return comments on each review copy within the specified number of days. For longer content, you may provide the draft formatted copy for the final review.
After all reviews and comments, Bredemarket provides the final copy.
Back on July 20, I shared my thoughts on the brouhaha over the proposed renaming of the Association of Proposal Management Professionals to become the Association of Winning Business Professionals, and how that might impact the APMP conference in Denver later this year. (This was posted before I re-rejoined the APMP.)
Well, there’s an update.
On August 2, the APMP posted a video on its YouTube channel. But the video is marked as “unlisted,” which means that the APMP probably doesn’t want everyone to see it. So I’m not going to link to it.
And the APMP has posted information on its website, but it’s behind the login firewall. So I’m not going to link to it.
I will, however, summarize it.
The Association of Winning Business Professionals is no more. It has ceased to be, bereft of life, it rests in peace, it has kicked the bucket, hopped the twig, bit the dust, snuffed it, breathed its last, and gone to meet the Chief Renaming Officer in the sky. (Adapted from Cleese and Chapman’s Dead Parrot Sketch.)
Actually, there is a public discussion of this, posted by Robin Davis.
It’s official, your efforts to #SaveAPMP paid off! The name stays—and everything it stands for. Thanks for your passion—that’s the kind of energy that can change the world!
Perhaps I should revisit this topic five years from now. Not seven years from now.
As Bredemarket passes its one-year anniversary, I’m intentionally trying to re-evaluate what I do in order to improve my services to you.
When I say “you,” by the way, I’m speaking of clients or potential clients of Bredemarket. If you’re not interested in Bredemarket’s services, but are instead reading this hoping for a discussion of fingerprint third-level detail, this is NOT the post for you.
Back to my re-evaluation of my services. One thing that I’m doing is re-examining Bredemarket’s content creation process.
I work with you. Bredemarket uses an iterative, collaborative process with multiple reviews to make sure that your needs are expressed in what I write, and that the writing reflects your firm’s tone of voice. The final product needs to make me happy, it needs to make you happy, and it needs to make your potential client(s) happy.
That page was created just a few months ago, but it’s a rewrite of the specific processes that I created almost a year ago. While these vary from offering to offering (and from client to client), here’s how I stated my “iterative, collaborative process” in my description of the Bredemarket 2800 Medium Writing Service.
Agree upon topic (and, if necessary, outline) with client.
Client provides relevant technical details.
Bredemarket conducts any necessary research and provides the first review copy within seven (7) calendar days.
Client provides changes and any additional requested detail within seven (7) calendar days.
Bredemarket provides the second review copy within seven (7) calendar days.
Client provides changes and any requested detail within seven (7) calendar days.
Bredemarket provides the third review copy within seven (7) calendar days.
Client prepares the final formatted copy and provides any post-formatting comments within seven (7) calendar days.
Bredemarket provides the final version within seven (7) calendar days.
In addition to the words “iterative” and “collaborative,” I think that the two other words that are implicitly associated with my content creation process are “benefits” and “goals.”
I haven’t been so explicit on goals (other than my own goals for Bredemarket), but that has become more important to me as Bredemarket has acquired experience.
While goals have been implicit with some of my clients—we all assume that the content that I have created will win more business in some generic way—my work with other clients has required me to be more explicit about the goals the content must achieve.
These goals not only affect the final call to action, but also affect the entire content creation and placement process.
For example, if the goal of a piece of content is to move an end customer to request a proposal from my client, where does that content have to be placed to elicit that request? In my line of work, it’s not Instagram.
So I concluded that I probably need to iterate my descriptions of my process to ensure that all aspects of the Bredemarket website, as well as all external communications, provide a concise and unified description of the benefits of how I work with you.
But before I did that rewrite, I wanted to see how others described a content creation process, to see what I could steal…I mean appropriate from those other descriptions.
The content creation processes of others
Obviously, I’m not the only entity that has communicated a process for content creation. Here are some others.
So if I add 4 plus 6 plus 6 plus 17, the resulting 33 step content creation process will be perfect, right?
Actually, I scanned these disparate processes to see what I’m missing in my iterative, collaborative, benefit-oriented, goal-oriented current process. These things came to mind.
Sub-goals. GatherContent makes a point of talking about multiple goals, one for “each piece of your content” or each topic addressed by your content. While this may be overkill for a tweet, it makes sense for longer content, such as a multi-section blog post.
Audience. This is an implicit thing that should be addressed explicitly, as ClearVoice and HubSpot suggest. There are a number of stakeholders who may potentially see your content, and you need to figure out which stakeholder(s) are the intended audiences for your content and plan accordingly. For example, this very post uses the word “you” to refer to an existing or potential client of Bredemarket, and I have had to shape this content to ensure that this is clear, and to warn other potential readers in advance that this post might not interest them.
When I say “you,” by the way, I’m speaking of clients or potential clients of Bredemarket. If you’re not interested in Bredemarket’s services, but are instead reading this hoping for a discussion of fingerprint third-level detail, this is not the post for you.
Voice. HubSpot also suggests that the voice used in content creation is important. I happen to use a specific voice when I write these blog posts for Bredemarket, but you better believe I use a different voice when rewriting a chapter for a scientific book.
Frequency. If creating a series of content pieces, it’s wise to settle upon the frequency with which these pieces will appear. ClearVoice cites a HubSpot study in this regard.
A HubSpot study of blogging data accumulated from 13,500+ of their customers found, “companies that published 16+ blog posts per month got about 4.5X more leads than companies that published between 0 – 4 monthly posts.”
Now this is only one study, and it may not apply to content other than blog posts; do your customers really want to get 16+ emails per month from you?
Frequency of course affects multiple aspects of the content creation process, including the review cycle. If you are only able to review my draft content once every two weeks, then perhaps a daily content release cycle isn’t good for you.
(One more thing. Bear in mind that I as a consultant have a financial interest in creating content as frequently as possible, since this increases my consulting fees. So if I propose something outrageous that exceeds your budget without providing tangible benefits, feel free to push back.)
Search Needs. Steps 5 and 6 in Orbit Media’s 17 step process, as well as HubSpot’s process, ask if people will search for the content in question. If so, it’s important to make sure that people will find it. The…um, goal is to “plan to make it the best page on the web for the topic.” (If people won’t search for it, then content distribution via the regular social media outlets is satisfactory.)
Tasks. GatherContent puts great emphasis on the tasks needed to produce the final content. This is NOT relevant for some of the content that I create with you, but it was EXTREMELY relevant when I managed the RFI response for a client a couple of months ago. Even though the response had a 20-page limit, a lot of information was packed into those 20 pages, and I had to work with a lot of subject matter experts to pull everything together and get it approved.
Examples. Orbit Media Studios discusses a number of items that are outside of the scope of textual content creation, and thus outside of my (current) scope (although I have suggested visual content that can be created by more talented people). One thing that does fall within my scope is to support the content with examples. Of course, a case study is just one big example, but in other cases some examples may be beneficial.
Promotional Considerations. No, I’m not talking about the game show language in which Montgomery Ward provides money and/or goods to a game show in exchange for a mention at the end of the show. Here, Orbit Media Studios is talking about how the content will be promoted once it is created. I address these questions all the time in my own self-promotion. If I’m re-sharing a link to content on social media, what excerpt should I include, and what hashtags should I use?
Due Dates. GatherContent also talks about due dates and how they affect the content creation process. Some of my clients don’t have due dates at all. Some have very vague due dates (“we’d like to go live with the content next month”). Other dates are very explicit; when you’re dealing with RFP and RFI responses, the end customer has a specific due date and time.
Content Inventory. GatherContent also talks about this. My content is often not stand-alone; it needs to integrate with other client content. The client’s content inventory not only affects the delivery of the final content, but may also affect the format of the content itself. For example, if something is only going to be available in hardcopy, I can do away with the hyperlinks.
In addition to the information that I appropriated from these sources, perhaps it’s worthwhile to fit the whole thing into a needs / solution / results framework. Although in this case, the “results” would be “expected results.”
Oh, and there’s one more word that I’d like to work in there somewhere. Did you see that the title of this post started with the word “accelerating”? I, um, appropriate that from a source that I cannot discuss publicly, but it may make sense here also. If not for accelerating the content creation, at least for accelerating the expected results.
Bredemarket’s new and improved content creation process is…
Wow, that’s a lot of stuff.
Some of it is too detailed to include in a succinct statement of Bredemarket’s content creation process, and some of it should be included, even if I only include a single word.
So after that review, I can announce that Bredemarket’s new content creation process is…
TO BE DETERMINED.
I still need to think through this, write up a new succinct version, iterate it, and share the new version in a future post.
After all, a higher frequency of blog posts DOES lead to a greater number of leads. See “Frequency,” above.
I can’t recall who recorded it, but there’s a radio commercial heard in Southern California (and probably nationwide) that intentionally ridicules people who willingly give up their own personally identifiable information (PII) for short-term gain. In the commercial, both the husband and the wife willingly give away all sorts of PII, including I believe their birth certificates.
While voluntary surrender of PII happens all the time (when was the last time you put your business card in a drawing bowl at a restaurant?), people REALLY freak out when the information that is provided is biometric in nature. But are the non-biometric alternatives any better?
If you think that the article details an insanely great way to make some easy money from Amazon, then you haven’t been paying attention to the media these last few years.
The article begins with a question:
How much is your palm print worth?
The article then describes how Amazon's brick-and-mortar stores in several states have incorporated a new palm print scanner technology called "Amazon One." This technology reads both friction ridge and vein information from a shopper's palm. That biometric data is then associated with a pre-filed credit card, allowing the shopper to simply wave a palm to buy the items in the shopping cart.
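The flow the article describes boils down to two steps: enroll (associate a palm template with a card on file) and pay (recognize the palm, charge the card). Here is a toy sketch of that flow; all of the names and data structures are hypothetical, since Amazon One's actual design is not public, and a real system would do fuzzy template matching rather than an exact lookup.

```python
# Toy sketch of the palm-pay flow. Everything here is hypothetical;
# it only illustrates the association between a biometric and a card.

enrolled = {}  # palm template -> payment card token

def enroll(palm_template: str, card_token: str) -> None:
    """Associate a palm template with a pre-filed payment card."""
    enrolled[palm_template] = card_token

def pay(palm_template: str, amount: float) -> str:
    """Wave a palm: look up the associated card and charge it."""
    card = enrolled.get(palm_template)
    if card is None:
        return "palm not recognized"
    return f"charged {amount:.2f} to {card}"

enroll("palm-ridge-and-vein-features", "card-token-1234")
print(pay("palm-ridge-and-vein-features", 19.99))
```

In a production system the lookup would be a similarity search over stored templates (no two scans of the same palm are byte-identical), but the privacy question the article raises is about exactly this association: your body becomes the key to your wallet.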
There is nothing new under the sun
Amazon One is the latest take on processes that have been implemented several times before. I’ll cite three examples.
Pay By Touch. The first one that comes to my mind is Pay By Touch. While the management of the company was extremely sketchy, the technology (provided by Cogent, now part of Thales) was not. In many ways the business idea was ahead of its time, and it had to deal with challenging environmental conditions: the fingerprint readers used for purchases were positioned near the entrances/exits to grocery stores, which could get really cold in the winter. Couple this with the elderly population that used the devices, and it was sometimes difficult to read the fingers themselves. Yet, this relatively ancient implementation is somewhat similar to what Amazon is doing today.
University of Maryland Dining Hall. The second example occurred to me because it came from my former employer (MorphoTrak, then part of Safran and now part of IDEMIA), and was featured at a company user conference for which I coordinated speakers. There’s a video of this solution, but sadly it is not public. I did find an article describing the solution:
With the new system students will no longer need a UMD ID card to access their own meals…
Instead of pulling out a card, the students just wave their hand through a MorphoWave device. And this allows the students to pay for their meals QUICKLY. Good thing when you’re hungry.
This Pay and That Pay. But the most common example that everyone uses is Apple Pay, Google Pay, Samsung Pay, or whatever “pay” system is supported on your smartphone. Again, you don’t have to pull out a credit card or ID card. You just have to look at your phone or swipe your finger on the phone, and payment happens.
Amazon One is the downfall of civilization
I don’t know if TechCrunch editorialized against Pay By Touch or [insert phone vendor here] Pay, and it probably never heard of the MorphoWave implementation at the University of Maryland. But Amazon clearly makes TechCrunch queasy.
While the idea of contactlessly scanning your palm print to pay for goods during a pandemic might seem like a novel idea, it’s one to be met with caution and skepticism given Amazon’s past efforts in developing biometric technology. Amazon’s controversial facial recognition technology, which it historically sold to police and law enforcement, was the subject of lawsuits that allege the company violated state laws that bar the use of personal biometric data without permission.
OK, back to Amazon and Amazon One. TechCrunch also quotes Albert Fox Cahn of the Surveillance Technology Oversight Project.
“The dystopian future of science fiction is now. It’s horrifying that Amazon is asking people to sell their bodies, but it’s even worse that people are doing it for such a low price.”
“Sell their bodies.” Isn’t it even MORE dystopian when people “give their bodies away for free” when they sign up for Apple Pay, Google Pay, or Samsung Pay? While the Surveillance Technology Oversight Project (acronym STOP) expresses concern about digital wallets, there is a significant lack of horror in its description of them.
Digital wallets and contactless payment systems like smart chips have been around for years. The introduction of Apple Pay, Amazon Pay, and Google Pay have all contributed to the e-commerce movement, as have fast payment tools like Venmo and online budgeting applications. In response to COVID-19, the public is increasingly looking for ways to reduce or eliminate physical contact. With so many options already available, contactless payments will inevitably gain momentum….
Without strong federal laws regulating the use of our data, we’re left to rely on private companies that have consistently failed to protect our information. To prevent long-term surveillance, we need to limit the data collected and shared with the government to only what is needed. Any sort of monitoring must be secure, transparent, proportionate, temporary, and must allow for a consumer to find out about or be alerted to implications for their data. If we address these challenges now, at a time when we will be generating more and more electronic payment records, we can ensure our privacy is safeguarded.
So STOP isn’t calling for the complete elimination of Amazon Pay. But apparently it wants to eliminate Amazon One.
Is a world without Amazon One a world with less surveillance?
Whenever you propose to eliminate something, you need to look at the replacement and see if it is any better.
In 1998, Fox fired Bill Russell as the manager of the Los Angeles Dodgers. He had a win-loss percentage of .538. His replacement, Glenn Hoffman, lasted less than a season and had a percentage of .534. Hoffman’s replacement, true baseball man Davey Johnson, compiled a percentage of .503 over the next two seasons before he was fired. Should have stuck with Russell.
Anyone who decides (despite the science) that facial recognition is racist is going to have to rely on other methods to identify criminals, such as witness identification. Witness identification has documented inaccuracies.
And if you think that elimination of Amazon One from Amazon’s brick-and-mortar stores will lead to a privacy nirvana, think again. If you don’t use your palm to pay for things, you’re going to have to use a credit card, and that data will certainly be scanned by the FBI and the CIA and the BBC, B. B. King, and Doris Day. (And Matt Busby, of course.) And even if you use cash, the only way that you’ll preserve any semblance of your privacy is to pay anonymously and NOT tie the transaction to your Amazon account.
And if you’re going to do that, you might as well skip Whole Foods and go straight to Dollar General. Or maybe not, since Dollar General has its own app. And no one calls Dollar General dystopian. Wait, they do: “They tend to cluster, like scavengers feasting on the carcasses of the dead.”
I seemed to have strayed from the original point of this post.
But let me sum up. It appears that biometrics is evil, Amazon is evil, and Amazon biometrics are Double Secret Evil.
Years before COVID became a thing, the U.S. government wanted to encourage touchless fingerprint technologies. The effort began with a concerted push to capture a complete set of fingerprints in less than 15 seconds. By 2016, this had evolved into a set of Cooperative Research and Development Agreements (CRADAs) entered into by the National Institute of Standards and Technology and several private companies.
For purposes of this post, I’m going to concentrate on just one of the listed mobile fingerprint capture technology solutions. The mobile fingerprint capture technologies from these companies were intended to support the capture of fingerprints from a standard smartphone without any additional capture equipment. (Compare this to the portal/kiosk category, which employed specialized capture equipment.)
Via our CRADA relationship (Cooperative Research and Development Agreement), Diamond Fortress is currently working with NIST to develop standards dealing with best practices, certification methodology, data formatting and interoperability with legacy contact-based and inked print databases for optical acquisition systems. This will support future certification for purchase on the Government Certified Products lists.
Fast forward a few years, and Diamond Fortress Technologies’ offering is back in the news again.
Now that happened to catch my eye for one particular reason.
You see, my former employer IDEMIA used to have a monopoly on the TSA PreCheck program. If you wanted to enroll in TSA PreCheck, you HAD to go to IDEMIA. This provided a nice revenue stream for IDEMIA…well, perhaps not so nice when all of the airports lost traffic due to COVID.
Anyway, Congress decided that one provider wasn't optimal for government purposes, so in early 2020 other vendors were approved as TSA PreCheck providers.
WASHINGTON – Transportation Security Administration (TSA) today announced that TSA PreCheck™ enrollment services will now be provided by Alclear, LLC; Telos Identity Management Solutions, LLC; and Idemia Identity & Security USA, LLC, expanding the opportunities that enable travelers to apply for TSA PreCheck.
Just to clarify, the company then known as Alclear is better known to the general public as CLEAR.
When I first joined the biometrics industry in the 1990s, biometric benefits (welfare) applications were hot in the United States as states and localities deployed biometric verification solutions for benefits recipients.
However, the landscape changed over the years, and most of those biometric systems have since been shut down.
Of course, new markets also appear.
If someone had told me in 1994 that we would use biometrics to “unlock” our phones, I would have had no idea what the person was talking about. Why would we need to unlock our phone, anyway? Sure, if a thief grabbed my cell phone, the thief could make a long distance call to another state. But it’s not like the thief could access my bank account via an unlocked cell phone, right?
And there are other markets.
At Bredemarket, I work with a number of companies that provide biometric systems. And I’ve seen a lot of other systems over the years, including fingerprint, face, DNA, and other systems.
The components of a biometric system
While biometric systems may seem complex, the concept is simple. Years ago, I knew a guy who asserted that a biometric system only needs to contain two elements:
An algorithm that takes a biometric sample, such as a fingerprint image, and converts it into a biometric template.
An algorithm that can take these biometric templates and match them against each other.
If you have these two algorithms, my friend stated, you have everything you need for a biometric system.
Well, maybe not everything.
Today, I can think of a few other things that might be essential, or at least highly recommended. Here they are:
An algorithm that can measure the quality of a biometric sample. In some cases, the quality of the sample may be important in determining how reliable matching results may be.
For fingerprints, an algorithm that can classify the prints. Forensic examiners routinely classify prints as arches, whorls, loops, or variants of these three, and classifications can sometimes be helpful in the matching process.
For some biometric samples, utilities to manage the compression and decompression of the biometric images. Such images can be huge, and if they can be compressed by a reliable compression methodology, then processing and transmission speeds can be improved.
A utility to manage the way in which the biometric data is accessed. To ensure that biometric systems can talk to each other, there are a number of related interchange standards that govern how the biometric information can be read, written, edited, and manipulated.
For fingerprints, a utility to segment the fingerprints, in cases where multiple fingerprints can be found in the same image.
So based upon the two lists above, there are seven different algorithms/utilities that could be combined to form an automated fingerprint identification system, and I could probably come up with an eighth one if I really felt like it.
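To make the two core pieces concrete, here is a toy sketch in Python. It is not any vendor's actual algorithm: the "template" is reduced to a list of (x, y, angle) minutiae tuples, and matching is a naive nearest-point count, whereas real extractors and matchers (such as NBIS's MINDTCT and BOZORTH3) are far more sophisticated.

```python
from math import hypot

# Toy "template": a list of minutiae, each an (x, y, angle_degrees) tuple.
# A real extractor derives these from ridge endings and bifurcations in
# the fingerprint image; here we simply assume them.

def extract_template(minutiae):
    """Algorithm 1: convert a biometric sample into a template.
    Here the 'sample' is already a minutiae list; a real system
    would start from the raw captured image."""
    return sorted(minutiae)

def match_templates(probe, gallery, tolerance=5.0):
    """Algorithm 2: score two templates against each other.
    Counts probe minutiae that have a gallery minutia within
    `tolerance` pixels and 10 degrees of angle."""
    score = 0
    for (x1, y1, a1) in probe:
        for (x2, y2, a2) in gallery:
            if hypot(x1 - x2, y1 - y2) <= tolerance and abs(a1 - a2) <= 10:
                score += 1
                break
    return score

finger_a = extract_template([(10, 20, 45), (30, 40, 90), (55, 60, 180)])
finger_b = extract_template([(11, 21, 47), (29, 41, 88), (80, 80, 10)])

print(match_templates(finger_a, finger_b))  # 2 of 3 minutiae agree
```

The other five items on the list (quality, classification, compression, data interchange, segmentation) all exist to make these two algorithms work reliably at scale, which is why a bare extract-and-match pair isn't quite "everything you need."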
My friend knew about this stuff, because he had worked for several different firms that produced fingerprint identification systems. These firms spent a lot of money hiring many engineers and researchers to create all of these algorithms/utilities and sell them to customers.
How to get these biometric system components for free
But what if I told you that all of these firms were wasting their time?
And if I told you that since 2007, you could get source code for ALL of these algorithms and utilities for FREE?
Well, it’s true.
To further its testing work, the National Institute of Standards and Technology (NIST) created the NIST Biometric Image Software (NBIS), which currently has eight algorithms/utilities. (The eighth one, not mentioned above, is a spectral validation/verification metric for fingerprint images.) Some of these algorithms and utilities are available separately or in other utilities: anyone can (and is encouraged to) use the quality algorithm, called NFIQ, and the minutiae detector MINDTCT is used within the FBI’s Universal Latent Workstation (ULW).
As I write this, NBIS has not been updated in six years, since Release 5.0.0 came out.
Is anyone using this in a production system?
And no, I am unaware of any law enforcement agency or any other entity that has actually USED NBIS in a production system, outside of the testing realm, with the exception of limited use of selected utilities as noted above. Although Dev Technology Group has compiled NBIS on the Android platform as an exercise. (Would you like an AFIS on your Samsung phone?)