Digital Identity: Endorsed, Or Bestowed?
Joel R. McConvey’s recent article in Biometric Update made my head spin.
“Utah’s state legislature has voted unanimously to pass SB 275, the State-Endorsed Digital Identity Program Amendments bill. The law makes Utah unique among states, in that it defines identity as something that is inherent to a person and endorsed by the state rather than bestowed by the state.
“The distinction has implications for discussions about data sovereignty – who gets to control a person’s personal information – as well as for other states pursuing digital identity programs.”
Endorsed? Bestowed? What’s up? An earlier McConvey article quotes from Utah’s Chief Privacy Officer Christopher Bramwell:
“Part of Utah’s history,” Bramwell says – “why we care so much about privacy, and this does translate directly to digital identity – is when pioneers came to Utah, it was literally for autonomy, and it was to be left alone to live their life according to the dictates of their heart. That’s why many people came to America, whether as pilgrims or pioneers or immigrants: because you want something better and you want to do it according to your conscience.”
For those whose history is rusty, Bramwell is referring to the migration of the Mormons out west. As he points out, the Mormons are not the only ones in U.S. history who came to a new land to enjoy freedom from the perceived oppressive state. The original inhabitants of Massachusetts, Rhode Island, Maryland, and Pennsylvania also fall within this tradition.
Bramwell continues:
“And that’s a lot of what we’re talking about with digital ID. You need to engage in the free market, but do it according to your choice without being tracked, without being surveilled, without undue influence on how you’re operating. So you can live your life in the digital realm according to the dictates of your heart and how you and your family see fit.”
“Our approach is to separate identity from any privileges or licenses that are given by government. Identity should be separate, so that it is not something that there’s any reason to ever take away.”
But this is not just a religious issue, as the American Civil Liberties Union points out.
“The philosophical underpinning of the state’s SEDI concept is that “identity” is not something bestowed by the state, but that inherently belongs to the individual; the state merely “endorses” a person’s ID.”
Of the six major underpinnings of SEDI, the third is of interest here:
“Individual control,” in which the state throws its weight behind a movement known as “user-centric” or “self-sovereign” identity, that strives to ensure that government identification systems are used to empower individuals, not to control them.
So what does self-sovereign, endorsed identity mean from a legal standpoint? Let’s look at the opening section of the most recent bill, Utah’s SB 275:
63A-20-101. Digital identity bill of rights.
The following rights constitute the digital identity bill of rights in this state:
(1) An individual possesses an individual identity innate to the individual’s existence and independent of the state, which identity is fundamental and inalienable.
(2) An individual has a right to the management and control of the individual’s digital identity to protect individual privacy.
(3) An individual has a right to choose, receive, and use a physical form of identity assertion that is endorsed by the state.
(4) An individual has a right to not be compelled by the state to possess, use, or rely upon a digital form of identity assertion in place of a physical form of identity assertion that is endorsed by the state.
(5) An individual has a right to state endorsement of the individual’s digital identity upon meeting objective, uniform standards for eligibility and verification established by law, and a right to not have such endorsement arbitrarily or discriminatorily withheld or revoked.
(6) An individual has a right to have the state’s operation of digital identity systems governed by clear standards established by the Legislature, including for eligibility, issuance, endorsement, acceptance, revocation, or interoperability of digital identity assertions.
(7) An individual has a right to transparency in the design and operation of a state digital identity, including the right to access, read, and review the standards and technical specifications upon which the state digital identity is built and operates.
(8) An individual has the right to choose what identity attributes are disclosed by the individual’s state digital identity in accordance with standards established by the Legislature.
(9) An individual has the right to any service or benefit to which the individual is otherwise lawfully entitled based on the individual’s choice of a lawful format or means of identity assertion without denial, diminishment, or condition.
(10) An individual has a right to be free from surveillance, profiling, tracking, or persistent monitoring of the individual’s assertions of digital identity by the state, except as authorized by law.
(11) An individual has a right to not be required by the state to surrender the individual’s device in order to present the individual’s digital identity.
Of course, once you leave the state of Utah and reside in another state, that state will BESTOW an identity upon you.
And while this controls what the state of Utah can do, it does not apply to a FEDERAL digital identity, such as a future digital U.S. passport.
Bash Script Vulnerabilities
I can’t say WHY I’m looking at bash script vulnerabilities, but they’ve been around since…well, this Kaspersky article is based upon CVE-2014-6271.
“The “bash bug,” also known as the Shellshock vulnerability, poses a serious threat to all users. The threat exploits the Bash system software common in Linux and Mac OS X systems in order to allow attackers to potentially take control of electronic devices. An attacker can simply execute system level commands, with the same privileges as the affected services….
“But just imagine that you could not only pass this normal system information to the CGI script, but could also tell the script to execute system level commands. This would mean that – without having any credentials to the webserver – as soon as you access the CGI script it would read your environment variables; and if these environment variables contain the exploit string, the script would also execute the command that you have specified.”
An authorization nightmare as a hostile non-person entity runs amok.
And it’s still a threat, as two recent CVEs attest…and that’s all I’ll say.
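To make the Kaspersky description concrete, here is an added example of my own (not code from the original post or from the Kaspersky article). A vulnerable bash imports any environment variable whose value begins with the four characters `() {` as a shell function, and keeps parsing past the closing brace, so whatever follows runs at shell startup. When a web server copies an HTTP header such as User-Agent into a CGI environment variable (HTTP_USER_AGENT), that startup happens with the web server’s privileges. The script below does two things: a local self-test of the bash on your PATH (it assumes `bash` is installed; the self-test reports “patched” if it is not), and a detector that counts header values carrying the exploit prefix. The header lines are constructed for illustration, not captured from a real server.

```shell
#!/bin/sh
# Added example: a CVE-2014-6271 (Shellshock) self-test plus a detector for
# the "() {" function-definition prefix that exploit strings must carry.
# All sample header values below are constructed for illustration.

# A vulnerable bash treats x='() { :;}; echo SHELLSHOCKED' as a function
# definition followed by a trailing command, and runs the trailing command
# while starting up. A patched bash imports x as a plain string and only
# runs "echo safe". Prints "vulnerable" (returns 1) or "patched" (returns 0).
# Assumes bash is on PATH; if it is not, the output is empty and "patched"
# is reported, so treat that case as "untested" in practice.
shellshock_selftest() {
    out=$(env x='() { :;}; echo SHELLSHOCKED' bash -c 'echo safe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCKED*) echo "vulnerable"; return 1 ;;
        *)              echo "patched";    return 0 ;;
    esac
}

# Returns 0 when a single header value carries the exploit prefix.
# The vulnerable parser checks for the literal "() {" at the start of the
# variable's value, so the literal string is a reliable signature; matching
# it anywhere in the value is deliberately loose, IDS-style.
is_shellshock_payload() {
    case "$1" in
        *'() {'*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Counts header values on stdin (one per line) that carry the prefix.
# grep -c exits 1 on zero matches; "|| true" keeps set -e callers alive.
count_shellshock_lines() {
    grep -F -c '() {' || true
}

# Constructed User-Agent values, as a CGI front end would see them in
# HTTP_USER_AGENT. Two of the five are Shellshock payloads.
SAMPLE_HEADERS='Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/32.0
() { :;}; /bin/bash -c "id"
curl/7.37.0
() { foo;}; echo Content-Type: text/plain; echo; /usr/bin/id
Googlebot/2.1 (+http://www.google.com/bot.html)'

printf 'local bash: %s\n' "$(shellshock_selftest || true)"
printf 'suspicious header values: %s\n' \
    "$(printf '%s\n' "$SAMPLE_HEADERS" | count_shellshock_lines)"
```

Run it as-is and it reports whether the local bash is patched and finds the two payload lines in the constructed sample. To use the detector on real data, feed it one header value per line from your access logs (for example the User-Agent column); the second payload line shows the typical shape of a real attack, which emits its own HTTP headers so the command output is returned to the attacker in the CGI response. The self-test is exactly what a pentester runs on a host to confirm whether the 2014 patches are present; a “vulnerable” result on an internet-facing CGI host is an unauthenticated remote code execution finding.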
Today’s Acronym is PADFAA. And It Has Nothing To Do With Liveness Detection or Airplanes.
TAA.
Too many acronyms.
And this one, PADFAA, sounds like a mashup of presentation attack detection and the Federal Aviation Administration.
It isn’t.
PADFAA stands for the “Protecting Americans’ Data from Foreign Adversaries Act of 2024.”
So while it doesn’t involve PAD or the FAA, it does involve PII (personally identifiable information) and the FTC (Federal Trade Commission).
“The Federal Trade Commission sent letters to 13 data brokers warning them of their responsibility to comply with the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFAA).
“PADFAA prohibits data brokers from selling, releasing, disclosing, or providing access to personally identifiable sensitive data about Americans to any foreign adversary, which include North Korea, China, Russia, and Iran, or any entity controlled by those countries. The law defines personally identifiable sensitive data to include health, financial, genetic, biometric, geolocation, and sexual behavior information as well as account or device log-in credentials and government-issued identifiers such as Social Security, passport, or driver’s license numbers.”
Frankly, it’s not a good idea to sell PII to our friends either, but that’s another topic.
Delivering Bad News: How Motorola Overcame the FpVTE 2003 Results Announcement
I just realized that I have never told the FULL story of FpVTE 2003 in the Bredemarket blog. I’ve only told the problem part, but not the solution part. Bad on me.
The problem part
I told parts of this in a 2023 post entitled “The Big 3, or 4, or 5? Through the Years.” One of the pivotal parts of the story was when the “big 4” became the “big 3.”
It happened like this:
These days the U.S. National Institute of Standards and Technology (NIST) is well known for its continuous biometric testing, but one of its first tests was conducted in 2003. At the time, there were four well-recognized fingerprint vendors:
- Cogent Systems.
- Motorola, which had acquired Printrak.
- NEC.
- Sagem Morpho, which had acquired Morpho.
There were a bunch of other fingerprint vendors, but they were much smaller, including the independent companies Bioscrypt and Identix.
I was a product manager at Motorola at the time, managing the server portion of the company’s automated fingerprint identification system (AFIS), Omnitrak. This featured a modernization of the architecture that was a vast improvement over the client-server architecture in Series 2000. The older product was still in use at the Royal Canadian Mounted Police (RCMP), but Motorola was in the process of installing Omnitrak in Slovenia and upgrading existing systems in Oklahoma and Switzerland.
Yes, I’ve worked in biometrics for a while.
This is the environment in which NIST released its Fingerprint Vendor Technology Evaluation of 2003 (FpVTE 2003).
“FpVTE 2003 consists of multiple tests performed with combinations of fingers (e.g., single fingers, two index fingers, four to ten fingers) and different types and qualities of operational fingerprints (e.g., flat livescan images from visa applicants, multi-finger slap livescan images from present-day booking or background check systems, or rolled and flat inked fingerprints from legacy criminal databases).”
So the companies listed above, among others, submitted their algorithms to FpVTE 2003. After the testing, NIST issued a summary report that included this sentence.
“Of the systems tested, NEC, SAGEM, and Cogent produced the most accurate results.”
You can see how this affected Motorola…and me. We were suddenly second-tier, via independent confirmation.

We first had to go to the RCMP and admit that we weren’t as accurate as other systems. This came at a particularly bad time, since the RCMP was engaged in a massive system upgrade of its own. While Motorola’s FpVTE performance was not the ultimate deciding factor, we lost the massive RCMP system to Cogent.
But Motorola did something else at the same time.
The solution part
The accuracy of an automated fingerprint identification system falls in the laps of the algorithm developers, whether the vendor develops its own algorithms or buys a third-party algorithm from another AFIS vendor.
Motorola developed its own algorithm…and one of the R&D leaders was Guy Cardwell.
Motorola held a User’s Conference after the FpVTE results announcement, and Cardwell spoke to our customers.
- It wasn’t a flashy presentation with smoke and mirrors.
- It wasn’t an accusatory presentation calling NIST a bunch of crooks.
- It was basically Guy, on stage, saying that we didn’t do well.
- And that we would do better.
Now of course that in itself means nothing unless we actually DID better. The R&D team went to work and improved the algorithm, and continued with other advances such as supporting complete 1000 pixel per inch systems as Sweden demanded.
But from a product marketing perspective, Motorola’s initial messaging to its customers was critically important.
Because if Motorola didn’t publicly address its FpVTE 2003 performance, then the only people talking about it would be Cogent, NEC, and Sagem Morpho.
And you don’t want to let your competitors deliver your message and steal your prospects.
Biometric Product Marketing Expert, the Song
More Lyria experimentation. Hear my previous effort.
And consider the services Bredemarket provides.
Consultants Don’t Know Everything
They don’t know you.
Which is why good consultants ask questions.
Bredebot’s Lyria Song
Lyria…and Fingerprint Matching
Google Gemini has a new capability: artificial intelligence music generation.
It’s called Lyria.
“Since launching the Gemini app, we’ve built tools to encourage creative expression through images and video. Today, we’re taking the next step: custom music generation. Lyria 3, Google DeepMind’s latest generative music model, is rolling out today in beta in the Gemini app.”
I used this prompt to generate a Lyria tune:
“Create music for a wildebeest using a laptop to compare a latent fingerprint to a tenprint fingerprint”
Google’s response:
“I’ve created a unique atmospheric track for you that blends electronic data-processing sounds with the deep, resonant textures of a wildebeest’s world. You can play the music directly here in our chat!”
Or I could download it and share it with you.
If the City Fails, Try the County (Milwaukee and Biometrica)
The facial recognition brouhaha in southeastern Wisconsin has taken an interesting turn.
According to Urban Milwaukee, the Milwaukee County Sheriff’s Office is pursuing an agreement with Biometrica for facial recognition services.
The, um, benefit? No cost to the county.
“However, the contract would not need to be approved by the Milwaukee County Board of Supervisors, because there would be no cost to the county associated with the contract. Biometrica offers its services to law enforcement agencies in exchange for millions of mugshots.”
Sound familiar? Chris Burt thinks so.
“Milwaukee Police Department has also attempted to contract Biometrica’s services, prompting pushback, at least some of which reflected confusion about how the system works….
“The mooted agreement between Biometrica and MPD would have added 2.5 million images to the database.
“In theory, if MCSO signs a contract with Biometrica, it could perform facial recognition searches at the request of MPD.”
See Bredemarket’s previous posts on the city efforts that are now on hold.
- Is Milwaukee Selling PII for Free Facial Recognition Software Access?
- Forget About Milwaukee’s Facial Recognition DATA: We All Want to See Milwaukee’s Facial Recognition POLICY.
- Fact: Cities Must Disclose Responsible Uses of Biometric Data.
And counties also.
No guarantee that the County will approve what the City didn’t. And considering the bad press from the City’s efforts, including using software BEFORE adopting a policy on its use, it’s going to be an uphill struggle.
