MFB = Multi Factor Biasification?

There’s a paper from Itiel Dror that I need to read. Its title is “Biased and Biasing: The Hidden Bias Cascade and Bias Snowball Effects.”

Here is a portion of the abstract:

“Cognitive bias…impacts each and every aspect of the justice and legal systems, from the initial engagement of police officers attending the crime scene, through the forensic examination, and all the way to the final outcome of the jurors’ verdict and the judges’ sentencing. It impacts not only the subjective elements in the justice and legal systems but also the more objective scientific elements, such as forensic fingerprinting and DNA….[S]uch errors in the final outcome rarely occur because they require that the shortcomings in each element be coordinated and aligned with the other elements. However, in the justice and legal systems, the different elements are not independent; they are coordinated and mutually support and bias each other, creating and enabling hidden bias cascade and bias snowball effects.”

Secretly Using WOMBAT for Positive Impact

We create things for maximum impact. But is the impact positive or negative?

Move fast and break things

In 2019, Hemant Taneja wrote the following in a Harvard Business Review article, “The Era of ‘Move Fast and Break Things’ Is Over”:

“The technologies of tomorrow—genomics, blockchain, drones, AR/VR, 3D printing—will impact lives to an extent that will dwarf that of the technologies of the past ten years.”

Although not mentioned in the sentence above, Taneja subsequently references artificial intelligence—not as a technology, but as an underpinning of the others.

And the overall theme of the piece is a questioning of what all these things DO—and that it may not be good to break things. Destroying society may have an impact, but it’s a negative one. Can anyone think of any recent examples?

Which leads to keeping processes secret. But not all of them.

Bredemarket’s not-so-secret process

If you’ve ever read my CPA page, you may have noticed the phrase “before I write a word.”

Perhaps that’s the point where some people stopped reading the page. After all, Bredemarket provides writing services. Write stuff! Don’t wait.

And I do write stuff, creating a draft 0.5, sleeping on it, and only then creating a draft 1.

But there’s something that I do even before my draft 0.5.

“Before I write a word, I work with you to make sure that I understand your needs. I start by asking seven important questions. This ensures the best possible deliverable.”

In case you’re curious about those seven questions, you can read about them here. These questions certainly aren’t so secret, since I’ve talked about them for a long time. (There used to be six.)

But there’s something I’ve learned not to talk about.

Bredemarket’s secret process

I don’t want to reveal Bredemarket’s secret process, so I’m just going to call it WOMBAT. Not that WOMBAT is unique to Bredemarket; far from it. Many companies use WOMBAT.

And many companies don’t use WOMBAT. In fact, they abhor WOMBAT and call it stifling. (Emotion words. Geddit?)

But I’ve found over the years that if you don’t use WOMBAT, there’s a very good chance that you’ll break things.

And who catches hell? The consultant. “Why did you do what we asked you to do? Now look at the mess you made!”

So out of a sense of fear and self-preservation (geddit?), there are times that I’ve secretly used WOMBAT and not told my clients I’m doing it.

Because it helps my clients make an impact.

A positive one.

(Imagen 3)

Upland California Amazon Fresh Opening May 1

Finally.

Amazon Fresh, April 6, 2025.

Oh, and they’re hiring. Sort of.

Work Address: 235 E. Foothill Blvd, Upland, CA, 91786

Pay Rate: $17.80 per hour

Availability Requirements: Shift availability is dependent on operational needs.

Part-time: Shift availability required 3 days per week, including Saturday and Sunday

Flex-time: Must be available 2 weekdays between Monday-Friday and 1 weekend day/evening between Saturday-Sunday. May be scheduled up to 8 hours weekly, with additional shifts offered based on store availability.

Shifts are between 4 a.m. and 12 a.m. and may be up to 8 hours long

On Comment Cards

How do you elicit feedback from your customers? Pop-ups on your website? Emails?

Well, back when dinosaurs roamed the planet, none of these methods was available.

So you had to resort to other methods.

Corporate comedian Jan McInnis likes to share stories of her early days in comedy, when she was working comedy clubs instead of corporate conventions. Comedy clubs feature several comedians a night, and some do better than others.

And sometimes the same comedian gets different reactions from different audiences.

McInnis was once booked at a club for a week. The club owner was there for the first show, which went great. The owner went on a trip, and as McInnis relates in detail, she bombed for the next several shows. Afterwards, the club owner returned and asked how the week went.

“My first thought was to say the shows were fine and pretend that I didn’t notice the silent stares from 7 separate audiences….BUT I knew she’d see the comment cards and then know that I was not only a terrible comic, but a liar.”

Ah, those pesky comment cards, the dinosaur era version of Google Forms or Adobe Experience Manager Forms. (Gotta promote my favorite AEM consultant. But I digress.)

I won’t give away how McInnis answered the question (read about it here), but I will say that honesty is (usually) the best policy.

But regardless of how you survey your customers, the very act of doing so provides you with important knowledge. Not just data—knowledge.

(Bombing wildebeest comedian from Imagen 3)

DoorDash Gone Wild

One semi-trendy AI application is to use robots to deliver physical items from businesses to consumers…where the robot figures out the delivery route.

According to Dennis Robbins, this is happening in Arizona.

After looking at the regulations, or lack thereof, governing delivery robots in the Phoenix area, Robbins goes into investigative mode.

“After a nice breakfast at IHOP, I found myself facing off with the DoorDash Polar Labs delivery bot.”

If you are not from the U.S., the acronym IHOP stands for International House of Pancakes. (Except for that time when the marketers went crazy.) Not that they’re international, but I digress.

So the delivery bot set out to deliver packages to a hungry customer.

“Anyway … I followed my little friend after it picked up an order from IHOP. Enjoy our strange little jaunt.”

I won’t give it away, other than to comment that AI is like a drug-using teenager who only half listens to you. (I’ve said this before, stealing the idea from Steve Craig and Maxine Most.)

Read the full story here at The Righteous Cause, including commentary.

From Grok.

The One PII/PHI Data Point No One is Discussing

In a February 2024 discussion of the differences and similarities between personally identifiable information (PII) and protected health information (PHI), I published an exhaustive list of types of PII, some of which are also PHI.

  • Social Security Number. 
  • Passport number.
  • Driver’s license number.
  • Taxpayer identification number.
  • Patient identification number.
  • Financial account number.
  • Credit card number.
  • Personal address.
  • Personal telephone number.
  • Photographic image of a face.
  • X-rays.
  • Fingerprints.
  • Retina scan.
  • Voice signature.
  • Facial geometry.
  • Date of birth.
  • Place of birth.
  • Race.
  • Religion.
  • Geographical indicators.
  • Employment information.
  • Medical information.
  • Education information.
  • Financial information.

Looks complete to you, doesn’t it? Well, it isn’t. To, um, identify the missing bit of information that is both PII and PHI, take a look at this LinkedIn post from Jack Appleby. (Thanks to packaging expert Mark Wilson for bringing this post to my attention.)

“A dream brand just sent me a gift package & invite… but they broke the two most important rules of influencer gifting…

“The package was a ridiculously cool collab hoodie + an invite to an event I’ve wanted to go to since I was just a little kid… but the hoodie is a medium… and I’m an XL… and my name was spelled wrong on the invitation.”

And no, I’m not talking about Jack Appleby’s name.

I’M TALKING ABOUT HIS HOODIE SIZE.

And yes, hoodie size in combination with other information is both PII (personally identifiable information) and PHI (protected health information). If your hoodie size is XXL, but your height is only 5’1”…that has some health implications.

Yet at the same time it’s also vital business information. It’s collected from prospects and new employees at trade shows and during employee onboarding. And as Appleby’s example shows, there are potentially severe consequences if you get it wrong.

But does your favorite compliance framework include specific and explicit clauses addressing hoodie size? I bet it doesn’t. And that could be a huge privacy hole.

(The hoodie in my selfie is from my 2022-2023 employer. And yes I still wear it. But I got rid of my IDEMIA, MorphoTrak, Motorola, and Printrak attire.)

Why Do CPAs (the real ones) Manage SOC 2 Audits?

I’ve been around a ton of compliance frameworks during and after the years I worked at Motorola. 

  • The Capability Maturity Model (CMM), from the days before CMMI came into being.
  • The entire ISO 9000 family.
  • The General Data Protection Regulation (GDPR).
  • The California Consumer Privacy Act (CCPA) and the related California Privacy Rights Act (CPRA).
  • The Health Insurance Portability and Accountability Act (HIPAA).
  • The NIST Cybersecurity Framework (CSF).
  • I’d personally throw the FBI CJIS Security Policy onto this list.

SOC it to me

There is one compliance framework that is a little different from CMM, ISO, GDPR, and all the others: the System and Organization Controls (SOC) suite of services.

The most widely known member of the suite is SOC 2® – SOC for Service Organizations: Trust Services Criteria. But you also have SOC 1, SOC 3, SOC for Cybersecurity, SOC for Supply Chain, SOC for Steak…whoops, I made that one up because I’m hungry as I write this. But the others are real.

Who runs the SOC suite

But the difference about the SOC suite is that it’s not governed by engineers or scientists or academics.

It’s governed by CPAs.

And for once I’m not talking about content-proposal-analysis experts.

I’m talking about the AICPA, the American Institute of Certified Public Accountants (now part of the Association of International Certified Professional Accountants, better known as AICPA & CIMA).

Which raises the question: why are a bunch of bean counters defining compliance frameworks for cybersecurity?

Why CPAs run the SOC suite

Ask Schneider Downs. As an accounting firm, they may have an obvious bias regarding this question. But their answers are convincing.

  • “CPAs are subject matter experts in risk management.” You see, my reference above to “bean counters” was derogatory and simplistic. Accountants need to understand financial data and the underlying risks, including vulnerabilities in cash flow, debt, and revenue. For example, if you’ve ever talked to a CxO, you know that revenue is never guaranteed.
  • “It was a natural progression to go from auditing against financial risk to auditing against cybersecurity risk.” Now this may seem odd on the surface, because you wouldn’t think mad Excel skills will help you detect deepfakes. But ignore the tools for a moment and look at a higher level. Because of their risk management expertise, CPAs can apply that knowledge to other types of risk, including non-financial ones. As Schneider Downs goes on to say…
  • “CPAs understand internal control concepts and the appropriate evidence required to support the operating effectiveness of controls.” You need financial controls at your company. You aren’t going to let the summer intern sign multi-million dollar checks. In the same way you need to identify and evaluate the internal controls related to the Trust Services Criteria (TSC) associated with SOC 2: security, availability, processing integrity, confidentiality, and privacy.

So that’s why the accountants are running your SOC 2 audit.

And don’t try to cheat when you pay them for the audit.

And one more thing

A few of you may have detected that the phrase “SOC it to me” is derived from a popular catchphrase from the old TV show Rowan & Martin’s Laugh-In.

A phrase that EVERYBODY said.

(Wildebeest accountants from Imagen 3)

TMA (Too Many Acronyms): DPI vs. DPI

I recently wrote a post that concluded as follows:

By the way, when talking about digital images, Adobe notes that the correct term is pixels per inch, not dots per inch. DPI specifically refers to printer resolution, which is appropriate when you’re printing a fingerprint card but not when you’re displaying an image on a screen.

It’s a safe bet that older readers of Biometric Update—those who used printers to print out fingerprint cards based upon captured digital images—are familiar with the DPI (dots per inch) acronym.

So perhaps those readers, like me, were confused by the title of a recent Biometric Update article, “DPI is the new ‘global tech bet’ and these are the five core motivations for adoption, researchers say.”

What happened to the paperless office? All the police agencies got rid of their file cabinets of cards, and now they’re supposed to adopt DPI again?

Well you know sometimes acronyms have two meanings.

In this case, DPI stands for digital public infrastructure, a key component of smart cities.

And those five core motivations are fiscal resilience, public services, economic development, national sovereignty, and competition and rent extraction.

Although you would think that SMART people could come up with a better term than rent EXTRACTION.

For more information on those core motivations, read the Biometric Update “DPI” article.

And no, I shouldn’t cast stones at acronym misuse, since I’m a self-identified CPA. You can’t account for hypocrisy.