In its article “The Science of Infant Biometrics: Are We Really There Yet?” Integrated Biometrics identifies three key components for success: capture, storage, and matching. Since the Bredemarket blog has previously discussed capture, I’ll quote a bit of what Integrated Biometrics has to say about it.
[I]nfant fingerprints have smaller ridge spacing (roughly) 4-5 pixels compared to 9-10 in adults). Movement, skin peeling, and soft, malleable skin can also distort the fingerprint, making it difficult to capture accurate data.
Because of that size, the company cites studies that suggest a capture resolution of 3500 ppi and beyond may be necessary.
But that’s not the biggest of the three key components. The biggest one is matching, because even if you capture the best infant image, it’s of no use if it doesn’t correctly match (or not match) against adult images.
Luckily, we’re now at the point where we’re starting to get data for the same person at infant and (near) adult ages, so we can study the issue. Integrated Biometrics’ post contains more detail in the section “Can Today’s Algorithms Track Biometric Evolution from Infancy to Adulthood?” I’ll direct you there to read about it.
As you know, I’ve been spending more and more time concentrating on identity issues when a person is not present. This is what the attribute-based access control folks refer to as “non-person entities” (NPEs).
In the article, CyberArk’s Scott Carter makes the following points:
Today there are many more machine identities than human ones.
They may have a short shelf life. Unlike humans, who usually access your systems for months or years if not decades, machine identities may be “created and discarded dynamically in minutes.” (Incidentally, I just wrote a LinkedIn article that delves into this in more detail.)
These identities are being breached. “Half of the surveyed organizations experienced security breaches tied to compromised machine identities within the past year.”
What does this mean?
Well, for CyberArk, it means that it endorses technologies such as automating certificate lifecycle management. And by the strangest coincidence, CyberArk offers a solution…
But for us, it means that we don’t only need automation, but we also need governing processes to ensure that ALL the people and NPEs that are accessing our systems are properly managed, quickly commissioned, and quickly decommissioned.
(Image from Imagen 3. Yes, I’m falling into the habit of reusing images for multiple use cases. It’s easier that way.)
I’ve noticed that my LinkedIn posts on jobseeking perform much better than my LinkedIn posts on the technical intricacies of multifactor identity verification.
But maybe I can achieve both mass appeal and niche engagement.
Private Equity Talent Hunt and Emma Emily
A year ago I reposted something on LinkedIn about a firm called Private Equity Talent Hunt (among other names). As Shelly Jones originally explained, their business model is to approach a jobseeker about an opportunity, ask for a copy of the jobseeker’s resume, and then spring the bad news that the resume is not “ATS friendly” but can be fixed…for a fee.
The repost has garnered over 20,000 impressions and over 200 comments—high numbers for me.
It looks like a lot of people are encountering Jennifer Cona, Elizabeth Vardaman, Sarah Williams, Jessica Raymond, Emily Newman, Emma Emily (really), and who knows how many other recruiters…
…who say they work at Private Equity Talent Hunt, Private Equity Recruiting Firm, Private Equity Talent Seek, and who knows how many other firms.
If only there were a way to know if you’re communicating with a real person, at a real business.
KYC and KYB let companies make sure they’re dealing with real people, and that the business is legitimate and not a front for another company—or for a drug cartel or terrorist organization.
So if a company is approached by Emma Emily at Private Equity Talent Hunt, what do they need to do?
The first step is to determine whether Emma Emily is a real person and not a synthetic identity. You can use a captured facial image, analyzed by liveness detection, coupled with a valid government ID, and possibly supported by home ownership information, utility bills, and other documentation.
If there is no Emma Emily, you can stop there.
But if Emma Emily is a real person, you can check her credentials. Where is she employed today? Where was she employed before? What are her post secondary degrees? What does her LinkedIn profile say? If her previous job was as a jewelry designer and her Oxford degree was in nuclear engineering, Emma Emily sounds risky.
And you can also check the business itself, such as Private Equity Talent Hunt. Check their website, business license, LinkedIn profile, and everything else about the firm.
But I’m not a business!
OK, I admit there’s an issue here.
There are over 100 businesses that provide identity verification services, and many of them provide KYC and KYB.
To other businesses.
Very few people purchase KYC and KYB per se for personal use.
So you have to improvise.
Ask Emma Emily some tough questions.
Ask her about the track record of her employer.
And if Emma Emily claims to be a recruiter for a well-known company like Amazon, ask for her corporate email address.
Celina Moreno is the CEO and Co-Founder of Luna Marketing Services. And I always forget her name, so when I see her in Luna Marketing Services’ Instagram videos, I always call her “Luna.”
You remember the first TikTok ban, which had the same outcome as your usual “fights” between cable/satellite providers and content channels. Everyone gets all excited, but then they all kiss and make up.
Except with TikTok, we have to go through it all over again. And maybe again after that.
I’m not going to steal Luna’s…I mean Moreno’s post, but I do want to quote a brief excerpt.
We are now not in the hands of the Supreme Court or the legal system. We are in the hands of the current administration, a potential deal, and fate….
Unlike January’s drawn-out drama after the Supreme Court ruling upholding the ban, nothing is certain yet, but the pressure is mounting. For many, this feels like a countdown to an uncertain future.
April 5th might not be doomsday—but it could be the day the countdown gets real. There are still a lot of unknowns.
Remember in January when OpenAI announced some great achievement, and then a few days later we learned that the Chinese firm DeepSeek could boast the same performance, only much better?
These Chinese leapfrogs don’t only happen in artificial intelligence.
One kilometer facial capture
In February, I wrote about something that I initially heard of via Biometric Update. My post, “How to Recognize People From Quite a Long Way Away,” told of an effort at Heriot-Watt University in Edinburgh, Scotland in which the researchers used light detection and ranging (LiDAR) to capture and evaluate faces from as far as a kilometer away.
In normal circumstances, we capture faces from a distance of mere meters. So one kilometer facial capture is impressive.
Scientists in China have created a satellite with laser-imaging technology powerful enough to capture human facial details from more than 60 miles (100 kilometers) away….
According to the South China Morning Post, the scientists conducted a test across Qinghai Lake in the northwest of the country with a new system based on synthetic aperture lidar (SAL), a type of laser radar capable of constructing two-dimensional or three-dimensional images.
Qinghai Lake, from Google Maps.
Writers will note that the acronym SAL incorporates the L from the acronym LiDAR. This is APO, or acronym piling on.
Since I cannot read the original report, I don’t know if the researchers actually performed tests with actual faces. But supposedly SAL “detected details as small as 0.07 inches (1.7 millimeters),” based in part upon the benefits of its technology:
[T]his new system operates at optical wavelengths, which have much shorter wavelengths than microwaves and produce clearer images (though microwaves are better for penetrating into materials, because their longer wavelengths aren’t scattered or absorbed as easily).
All the cited articles make a big deal about the 100 kilometer distance’s equivalence to the boundaries of space. But before you get too excited, remember that a space-hosted SAL will be ABOVE any human subjects, and therefore will NOT capture the face at an optimal angle…
I’m admittedly fascinated by the parallels between people and non-person entities (NPEs), to the point where I asked at one point whether NPEs can use the factors of authentication. (All six. Long story.)
When I got to the “something you are” factor, which corresponds to biometrics in humans, here is what I wrote:
Something you are. For simplicity’s sake, I’ll stick to physical objects here, ranging from pocket calculators to hand-made ceramic plates. The major reason that we like to use “something you are” as a factor is the promise of uniqueness. We believe that fingerprints are unique (well, most of us), and that irises are unique, and that DNA is unique except for identical twins. But is a pocket calculator truly unique, given that the same assembly line manufactures many pocket calculators? Perhaps ceramic plates exhibit uniqueness, perhaps not.
But I missed one thing in that discussion, so I wanted to revisit it.
Understanding IMEI Numbers
Now this doesn’t apply to ceramic plates or pocket calculators, but there are some NPEs that assert uniqueness.
Our smartphones, each of which has an International Mobile Equipment Identity (IMEI) number.
IMEI stands for International Mobile Equipment Identity. It’s a unique identifier for mobile devices, much like a fingerprint for your phone’s IMEI number.
Now some of you who are familiar with biometrics are saying, “Hold it right there.”
Can someone assert that there has NEVER been two people with the same fingerprint in all of human history?
But let’s stick to phones, Johnny.
Each IMEI number is a 15-digit code that’s assigned to every mobile phone during its production. This number helps in uniquely identifying a device regardless of the SIM card used.
This is an important point here. Even Americans understand that SIM cards are transient and can move from one phone to another, and therefore are not valid to uniquely identify phones.
What about IMEIs?
Are IMEIs unique?
I won’t go into the specifics of the 15-digit IMEI number format, which you can read about here. Suffice it to say that the format dictates that the number incorporate the make and model, a serial number, and a check digit.
Therefore smartphones with different makes and models cannot have the same IMEI number by definition.
And even within the make and model, by definition no two phones can have the same serial number.
Why not? Because everyone says so.
It’s even part of the law.
Changing an IMEI number is illegal in many countries due to the potential misuse, such as using a stolen phone. Tampering with the IMEI can lead to severe legal consequences, including fines and imprisonment. This regulation helps in maintaining the integrity of mobile device tracking and discourages the theft and illegal resale of devices.
IMEIs in India
To all of the evidence above about the uniqueness of IMEI numbers, I only have two words:
So what?
A dedicated person can create or modify multiple smartphones to have the exact same IMEI number if desired. Here’s a recent example:
The Indore Police Crime Branch has dismantled two major digital arrest fraud rackets operating in different parts of the country, seizing a massive database containing private details of 20,000 pensioners in Indore….
A dark room in the flat functioned as the nerve centre of the cyber fraud operation, which had been active since 2019. The group specialised in IMEI cloning and used thousands of SIM cards from select mobile networks.
IMEIs in Canada
“Oh, but that’s India,” you say. “That couldn’t happen in a First World country.”
A Calgary senior is warning others after he was scammed out of $1,000 after buying what he thought was a new iPhone 15 Pro Max.
“I didn’t have any doubt that it was real,” Boyd told Global News….
The seller even provided him with the “original” receipt showing the phone had been purchased down east back in October 2023. Boyd said he also checked the phone’s serial number and the International Mobile Equipment Identity (IMEI). All checked out fine.
Boyd said the first sign of a problem was when he tried to update the phone with his own information and it wouldn’t update. It was only after he took it to a representative at a local Apple retailer, that he realized he had been duped.
IMEIs in general
Even IMEICheck.net, which notes that the threat of stealing one’s phone information is overrated, admits that it is possible (albeit difficult) to clone an IMEI number.
In theory, hackers can clone a phone using its IMEI, but this requires significant effort. They need physical access to the device or SIM card to extract data, typically using specialized tools.
The cloning process involves copying the IMEI and other credentials necessary to create a functional duplicate of the phone. However, IMEI number security features in modern devices are designed to prevent unauthorized cloning. Even if cloning is successful, hackers cannot access personal data such as apps, messages, photos, or passwords. Cloning usually only affects network-related functions, such as making calls or sending messages from the cloned device.
Again, NOTHING provides 100.00000% security. Not even an IMEI number.
What this means for IMEI uniqueness claims
So if you are claiming uniqueness of your smartphone’s IMEI, be aware that there are proven examples to the contrary.
Perhaps the shortcomings of IMEI uniqueness don’t matter in your case, and using IMEIs for individualization is “good enough.”
(Imagen 3 image. Oddly enough, Google Gemini was unable, or unwilling, to generate an image of three smartphones displaying the exact same 15-digit string of numbers, or even a 2-digit string. I guess Google thought I was a fraudster.)
Regarding facial recognition, I wrote this in a social media conversation earlier today:
“Facial recognition CAN be used as a crowd checking tool…with proper governance, including strict adherence to a policy of only using FR as an investigative lead, and requiring review of potential criminal matches by a forensic face investigator. Even then, investigative lead ONLY. Same with DNA.”
I received this reply:
“It’s true but in my experience cops rarely follow any rules.”
Now I could have claimed that this view was exaggerated, but there are enough examples of cops who DON’T follow the rules to tarnish all of them.
“The complaint alleges that the surveillance footage is poorly lit, the shoplifter never looks directly into the camera and still a Detroit Police Department detective ran a grainy photo made from the footage through the facial recognition technology.”
There’s so much that isn’t said here, such as whether a forensic face examiner made a definitive conclusion, or if the detective just took the first candidate from the list and ran with it.
But I am willing to bet that there was no independent evidence placing Williams at the shop location.
Why this matters
The thing that concerns me about all this? It just provides ammo to the people who want to ban facial recognition entirely.
Yes, oil company executives. I keep on hearing ads for some TV show that imply that the oil industry is invincible. Um…ask John Connally.
Survey says
Richard Dawson did not kiss anyone in this survey.
Back to the survey, conducted by the ultra libtards at the Federal Reserve Bank of Dallas.
“Uncertainty around everything has sharply risen during the past quarter,” another executive said. “Planning for new development is extremely difficult right now due to the uncertainty around steel-based products.”
But what of the politicians in high places who are pro-oil (well, except when they promote a certain woke electric car) and are doing everything they can to encourage oil production?
“The threat of $50 oil prices by the administration has caused our firm to reduce its 2025 and 2026 capital expenditures,” an executive said. “‘Drill, baby, drill’ does not work with $50 per barrel oil. Rigs will get dropped, employment in the oil industry will decrease, and U.S. oil production will decline as it did during COVID-19.”
I wonder if one of my old employers is still conducting its three year planning exercises.
I was encouraged to check out k-ID, a firm that tracks age compliance laws on a global basis. It also lets companies ensure that their users comply with these laws.
“Age assurance refers to a range of methods and technologies used to estimate, verify or confirm someone’s age. Different countries allow different methods, but here are a few commonly used by k-ID…”
The following methods are then listed:
Face Scan: Your age is estimated by completing a video selfie
ID Scan: Your age is confirmed by scanning a government-issued ID
Credit Card: Confirm you’re an adult by using a valid credit card
Note that k-ID’s age assurance methods include age estimation (via your face), age verification (via your government ID), and age who-knows-what (IMHO, possession of a credit card proves nothing, especially if it’s someone else’s).
But if k-ID truly applies the appropriate laws to age assurance, it’s a step in the right direction. Because keeping track of laws in hundreds of thousands of jurisdictions can be a…um…challenge.
12-18-6.1. Voters required to provide identification before voting.
When the voter is requesting a ballot, the voter shall present a valid form of personal identification. The personal identification that may be presented shall be either:
(1) A South Dakota driver’s license or nondriver identification card;
(2) A passport or an identification card, including a picture, issued by an agency of the United States government;
(3) A tribal identification card, including a picture; or
(4) A current student identification card, including a picture, issued by a high school or an accredited institution of higher education, including a university, college, or technical school, located within the State of South Dakota.
As most people know, legislators only define the law in broad strokes. It is up to the executive to figure out the details of how to implement the law.
So how does the South Dakota Board of Elections determine that the presented identification is valid?
Does every precinct worker in South Dakota possess a copy of a guide (such as this one) that includes, among other items:
“Explanation of what the proper alphanumeric sequencing of a South Dakota ID or Driver’s License should be (how many letters, numbers, etc.).”
In addition, does every precinct worker in South Dakota have access to software and equipment (such as this one that uses “white, infrared, ultraviolet and coaxial lights”) that detects deepfake IDs? This one has a $1,600 list price. You can get cheaper ones that only support white light and can’t detect the other security features, but such readers would violate the law.
If the state can negotiate a discount of $1,000 per reader, then you can equip almost 700 precincts for less than $1 million (excluding training and maintenance, and assuming only 1 reader per precinct). A small price to pay for democracy.
Of course voter ID fraud doesn’t just affect South Dakota, as I previously noted. But even if South Dakota doesn’t equip its precinct workers to reject voters with fake IDs, I’m sure the other states do.
Bredemarket 