Bredemarket

Examples of Biometric Technology Misuse

If I become known for anything in biometrics, I want to be known for my extremely frequent use of the words “investigative lead.”

Whether you are talking about DNA or facial recognition, these types of biometric evidence should not be the sole evidence used to arrest a person.

For an example of why DNA shouldn’t be your only evidence, see my recent post about Amanda Knox.

Facial recognition misuse in law enforcement

Regarding facial recognition, I wrote this in a social media conversation earlier today:

“Facial recognition CAN be used as a crowd checking tool…with proper governance, including strict adherence to a policy of only using FR as an investigative lead, and requiring review of potential criminal matches by a forensic face investigator. Even then, investigative lead ONLY. Same with DNA.”

I received this reply:

“It’s true but in my experience cops rarely follow any rules.”

Now I could have claimed that this view was exaggerated, but there are enough examples of cops who DON’T follow the rules to tarnish all of them.

Revisiting Robert Williams’ Detroit arrest

I’ve already addressed the sad story of Robert Williams, who was “wrongfully arrested based upon faulty facial recognition results.”

At the time, I did not explicitly share the circumstances behind Williams’ arrest:

“The complaint alleges that the surveillance footage is poorly lit, the shoplifter never looks directly into the camera and still a Detroit Police Department detective ran a grainy photo made from the footage through the facial recognition technology.”

There’s so much that isn’t said here, such as whether a forensic face examiner made a definitive conclusion, or if the detective just took the first candidate from the list and ran with it.

But I am willing to bet that there was no independent evidence placing Williams at the shop location.

Why this matters

The thing that concerns me about all this? It just provides ammo to the people who want to ban facial recognition entirely.

Not realizing that the alternative—manual witness (mis)identification—is far more inaccurate and far more racist.

But the controversy would pretty much go away if criminal investigators only used facial recognition and DNA as investigative leads.

Uncertainty Below Ground Level

I previously wrote about how marketers can navigate the “time of uncertainty,” including three suggested tips:

De-emphasize long term planning
Expect the unexpected
Move quickly

In short, agile to the extreme.

But writers aren’t the only ones faced with uncertainty.

If these anonymous survey results are to be believed, despair is setting in among…oil company executives.

Yes, oil company executives. I keep on hearing ads for some TV show that imply that the oil industry is invincible. Um…ask John Connally.

Survey says

Richard Dawson did not kiss anyone in this survey.

Back to the survey, conducted by the ultra libtards at the Federal Reserve Bank of Dallas.

“Uncertainty around everything has sharply risen during the past quarter,” another executive said. “Planning for new development is extremely difficult right now due to the uncertainty around steel-based products.”

But what of the politicians in high places who are pro-oil (well, except when they promote a certain woke electric car) and are doing everything they can to encourage oil production?

“The threat of $50 oil prices by the administration has caused our firm to reduce its 2025 and 2026 capital expenditures,” an executive said. “‘Drill, baby, drill’ does not work with $50 per barrel oil. Rigs will get dropped, employment in the oil industry will decrease, and U.S. oil production will decline as it did during COVID-19.”

I wonder if one of my old employers is still conducting its three year planning exercises.

How Does k-ID Perform Age Assurance?

I was encouraged to check out k-ID, a firm that tracks age compliance laws on a global basis. It also lets companies ensure that their users comply with these laws.

How? The company explains.

“Age assurance refers to a range of methods and technologies used to estimate, verify or confirm someone’s age. Different countries allow different methods, but here are a few commonly used by k-ID…”

The following methods are then listed:

Face Scan: Your age is estimated by completing a video selfie
ID Scan: Your age is confirmed by scanning a government-issued ID
Credit Card: Confirm you’re an adult by using a valid credit card

Note that k-ID’s age assurance methods include age estimation (via your face), age verification (via your government ID), and age who-knows-what (IMHO, possession of a credit card proves nothing, especially if it’s someone else’s).

But if k-ID truly applies the appropriate laws to age assurance, it’s a step in the right direction. Because keeping track of laws in hundreds of thousands of jurisdictions can be a…um…challenge.

(Old Enough picture from Imagen 3)

Looking at One Voter ID State

Back in 2023, I wrote “How to Vote Fraudulently in a Voter ID State.” But that only works if the voter ID state fails to protect its precincts from fake IDs.

Here is an example of voter ID legislation, this one from South Dakota.

12-18-6.1. Voters required to provide identification before voting.

When the voter is requesting a ballot, the voter shall present a valid form of personal identification. The personal identification that may be presented shall be either:

(1) A South Dakota driver’s license or nondriver identification card;

(2) A passport or an identification card, including a picture, issued by an agency of the United States government;

(3) A tribal identification card, including a picture; or

(4) A current student identification card, including a picture, issued by a high school or an accredited institution of higher education, including a university, college, or technical school, located within the State of South Dakota.

Source: SL 2003, ch 82, § 1; SL 2004, ch 108, § 3; SL 2006, ch 71, § 1.

As most people know, legislators only define the law in broad strokes. It is up to the executive to figure out the details of how to implement the law.

So how does the South Dakota Board of Elections determine that the presented identification is valid?

Does every precinct worker in South Dakota possess a copy of a guide (such as this one) that includes, among other items:

“Explanation of what the proper alphanumeric sequencing of a South Dakota ID or Driver’s License should be (how many letters, numbers, etc.).”

In addition, does every precinct worker in South Dakota have access to software and equipment (such as this one that uses “white, infrared, ultraviolet and coaxial lights”) that detects deepfake IDs? This one has a $1,600 list price. You can get cheaper ones that only support white light and can’t detect the other security features, but such readers would violate the law.

If the state can negotiate a discount of $1,000 per reader, then you can equip almost 700 precincts for less than $1 million (excluding training and maintenance, and assuming only 1 reader per precinct). A small price to pay for democracy.

Unfortunately, I could not find Regula in the list of certified South Dakota voting equipment. Perhaps South Dakota uses a competitor.

Of course voter ID fraud doesn’t just affect South Dakota, as I previously noted. But even if South Dakota doesn’t equip its precinct workers to reject voters with fake IDs, I’m sure the other states do.

Well, maybe not Alabama.

Age Estimation is Challenging

(Part of the biometric product marketing expert series)

Two Biometric Update stories that were published on March 27, 2025 reminded me of something I wrote before.

One involved Paravision.

An announcement from Paravision says its biometric age estimation technology has achieved Level 3 certification from the Age Check Certification Scheme (ACCS), the leading independent certification body for age estimation. The results make it one of only six companies globally to receive ACCS’s highest-level designation for compliance.

San Francisco-based Paravision’s age estimation tech posted 100 percent precision in Challenge 25 compliance, with 0 subjects falsely identified as over 25 years old. It also scored a 0 percent Failure to Acquire Rate, meaning that every image submitted for analysis returned a result. Mean Absolute Error (MAE) was 1.37 years, with Standard Deviation of 1.17.

Now this is an impressive achievement, and Paravision is a quality company, and Joey Pritikin is a quality biometric executive, but…well, let me share the other story first, involving a Yoti customer (not Yoti).

Fenix responded that it set a challenge threshold at 23 years of age. Any user estimated to be that age or younger based on their face biometrics is required to use a secondary method for age verification.

Fenix had set OnlyFans challenge age, it turns out, at 20 years old. A correction to 23 years old was carried out on January 16, and then Fenix changed it again three days later, to 21 years old, Ofcom says.

Now Biometric Update was very clear that “Yoti provides the tech, but does not set the threshold.”

Challenge ages and legal ages

But do challenge thresholds have any meaning? I addressed that issue back in May 2024.

Many of the tests used a “Challenge-T” policy, such as “Challenge 25.” In other words, the test doesn’t estimate whether a person IS a particular age, but whether a person is WELL ABOVE a particular age….

So if you have to be 21 to access a good or service, the algorithm doesn’t estimate if you are over 21. Instead, it estimates whether you are over 25. If the algorithm thinks you’re over 25, you’re good to go. If it thinks you’re 24, pull out your ID card.

And if you want to be more accurate, raise the challenge age from 25 to 28.

NIST admits that this procedure results in a “tradeoff between protecting young people and inconveniencing older subjects” (where “older” is someone who is above the legal age but below the challenge age).

You may be asking why the algorithms have to set a challenge age above the lawful age, thus inconveniencing people above the lawful age but below the challenge age.

The reason is simple.

Age estimation is not all that accurate.

I mean, it’s accurate enough if I (a person well above the age of 21 years) must indicate whether I’m old enough to drink, but it’s not sufficiently accurate for a drinker on their 21st birthday (in the U.S.), or a 13 year old getting their first social media account (where lawful).

If you have a government issued ID, age verification based upon that ID is a much better (albeit less convenient) solution.

(Kid computer picture by Adrian Pingstone – Transferred from en.wikipedia, Public Domain, https://commons.wikimedia.org/w/index.php?curid=112727.)

(Fake driver license picture from https://www.etsy.com/listing/1511398513/editable-little-drivers-license.)

The “Biometric Digital Identity Deepfake and Synthetic Identity Prism Report” is Coming

As you may have noticed, I have talked about both deepfakes and synthetic identity ad nauseum.

But perhaps you would prefer to hear from someone who knows what they’re talking about.

On a webcast this morning, C. Maxine Most of The Prism Project reminded us that the “Biometric Digital Identity Deepfake and Synthetic Identity Prism Report” is scheduled for publication in May 2025, just a little over a month from now.

As with all other Prism Project publications, I expect a report that details the identity industry’s solutions to battle deepfakes and synthetic identities, and the vendors who provide them.

And the report is coming from one of the few industry researchers who knows the industry. Max doesn’t write synthetic identity reports one week and refrigerator reports the next, if you know what I mean.

At this point The Prism Project is soliciting sponsorships. Quality work doesn’t come for free, you know. If your company is interested in sponsoring the report, visit this link.

While waiting for Max, here are the Five Tops

And while you’re waiting for Max’s authoritative report on deepfakes and synthetic identity, you may want to take a look at Min’s (my) views, such as they are. Here are my current “five tops” posts on deepfakes and synthetic identity.

March 17, 2025, “How Much Does Synthetic Identity Fraud Cost?“
March 11, 2025, “Update: A Little Harder to Create Voice Deepfakes?“
February 24, 2024, “Why Knowledge-Based Authentication Fails at Authentication.”
November 3, 2023, “Kelly Shepherd, #fakefakefake.”
August 15, 2023, “Communicating How Your Firm Fights Synthetic Identities.”

Baby Steps Toward Order of Magnitude Increases in Fingerprint Resolution

(Part of the biometric product marketing expert series)

For many years, the baseline for high-quality capture of fingerprint and palm print images has been to use a resolution of 500 pixels per inch. Or maybe 512 pixels per inch. Whatever.

The crime scene (latent) folks weren’t always satisfied with this, so they pushed to capture latent fingerprint and latent palm print images at 1000 pixels per inch. Pardon me, 1024.

But beyond this, the resolution of captured prints hasn’t really changed in decades. I’m sure some people have been capturing prints at 2000 (2048) pixels per inch, but there aren’t massive automated biometric identification systems that fully support this resolution from end to end.

But that may be changing.

One important truth about infant fingerprints

For about as long as latent examiners have pursued 1000 ppi print capture, people outside of the criminal justice arena have been looking at fingerprints for a very different purpose.

Our normal civil fingerprint processes require us to identify people via fingerprints beginning at the age of 18, or perhaps at the age of 12.

But gow do we identify people in those first 12 years?

More specifically, can we identify someone via their fingerprints at birth, and then authenticate them as an adult by comparing to those original prints?

It’s a dream, but many have pursued this dream. Dr. Anil Jain at Michigan State University has pursued this for years, and co-authored a 2014 paper on the topic.

Given that children, as well as the adults, in low income countries typically do not have any form of identification documents which can be used for this purpose [vaccination], we address the following question: can fingerprints be effectively used to recognize children from birth to 4 years? We have collected 1,600 fingerprint images (500 ppi) of 20 infants and toddlers captured over a 30-day period in East Lansing, Michigan and 420 fingerprints of 70 infants and toddlers at two different health clinics in Benin, West Africa.

At the time, it probably made sense to use 500 pixel per inch scanners to capture the prints, since developing countries don’t have a lot of money to throw around on expensive 1000 ppi scanners. But the use of regular scanners runs counter to a very important truth about infants and their fingerprints. Are you sitting down?

Because infants are smaller than adults, infant fingerprints are smaller than adult fingerprints.

Think about it. The standard FBI fingerprint card assumes that a rolled fingerprint occupies 1.6 inches x 1.5 inches of space. If you were to roll an infant fingerprint, it would occupy much less than that. Heck, I don’t even know if an infant’s entire FINGER is 1.6 inches long.

So the capture device is obtaining these teeny tiny ridges, and these teeny tiny ridge endings, and these teeny tiny bifurcations. Or trying to. And if those second-level details can’t be captured, then you’re not going to get the minutiae, and your fingerprint matching is going to fail.

So a decade later, researchers today are adopting a newer approach, according to a Biometric Update summary of an ID4Africa webinar. (This particular portion is at the very end of the webinar, at around the 2 hour 40 minute mark.)

A video presentation from Judge Lidia Maejima of the Court of Justice of Parana, Brazil introduced the emerging legal framework for biometric identification of infants. Her representative Felipe Hay explained how researchers in Brazil developed 5,000 dpi scanners, he says, which accurately record the minutiae of infants’ fingerprints.

Did you capture that? We’re moving from five hundred pixels per inch to FIVE THOUSAND pixels per inch. (Or maybe 5120.) Whether even that resolution is capable of capturing infant fingerprint detail remains to be seen.

And as Dr. Joseph Atick noted, all this research is still in its…um…infancy. We won’t know for years whether the algorithms can truly match infant fingerprints to child or adult fingerprints.

By the way, when talking about digital images, Adobe notes that the correct term is pixels per inch, not dots per inch. DPI specifically refers to printer resolution, which is appropriate when you’re printing a fingerprint card but not when you’re displaying an image on a screen.

(Image from From https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.500-290e3.pdf )

Diluting the Impact

Much business time is spent waiting…and sometimes you’re waiting on someone who is procrastinating.

Itamar Shatz, PhD provided several examples of business procrastination. This one caught my eye:

“Delaying marketing your new app, because you’re a developer or a designer and marketing is outside your comfort zone.”

But it’s not just developers or designers who delay product marketing efforts.

Two reasons why product marketers don’t market

While it’s easy to blame the techie, non-techies can also delay a go-to-market effort. Even product marketers can and do delay a go-to-market effort. Not because of comfort zone issues, but for two other reasons.

Reason One: The good is the enemy of the perfect

The first was cited by Shatz in another context:

“Delaying launching your new product, because you want to make sure that it’s absolutely perfect, even though it’s already good enough for your purposes and it would be better to just launch it already.”

In the same way we want our product to be perfect, we often want our product marketing to be perfect. Thus the A version becomes the B version which becomes the C version until we run out of letters at Z and have to employ the Excel solution and create version AA, AB, and so forth.

Reason Two: Being on the wrong level of the three levels of importance

But there’s another reason for the frustratingly endless revision cycles: you can’t get all the reviewers to look at the first version, or the second.

Why not?

Because the go-to-market project is important.

Not critically important.

We’ve all encountered situations where things that are critically important to us are merely important to others. I still remember the time when a company executive talked about how important a particular project was…and then left the room, conveying an unintended message.

And when things are relatively unimportant, they don’t happen.

And because of the delay, your product’s impact is diluted.

(Image of bus stop shelter in Chandigarh, India by Sarbjit Bahga, CC BY-SA 4.0, https://commons.wikimedia .org/wiki/File:Bus_stop_in_Chandigarh.jpg )

NPRM

Third party risk management, illustrated by a locked safe connected to a breached safe.

Back in January I wrote a post entitled “TPRM,” and I want to expand upon that post.

But first I want to talk about [REDACTED].

Because people who have been around for a while have heard the phrase that if you’ve ever had [REDACTED] with someone, you’ve had [REDACTED] with everyone they’ve ever had [REDACTED] with. At least in terms of [REDACTED] transmitted diseases. Lloyds Pharmacy Online even developed a “[REDACTED] degrees of separation” calculator to quantify that exposure.

Beyond third-party risk

But enough about [REDACTED]. Your company’s data and information are subject to similar threats.

I mean, it’s all well and great for you to adopt a third-party risk management system to make sure that your vendors and suppliers aren’t letting bad things happen to your data and information.

But guess what? All those third parties have third parties of their own.

Risk and Compliance Magazine explains:

A fourth party is an independent entity that provides services to you on behalf of your third-party service provider – also known as your third party’s third party. A fourth party is also known as a subcontractor or sub-outsourcer. Fourth parties have not signed an agreement with your organisation, so they do not have a legally binding obligation to your business. Your third party itself may subcontract all or some obligations of their agreement to you to another service provider.

An example

Let me delve into an example that I touched upon in my January post.

Let’s say that you did business with Bank of America.
You checked out Bank of America’s systems as part of your due diligence.
Perhaps you determined that everything was right and fine with the bank.
But it was NOT right and fine with one of Bank of America’s software providers, which is a FOURTH party to you.
So there’s this other system that you never contracted with.
But perhaps you’re one of the unlucky 414-plus Bank of America customers whose data was exposed because of this fourth party.

And the fourth parties have fifth parties, the fifth parties have sixth parties, and so fourth. I mean forth.

Making an impact

Luckily there are companies that provide aids not only to address third-party risk, but also nth-party risk when data is transmitted all over the place.

Hence my acronym NPRM, Nth-party risk management.

Which really stands for “notice of proposed rulemaking,” but what the hey.

Anyway, these companies and many other technology companies are making an impact.

But does anyone know what these companies are doing?

Perhaps Bredemarket can help your company make an impact with my content, proposal, and analysis services. If so, let me know.

(The image was created by Imagen 3.)

DNA Contamination Has Consequences. Ask Amanda Knox.

(Part of the biometric product marketing expert series)

When Thermo Fisher Scientific announced Amanda Knox as one of its speakers at the HIDS 2025 conference (image from the HIDS 2025 conference page), I wondered why. All of knew of Knox was that she was imprisoned for a murder in Italy that she didn’t commit.

I then found the details.

Prosecution Exhibit #36 was a knife discovered in the kitchen drawer of Raffaele Sollecito’s apartment on November 6, 2007. The police claimed this knife, 31 m long with a 17.5 cm blade, to be the murder weapon. It was the only physical evidence linking Amanda Knox to the murder. The Scientific Police claimed to have found Knox’s DNA on the handle and [murder victim Meredith] Kercher’s DNA on the blade and called the knife the “double DNA knife.”

Because DNA proves all, Knox was sent off to prison.

Only there was one problem.

Later re-evaluation of the knife left little doubt that the DNA found on the knife was the result of contamination.

You see, DNA evidence is examined in a lab. So if someone takes DNA from a knife blade and compares it to DNA taken from Amanda Knox, and if the samples have a high probability of a match, then you can make a determination.

But what if there were a mixture of the DNA, and Knox’s sample was mixed with the knife sample at some point, or misidentified? Then Knox’s DNA would match to Knox’s DNA, but that may have nothing to do with the DNA that was originally on the knife.

And you know nothing.