On Comment Cards

How do you elicit feedback from your customers? Pop-ups on your website? Emails?

Well, back when dinosaurs roamed the planet, none of these methods was available.

So you had to resort to other methods.

Corporate comedian Jan McInnis likes to share stories of her early days in comedy, when she was working comedy clubs instead of corporate conventions. Comedy clubs feature several comedians a night, and some do better than others.

And sometimes the same comedian gets different reactions from different audiences.

McInnis was once booked at a club for a week. The club owner was there for the first show, which went great. The owner went on a trip, and as McInnis relates in detail, she bombed for the next several shows. Afterwards, the club owner returned and asked how the week went.

“My first thought was to say the shows were fine and pretend that I didn’t notice the silent stares from 7 separate audiences….BUT I knew she’d see the comment cards and then know that I was not only a terrible comic, but a liar.”

Ah, those pesky comment cards, the dinosaur era version of Google Forms or Adobe Experience Manager Forms. (Gotta promote my favorite AEM consultant. But I digress.)

I won’t give away how McInnis answered the question (read about it here), but I will say that honesty is (usually) the best policy.

But regardless of how you survey your customers, the very act of doing so provides you with important knowledge. Not just data—knowledge.

(Bombing wildebeest comedian from Imagen 3)

DoorDash Gone Wild

One semi-trendy AI application is to use robots to deliver physical items from businesses to consumers…where the robot figures out the delivery route.

According to Dennis Robbins, this is happening in Arizona.

After looking at the regulations, or lack thereof, governing delivery robots in the Phoenix area, Robbins goes into investigative mode.

“After a nice breakfast at IHOP, I found myself facing off with the DoorDash Polar Labs delivery bot.”

If you are not from the U.S., the acronym IHOP stands for International House of Pancakes. (Except for that time when the marketers went crazy.) Not that they’re international, but I digress.

So the delivery bot set out to deliver packages to a hungry customer.

“Anyway … I followed my little friend after it picked up an order from IHOP. Enjoy our strange little jaunt.”

I won’t give it away, other than to comment that AI is like a drug-using teenager who only half listens to you. (I’ve said this before, stealing the idea from Steve Craig and Maxine Most.)

Read the full story here at The Righteous Cause, including commentary.

From Grok.

The One PII/PHI Data Point No One is Discussing

In a February 2024 discussion of the differences and similarities between personally identifiable information (PII) and protected health information (PHI), I published an exhaustive list of types of PII, some of which are also PHI.

  • Social Security Number. 
  • Passport number.
  • Driver’s license number.
  • Taxpayer identification number.
  • Patient identification number.
  • Financial account number.
  • Credit card number.
  • Personal address.
  • Personal telephone number.
  • Photographic image of a face.
  • X-rays.
  • Fingerprints.
  • Retina scan.
  • Voice signature.
  • Facial geometry.
  • Date of birth.
  • Place of birth.
  • Race.
  • Religion.
  • Geographical indicators.
  • Employment information.
  • Medical information.
  • Education information.
  • Financial information.

Looks complete to you, doesn’t it? Well, it isn’t. To, um, identify the missing bit of information that is both PII and PHI, take a look at this LinkedIn post from Jack Appleby. (Thanks to packaging expert Mark Wilson for bringing this post to my attention.)

“A dream brand just sent me a gift package & invite… but they broke the two most important rules of influencer gifting…

“The package was a ridiculously cool collab hoodie + an invite to an event I’ve wanted to go to since I was just a little kid… but the hoodie is a medium… and I’m an XL… and my name was spelled wrong on the invitation.”

And no, I’m not talking about Jack Appleby’s name.

I’M TALKING ABOUT HIS HOODIE SIZE.

And yes, hoodie size in combination with other information is both PII (personally identifiable information) and PHI (protected health information). If your hoodie size is XXL, but your height is only 5’1”…that has some health implications.

Yet at the same time it’s also vital business information. It’s collected from prospects and new employees at trade shows and during employee onboarding. And as Appleby’s example shows, there are potentially severe consequences if you get it wrong.

But does your favorite compliance framework include specific and explicit clauses addressing hoodie size? I bet it doesn’t. And that could be a huge privacy hole.

(The hoodie in my selfie is from my 2022-2023 employer. And yes I still wear it. But I got rid of my IDEMIA, MorphoTrak, Motorola, and Printrak attire.)

Why Do CPAs (the real ones) Manage SOC 2 Audits?

I’ve been around a ton of compliance frameworks during and after the years I worked at Motorola. 

  • The Capability Maturity Model (CMM), from the days before CMMI came into being.
  • The entire ISO 9000 family.
  • The General Data Protection Regulation (GDPR).
  • The California Consumer Privacy Act (CCPA) and the related California Privacy Rights Act (CPRA).
  • The Health Insurance Portability and Accountability Act (HIPAA).
  • The NIST Cybersecurity Framework (CSF).
  • I’d personally throw the FBI CJIS Security Requirements onto this list.

SOC it to me

There is one compliance framework that is a little different from CMM, ISO, GDPR, and all the others: the System and Organization Controls (SOC) suite of Services.

The most widely known member of the suite is SOC 2® – SOC for Service Organizations: Trust Services Criteria. But you also have SOC 1, SOC 3, SOC for Cybersecurity, SOC for Supply Chain, SOC for Steak…whoops, I made that one up because I’m hungry as I write this. But the others are real.

Who runs the SOC suite

But what sets the SOC suite apart is that it’s not governed by engineers or scientists or academics.

It’s governed by CPAs.

And for once I’m not talking about content-proposal-analysis experts.

I’m talking about the AICPA, or the Association of International Certified Professional Accountants.

Which begs the question: why are a bunch of bean counters defining compliance frameworks for cybersecurity?

Why CPAs run the SOC suite

Ask Schneider Downs. As an accounting firm, they may have an obvious bias regarding this question. But their answers are convincing.

  • “CPAs are subject matter experts in risk management.” You see, my reference above to “bean counters” was derogatory and simplistic. Accountants need to understand financial data and the underlying risks, including vulnerabilities in cash flow, debt, and revenue. For example, if you’ve ever talked to a CxO, you know that revenue is never guaranteed.
  • “It was a natural progression to go from auditing against financial risk to auditing against cybersecurity risk.” Now this may seem odd on the surface, because you wouldn’t think mad Excel skills will help you detect deepfakes. But ignore the tools for a moment and look at a higher level. Because of their risk management expertise, they can apply that knowledge to other types of risk, including non-financial ones. As Schneider Downs goes on to say…
  • “CPAs understand internal control concepts and the appropriate evidence required to support the operating effectiveness of controls.” You need financial controls at your company. You aren’t going to let the summer intern sign multi-million dollar checks. In the same way you need to identify and evaluate the internal controls related to the Trust Services Criteria (TSC) associated with SOC 2: security, availability, processing integrity, confidentiality, and privacy.

So that’s why the accountants are running your SOC 2 audit.

And don’t try to cheat when you pay them for the audit.

And one more thing

A few of you may have detected that the phrase “SOC it to me” is derived from a popular catchphrase from the old TV show Rowan & Martin’s Laugh-In.

A phrase that EVERYBODY said.

(Wildebeest accountants from Imagen 3)

TMA (Too Many Acronyms): DPI vs. DPI

I recently wrote a post that concluded as follows:

By the way, when talking about digital images, Adobe notes that the correct term is pixels per inch, not dots per inch. DPI specifically refers to printer resolution, which is appropriate when you’re printing a fingerprint card but not when you’re displaying an image on a screen.

It’s a safe bet that older readers of Biometric Update—those who used printers to print out fingerprint cards based upon captured digital images—are familiar with the DPI (dots per inch) acronym.

So perhaps those readers, like me, were confused by the title of a recent Biometric Update article, “DPI is the new ‘global tech bet’ and these are the five core motivations for adoption, researchers say.”

What happened to the paperless office? All the police agencies got rid of their file cabinets of cards, and now they’re supposed to adopt DPI again?

Well you know sometimes acronyms have two meanings.

In this case, DPI stands for digital public infrastructure, a key component of smart cities.

And those five core components are fiscal resilience, public services, economic development, national sovereignty, and competition and rent extraction.

Although you would think that SMART people could come up with a better term than rent EXTRACTION.

For more information on those core components, read the Biometric Update “DPI” article.

And no, I shouldn’t cast stones at acronym misuse, since I’m a self-identified CPA. You can’t account for hypocrisy.

More on Infant Biometrics

Since I recently shared some news on “Baby Steps Toward Order of Magnitude Increases in Fingerprint Resolution,” I figure I should share what Integrated Biometrics has to say on the matter.

In its article “The Science of Infant Biometrics: Are We Really There Yet?” Integrated Biometrics identifies three key components for success: capture, storage, and matching. Since the Bredemarket blog has previously discussed capture, I’ll quote a bit of what Integrated Biometrics has to say about it.

[I]nfant fingerprints have smaller ridge spacing (roughly 4-5 pixels compared to 9-10 in adults). Movement, skin peeling, and soft, malleable skin can also distort the fingerprint, making it difficult to capture accurate data.

Because of that size, the company cites studies that suggest a capture resolution of 3500 ppi and beyond may be necessary.

But that’s not the biggest of the three key components. The biggest one is matching, because even if you capture the best infant image, it’s of no use if it doesn’t correctly match (or not match) against adult images.

Luckily, we’re now at the point where we’re starting to get data for the same person at infant and (near) adult ages, so we can study the issue. Integrated Biometrics’ post contains more detail in the section “Can Today’s Algorithms Track Biometric Evolution from Infancy to Adulthood?” I’ll direct you there to read about it.

(Image from Freepik)

Another Take on NPEs and Security

I learned about the following story via the Identity Jedi, which leads me to my early and self-serving call to action:

If you’re interested in identity, The Identity Jedi Newsletter is a must-read. It’s packed with educational and insightful content. And if you would like to subscribe to the newsletter, please use my referral link: https://www.theidentityjedi.com/subscribe?ref=YoUVK0Uos1&_bhlid=7fecfad9eb7fd8bcdb529e945e11346b5897acdc I’m in the running to get an Identity Jedi mug. Thanks.

Enough self-serving content. Let’s get to what I learned about in the newsletter: namely, this article from CSO Online, “The urgent reality of machine identity security in 2025.”

As you know, I’ve been spending more and more time concentrating on identity issues when a person is not present. This is what the attribute-based access control folks refer to as “non-person entities” (NPEs).

In the article, CyberArk’s Scott Carter makes the following points:

  • Today there are many more machine identities than human ones.
  • They may have a short shelf life. Unlike humans, who usually access your systems for months or years if not decades, machine identities may be “created and discarded dynamically in minutes.” (Incidentally, I just wrote a LinkedIn article that delves into this in more detail.)
  • These identities are being breached. “Half of the surveyed organizations experienced security breaches tied to compromised machine identities within the past year.”

What does this mean?

Well, for CyberArk, it means that it endorses technologies such as automating certificate lifecycle management. And by the strangest coincidence, CyberArk offers a solution.

But for us, it means that we don’t only need automation, but we also need governing processes to ensure that ALL the people and NPEs that are accessing our systems are properly managed, quickly commissioned, and quickly decommissioned.
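As an added illustration of the governing process described above (example code written for this post, not from CyberArk or the CSO Online article), here is an audit over a constructed inventory of machine identities that flags the lifecycle gaps a governance process should catch: no accountable owner, credentials that never expire or have already expired, lifetimes beyond a rotation policy, and identities nobody has used recently that are candidates for decommissioning. The policy thresholds and the sample inventory are assumptions for this example.

```python
"""Audit a machine-identity (NPE) inventory for lifecycle-governance gaps."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Policy thresholds: assumed values for this example, not from any standard.
MAX_LIFETIME_DAYS = 90      # credentials older than this should have been rotated
EXPIRY_WARNING_DAYS = 14    # flag credentials that expire within this window
STALE_UNUSED_DAYS = 30      # unused this long -> decommission candidate


@dataclass
class MachineIdentity:
    name: str
    kind: str                       # e.g. "tls-cert", "service-account", "api-key"
    owner: Optional[str]            # human or team accountable for the identity
    issued: datetime
    expires: Optional[datetime]     # None = never expires (a finding in itself)
    last_used: Optional[datetime]   # None = never used since issuance


def audit_identity(ident: MachineIdentity, now: datetime) -> List[str]:
    """Return the governance findings for one identity (empty list = clean)."""
    findings = []
    if not ident.owner:
        findings.append("no accountable owner")
    if ident.expires is None:
        findings.append("never expires")
    elif ident.expires <= now:
        findings.append("expired but still in inventory")
    elif ident.expires - now <= timedelta(days=EXPIRY_WARNING_DAYS):
        findings.append("expires within %d days" % EXPIRY_WARNING_DAYS)
    if now - ident.issued > timedelta(days=MAX_LIFETIME_DAYS):
        findings.append("exceeds %d-day maximum lifetime" % MAX_LIFETIME_DAYS)
    # A credential never used since issuance is judged from its issue date.
    last = ident.last_used or ident.issued
    if now - last > timedelta(days=STALE_UNUSED_DAYS):
        findings.append("unused for over %d days (decommission candidate)" % STALE_UNUSED_DAYS)
    return findings


def audit_inventory(inventory: List[MachineIdentity], now: datetime) -> dict:
    """Map each identity name to its findings, omitting clean identities."""
    report = {}
    for ident in inventory:
        findings = audit_identity(ident, now)
        if findings:
            report[ident.name] = findings
    return report


NOW = datetime(2025, 4, 1, tzinfo=timezone.utc)


def days_ago(days: int) -> datetime:
    return NOW - timedelta(days=days)


# Constructed sample inventory (hypothetical names, not real identities).
SAMPLE_INVENTORY = [
    MachineIdentity("ci-runner-07", "tls-cert", "platform-team", days_ago(2), NOW + timedelta(days=28), days_ago(0)),
    MachineIdentity("legacy-batch-svc", "service-account", None, days_ago(400), None, days_ago(45)),
    MachineIdentity("payments-gw", "tls-cert", "payments", days_ago(80), NOW + timedelta(days=10), days_ago(1)),
    MachineIdentity("old-reporting-key", "api-key", "finance", days_ago(120), days_ago(5), days_ago(60)),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY, NOW).items():
        print(name + ": " + "; ".join(findings))
```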

(Image from Imagen 3. Yes, I’m falling into the habit of reusing images for multiple use cases. It’s easier that way.)

Jobseekers and Know Your (Fill in the Blank)

I’ve noticed that my LinkedIn posts on jobseeking perform much better than my LinkedIn posts on the technical intricacies of multifactor identity verification.

But maybe I can achieve both mass appeal and niche engagement.

Private Equity Talent Hunt and Emma Emily

A year ago I reposted something on LinkedIn about a firm called Private Equity Talent Hunt (among other names). As Shelly Jones originally explained, their business model is to approach a jobseeker about an opportunity, ask for a copy of the jobseeker’s resume, and then spring the bad news that the resume is not “ATS friendly” but can be fixed…for a fee.

The repost has garnered over 20,000 impressions and over 200 comments—high numbers for me. 

It looks like a lot of people are encountering Jennifer Cona, Elizabeth Vardaman, Sarah Williams, Jessica Raymond, Emily Newman, Emma Emily (really), and who knows how many other recruiters…

…who say they work at Private Equity Talent Hunt, Private Equity Recruiting Firm, Private Equity Talent Seek, and who knows how many other firms.

If only there were a way to know if you’re communicating with a real person, at a real business.

Actually, there is.

Know Your Customer and Business

As financial institutions and other businesses have known for years, there are services such as “Know Your Customer” and “Know Your Business” that organizations can use. 

KYC and KYB let companies make sure they’re dealing with real people, and that the business is legitimate and not a front for another company—or for a drug cartel or terrorist organization.

So if a company is approached by Emma Emily at Private Equity Talent Hunt, what do they need to do?

The first step is to determine whether Emma Emily is a real person and not a synthetic identity. You can use a captured facial image, analyzed by liveness detection, coupled with a valid government ID, and possibly supported by home ownership information, utility bills, and other documentation.

If there is no Emma Emily, you can stop there.

But if Emma Emily is a real person, you can check her credentials. Where is she employed today? Where was she employed before? What are her post-secondary degrees? What does her LinkedIn profile say? If her previous job was as a jewelry designer and her Oxford degree was in nuclear engineering, Emma Emily sounds risky.

And you can also check the business itself, such as Private Equity Talent Hunt. Check their website, business license, LinkedIn profile, and everything else about the firm.

But I’m not a business!

OK, I admit there’s an issue here.

There are over 100 businesses that provide identity verification services, and many of them provide KYC and KYB.

To other businesses.

Very few people purchase KYC and KYB per se for personal use.

So you have to improvise.

Ask Emma Emily some tough questions.

Ask her about the track record of her employer.

And if Emma Emily claims to be a recruiter for a well-known company like Amazon, ask for her corporate email address.

(Image from Microsoft Copilot)

TikTok Uncertainty…Again

Celina Moreno is the CEO and Co-Founder of Luna Marketing Services. And I always forget her name, so when I see her in Luna Marketing Services’ Instagram videos, I always call her “Luna.”

But she’s not only a video creator.

Today Moreno wrote a post on something that many social media people are thinking about right now: “How To Survive Your Second TikTok Ban.”

You remember the first TikTok ban, which had the same outcome as your usual “fights” between cable/satellite providers and content channels. Everyone gets all excited, but then they all kiss and make up.

Except with TikTok, we have to go through it all over again. And maybe again after that.

I’m not going to steal Luna’s…I mean Moreno’s post, but I do want to quote a brief excerpt.

We are now not in the hands of the Supreme Court or the legal system. We are in the hands of the current administration, a potential deal, and fate….

Unlike January’s drawn-out drama after the Supreme Court ruling upholding the ban, nothing is certain yet, but the pressure is mounting. For many, this feels like a countdown to an uncertain future.

April 5th might not be doomsday—but it could be the day the countdown gets real. There are still a lot of unknowns.

Read the rest here.

And if anyone finds any certainty, let me know. Yes, I know about death and taxes, but the IRS has been DOGEd.

The Chinese Version: How to Recognize People From Quite a Long Way Away

Remember in January when OpenAI announced some great achievement, and then a few days later we learned that the Chinese firm DeepSeek could boast the same performance, only much better?

These Chinese leapfrogs don’t only happen in artificial intelligence.

One kilometer facial capture

In February, I wrote about something that I initially heard of via Biometric Update. My post, “How to Recognize People From Quite a Long Way Away,” told of an effort at Heriot-Watt University in Edinburgh, Scotland in which the researchers used light detection and ranging (LiDAR) to capture and evaluate faces from as far as a kilometer away.

In normal circumstances, we capture faces from a distance of mere meters. So one kilometer facial capture is impressive.

Or is it?

One hundred kilometer facial capture

Some Chinese researchers replied, “Hold my Tsingtao,” according to a Chinese Journal of Lasers paper (in Chinese) that was reported on by Live Science (in English). (And again, I learned of this via Biometric Update.)

Scientists in China have created a satellite with laser-imaging technology powerful enough to capture human facial details from more than 60 miles (100 kilometers) away….

According to the South China Morning Post, the scientists conducted a test across Qinghai Lake in the northwest of the country with a new system based on synthetic aperture lidar (SAL), a type of laser radar capable of constructing two-dimensional or three-dimensional images.

Qinghai Lake, from Google Maps.

Writers will note that the acronym SAL incorporates the L from the acronym LiDAR. This is APO, or acronym piling on.

Since I cannot read the original report, I don’t know if the researchers actually performed tests with actual faces. But supposedly SAL “detected details as small as 0.07 inches (1.7 millimeters),” based in part upon the benefits of its technology:

[T]his new system operates at optical wavelengths, which have much shorter wavelengths than microwaves and produce clearer images (though microwaves are better for penetrating into materials, because their longer wavelengths aren’t scattered or absorbed as easily).

All the cited articles make a big deal about the 100 kilometer distance’s equivalence to the boundaries of space. But before you get too excited, remember that a space-hosted SAL will be ABOVE any human subjects, and therefore will NOT capture the face at an optimal angle…

Can you identify Bart Everson’s face from this picture? For all I know it could be Moby. CC-BY-2.0, https://www.flickr.com/photos/editor/158206278.

…unless you’re lying on the beach sunbathing and therefore facing TOWARD space where all the Chinese satellites can see you.

Oh, and one more thing. The Chinese tests were conducted in optimal weather conditions, and obviously you can’t get the same results in bad weather.

But in the ideal conditions, perhaps you CAN be identified remotely.

(Snowman from Imagen 3)