Looks complete to you, doesn’t it? Well, it isn’t. To, um, identify the missing bit of information that is both PII and PHI, take a look at this LinkedIn post from Jack Appleby. (Thanks to packaging expert Mark Wilson for bringing this post to my attention.)
“A dream brand just sent me a gift package & invite… but they broke the two most important rules of influencer gifting…
“The package was a ridiculously cool collab hoodie + an invite to an event I’ve wanted to go to since I was just a little kid… but the hoodie is a medium… and I’m an XL… and my name was spelled wrong on the invitation.”
And no, I’m not talking about Jack Appleby’s name.
I’M TALKING ABOUT HIS HOODIE SIZE.
And yes, hoodie size in combination with other information is both PII (personally identifiable information) and PHI (protected health information). If your hoodie size is XXL, but your height is only 5’1”…that has some health implications.
Yet at the same time it’s also vital business information. It’s collected from prospects and new employees at trade shows and during employee onboarding. And as Appleby’s example shows, there are potentially severe consequences if you get it wrong.
But does your favorite compliance framework include specific and explicit clauses addressing hoodie size? I bet it doesn’t. And that could be a huge privacy hole.
(The hoodie in my selfie is from my 2022-2023 employer. And yes I still wear it. But I got rid of my IDEMIA, MorphoTrak, Motorola, and Printrak attire.)
The most widely known member of the suite is SOC 2® – SOC for Service Organizations: Trust Services Criteria. But you also have SOC 1, SOC 3, SOC for Cybersecurity, SOC for Supply Chain, SOC for Steak…whoops, I made that one up because I’m hungry as I write this. But the others are real.
Who runs the SOC suite
But the difference about the SOC suite is that it’s not governed by engineers or scientists or academics.
I’m talking about the AICPA, or the Association of International Certified Professional Accountants.
Which begs the question: why are a bunch of bean counters defining compliance frameworks for cybersecurity?
Why CPAs run the SOC suite
Ask Schneider Downs. As an accounting firm, they may have an obvious bias regarding this question. But their answers are convincing.
“CPAs are subject matter experts in risk management.” You see, my reference above to “bean counters” was derogatory and simplistic. Accounts need to understand financial data and the underlying risks, including vulnerabilities in cash flow, debt, and revenue. For example, if you’ve ever talked to a CxO, you know that revenue is never guaranteed.
“It was a natural progression to go from auditing against financial risk to auditing against cybersecurity risk.” Now this may seem odd on the surface, because you wouldn’t think mad Excel skills will help you detect deepfakes. But ignore the tools for a moment and look at a higher levels. Because of their risk management expertise, they can apply that knowledge to other types of risk, including non-financial ones. As Schneider Downs goes on to say…
“CPAs understand internal control concepts and the appropriate evidence required to support the operating effectiveness of controls.” You need financial controls at your company. You aren’t going to let the summer intern sign multi-million dollar checks. In the same way you need to identify and evaluate the internal controls related to the Trust Services Criteria (TSC) associated with SOC 2: security, availability, processing integrity, confidentiality, and privacy.
So that’s why the accountants are running your SOC 2 audit.
And don’t try to cheat when you pay them for the audit.
And one more thing
A few of you may have detected that the phrase “SOC it to me” is derived from a popular catchphrase from the old TV show Rowan & Martin’s Laugh-In.
By the way, when talking about digital images, Adobe notes that the correct term is pixels per inch, not dots per inch. DPI specifically refers to printer resolution, which is appropriate when you’re printing a fingerprint card but not when you’re displaying an image on a screen.
It’s a safe bet that older readers of Biometric Update—those who used printers to print out fingerprint cards based upon captured digital images—are familiar with the DPI (dots per inch) acronym.
In this case, DPI stands for digital public infrastructure, a key component of smart cities.
And those five core components are fiscal resilience, public services, economic development, national sovereignty, and competition and rent extraction.
Although you would think that SMART people could come up with a better term than rent EXTRACTION.
In its article “The Science of Infant Biometrics: Are We Really There Yet?” Integrated Biometrics identifies three key components for success: capture, storage, and matching. Since the Bredemarket blog has previously discussed capture, I’ll quote a bit of what Integrated Biometrics has to say about it.
[I]nfant fingerprints have smaller ridge spacing (roughly) 4-5 pixels compared to 9-10 in adults). Movement, skin peeling, and soft, malleable skin can also distort the fingerprint, making it difficult to capture accurate data.
Because of that size, the company cites studies that suggest a capture resolution of 3500 ppi and beyond may be necessary.
But that’s not the biggest of the three key components. The biggest one is matching, because even if you capture the best infant image, it’s of no use if it doesn’t correctly match (or not match) against adult images.
Luckily, we’re now at the point where we’re starting to get data for the same person at infant and (near) adult ages, so we can study the issue. Integrated Biometrics’ post contains more detail in the section “Can Today’s Algorithms Track Biometric Evolution from Infancy to Adulthood?” I’ll direct you there to read about it.
As you know, I’ve been spending more and more time concentrating on identity issues when a person is not present. This is what the attribute-based access control folks refer to as “non-person entities” (NPEs).
In the article, CyberArk’s Scott Carter makes the following points:
Today there are many more machine identities than human ones.
They may have a short shelf life. Unlike humans, who usually access your systems for months or years if not decades, machine identities may be “created and discarded dynamically in minutes.” (Incidentally, I just wrote a LinkedIn article that delves into this in more detail.)
These identities are being breached. “Half of the surveyed organizations experienced security breaches tied to compromised machine identities within the past year.”
What does this mean?
Well, for CyberArk, it means that it endorses technologies such as automating certificate lifecycle management. And by the strangest coincidence, CyberArk offers a solution…
But for us, it means that we don’t only need automation, but we also need governing processes to ensure that ALL the people and NPEs that are accessing our systems are properly managed, quickly commissioned, and quickly decommissioned.
(Image from Imagen 3. Yes, I’m falling into the habit of reusing images for multiple use cases. It’s easier that way.)
I’ve noticed that my LinkedIn posts on jobseeking perform much better than my LinkedIn posts on the technical intricacies of multifactor identity verification.
But maybe I can achieve both mass appeal and niche engagement.
Private Equity Talent Hunt and Emma Emily
A year ago I reposted something on LinkedIn about a firm called Private Equity Talent Hunt (among other names). As Shelly Jones originally explained, their business model is to approach a jobseeker about an opportunity, ask for a copy of the jobseeker’s resume, and then spring the bad news that the resume is not “ATS friendly” but can be fixed…for a fee.
The repost has garnered over 20,000 impressions and over 200 comments—high numbers for me.
It looks like a lot of people are encountering Jennifer Cona, Elizabeth Vardaman, Sarah Williams, Jessica Raymond, Emily Newman, Emma Emily (really), and who knows how many other recruiters…
…who say they work at Private Equity Talent Hunt, Private Equity Recruiting Firm, Private Equity Talent Seek, and who knows how many other firms.
If only there were a way to know if you’re communicating with a real person, at a real business.
KYC and KYB let companies make sure they’re dealing with real people, and that the business is legitimate and not a front for another company—or for a drug cartel or terrorist organization.
So if a company is approached by Emma Emily at Private Equity Talent Hunt, what do they need to do?
The first step is to determine whether Emma Emily is a real person and not a synthetic identity. You can use a captured facial image, analyzed by liveness detection, coupled with a valid government ID, and possibly supported by home ownership information, utility bills, and other documentation.
If there is no Emma Emily, you can stop there.
But if Emma Emily is a real person, you can check her credentials. Where is she employed today? Where was she employed before? What are her post secondary degrees? What does her LinkedIn profile say? If her previous job was as a jewelry designer and her Oxford degree was in nuclear engineering, Emma Emily sounds risky.
And you can also check the business itself, such as Private Equity Talent Hunt. Check their website, business license, LinkedIn profile, and everything else about the firm.
But I’m not a business!
OK, I admit there’s an issue here.
There are over 100 businesses that provide identity verification services, and many of them provide KYC and KYB.
To other businesses.
Very few people purchase KYC and KYB per se for personal use.
So you have to improvise.
Ask Emma Emily some tough questions.
Ask her about the track record of her employer.
And if Emma Emily claims to be a recruiter for a well-known company like Amazon, ask for her corporate email address.
Celina Moreno is the CEO and Co-Founder of Luna Marketing Services. And I always forget her name, so when I see her in Luna Marketing Services’ Instagram videos, I always call her “Luna.”
You remember the first TikTok ban, which had the same outcome as your usual “fights” between cable/satellite providers and content channels. Everyone gets all excited, but then they all kiss and make up.
Except with TikTok, we have to go through it all over again. And maybe again after that.
I’m not going to steal Luna’s…I mean Moreno’s post, but I do want to quote a brief excerpt.
We are now not in the hands of the Supreme Court or the legal system. We are in the hands of the current administration, a potential deal, and fate….
Unlike January’s drawn-out drama after the Supreme Court ruling upholding the ban, nothing is certain yet, but the pressure is mounting. For many, this feels like a countdown to an uncertain future.
April 5th might not be doomsday—but it could be the day the countdown gets real. There are still a lot of unknowns.
Remember in January when OpenAI announced some great achievement, and then a few days later we learned that the Chinese firm DeepSeek could boast the same performance, only much better?
These Chinese leapfrogs don’t only happen in artificial intelligence.
One kilometer facial capture
In February, I wrote about something that I initially heard of via Biometric Update. My post, “How to Recognize People From Quite a Long Way Away,” told of an effort at Heriot-Watt University in Edinburgh, Scotland in which the researchers used light detection and ranging (LiDAR) to capture and evaluate faces from as far as a kilometer away.
In normal circumstances, we capture faces from a distance of mere meters. So one kilometer facial capture is impressive.
Scientists in China have created a satellite with laser-imaging technology powerful enough to capture human facial details from more than 60 miles (100 kilometers) away….
According to the South China Morning Post, the scientists conducted a test across Qinghai Lake in the northwest of the country with a new system based on synthetic aperture lidar (SAL), a type of laser radar capable of constructing two-dimensional or three-dimensional images.
Qinghai Lake, from Google Maps.
Writers will note that the acronym SAL incorporates the L from the acronym LiDAR. This is APO, or acronym piling on.
Since I cannot read the original report, I don’t know if the researchers actually performed tests with actual faces. But supposedly SAL “detected details as small as 0.07 inches (1.7 millimeters),” based in part upon the benefits of its technology:
[T]his new system operates at optical wavelengths, which have much shorter wavelengths than microwaves and produce clearer images (though microwaves are better for penetrating into materials, because their longer wavelengths aren’t scattered or absorbed as easily).
All the cited articles make a big deal about the 100 kilometer distance’s equivalence to the boundaries of space. But before you get too excited, remember that a space-hosted SAL will be ABOVE any human subjects, and therefore will NOT capture the face at an optimal angle…
I’m admittedly fascinated by the parallels between people and non-person entities (NPEs), to the point where I asked at one point whether NPEs can use the factors of authentication. (All six. Long story.)
When I got to the “something you are” factor, which corresponds to biometrics in humans, here is what I wrote:
Something you are. For simplicity’s sake, I’ll stick to physical objects here, ranging from pocket calculators to hand-made ceramic plates. The major reason that we like to use “something you are” as a factor is the promise of uniqueness. We believe that fingerprints are unique (well, most of us), and that irises are unique, and that DNA is unique except for identical twins. But is a pocket calculator truly unique, given that the same assembly line manufactures many pocket calculators? Perhaps ceramic plates exhibit uniqueness, perhaps not.
But I missed one thing in that discussion, so I wanted to revisit it.
Understanding IMEI Numbers
Now this doesn’t apply to ceramic plates or pocket calculators, but there are some NPEs that assert uniqueness.
Our smartphones, each of which has an International Mobile Equipment Identity (IMEI) number.
IMEI stands for International Mobile Equipment Identity. It’s a unique identifier for mobile devices, much like a fingerprint for your phone’s IMEI number.
Now some of you who are familiar with biometrics are saying, “Hold it right there.”
Can someone assert that there has NEVER been two people with the same fingerprint in all of human history?
But let’s stick to phones, Johnny.
Each IMEI number is a 15-digit code that’s assigned to every mobile phone during its production. This number helps in uniquely identifying a device regardless of the SIM card used.
This is an important point here. Even Americans understand that SIM cards are transient and can move from one phone to another, and therefore are not valid to uniquely identify phones.
What about IMEIs?
Are IMEIs unique?
I won’t go into the specifics of the 15-digit IMEI number format, which you can read about here. Suffice it to say that the format dictates that the number incorporate the make and model, a serial number, and a check digit.
Therefore smartphones with different makes and models cannot have the same IMEI number by definition.
And even within the make and model, by definition no two phones can have the same serial number.
Why not? Because everyone says so.
It’s even part of the law.
Changing an IMEI number is illegal in many countries due to the potential misuse, such as using a stolen phone. Tampering with the IMEI can lead to severe legal consequences, including fines and imprisonment. This regulation helps in maintaining the integrity of mobile device tracking and discourages the theft and illegal resale of devices.
IMEIs in India
To all of the evidence above about the uniqueness of IMEI numbers, I only have two words:
So what?
A dedicated person can create or modify multiple smartphones to have the exact same IMEI number if desired. Here’s a recent example:
The Indore Police Crime Branch has dismantled two major digital arrest fraud rackets operating in different parts of the country, seizing a massive database containing private details of 20,000 pensioners in Indore….
A dark room in the flat functioned as the nerve centre of the cyber fraud operation, which had been active since 2019. The group specialised in IMEI cloning and used thousands of SIM cards from select mobile networks.
IMEIs in Canada
“Oh, but that’s India,” you say. “That couldn’t happen in a First World country.”
A Calgary senior is warning others after he was scammed out of $1,000 after buying what he thought was a new iPhone 15 Pro Max.
“I didn’t have any doubt that it was real,” Boyd told Global News….
The seller even provided him with the “original” receipt showing the phone had been purchased down east back in October 2023. Boyd said he also checked the phone’s serial number and the International Mobile Equipment Identity (IMEI). All checked out fine.
Boyd said the first sign of a problem was when he tried to update the phone with his own information and it wouldn’t update. It was only after he took it to a representative at a local Apple retailer, that he realized he had been duped.
IMEIs in general
Even IMEICheck.net, which notes that the threat of stealing one’s phone information is overrated, admits that it is possible (albeit difficult) to clone an IMEI number.
In theory, hackers can clone a phone using its IMEI, but this requires significant effort. They need physical access to the device or SIM card to extract data, typically using specialized tools.
The cloning process involves copying the IMEI and other credentials necessary to create a functional duplicate of the phone. However, IMEI number security features in modern devices are designed to prevent unauthorized cloning. Even if cloning is successful, hackers cannot access personal data such as apps, messages, photos, or passwords. Cloning usually only affects network-related functions, such as making calls or sending messages from the cloned device.
Again, NOTHING provides 100.00000% security. Not even an IMEI number.
What this means for IMEI uniqueness claims
So if you are claiming uniqueness of your smartphone’s IMEI, be aware that there are proven examples to the contrary.
Perhaps the shortcomings of IMEI uniqueness don’t matter in your case, and using IMEIs for individualization is “good enough.”
(Imagen 3 image. Oddly enough, Google Gemini was unable, or unwilling, to generate an image of three smartphones displaying the exact same 15-digit string of numbers, or even a 2-digit string. I guess Google thought I was a fraudster.)
Regarding facial recognition, I wrote this in a social media conversation earlier today:
“Facial recognition CAN be used as a crowd checking tool…with proper governance, including strict adherence to a policy of only using FR as an investigative lead, and requiring review of potential criminal matches by a forensic face investigator. Even then, investigative lead ONLY. Same with DNA.”
I received this reply:
“It’s true but in my experience cops rarely follow any rules.”
Now I could have claimed that this view was exaggerated, but there are enough examples of cops who DON’T follow the rules to tarnish all of them.
“The complaint alleges that the surveillance footage is poorly lit, the shoplifter never looks directly into the camera and still a Detroit Police Department detective ran a grainy photo made from the footage through the facial recognition technology.”
There’s so much that isn’t said here, such as whether a forensic face examiner made a definitive conclusion, or if the detective just took the first candidate from the list and ran with it.
But I am willing to bet that there was no independent evidence placing Williams at the shop location.
Why this matters
The thing that concerns me about all this? It just provides ammo to the people who want to ban facial recognition entirely.
Bredemarket 