Companies always strive to obtain some sort of recognition. I tried to do the same for Bredemarket, but my effort got derailed into a common local Inland Empire joke.
Aware’s biometric blog recognition
So what recognition did I want to receive? The same recognition that noted biometric company Aware received in 2020.
The Best Biometrics Blogs from thousands of Biometrics blogs on the web using search and social metrics. Subscribe to these websites because they are actively working to educate, inspire, and empower their readers with frequent updates and high-quality information.
Not that I necessarily consider myself equal to Aware or some of the other noted companies on the current list, but as the self-acknowledged identity/biometric blog expert, with hundreds of identity posts over the last three years, I figured I had a shot of making the list. The benefit to me, of course, is that if I made the list, I had a better chance of securing identity blog post writing clients and other clients.
So far I haven’t made the biometric blogs list.
But I did make another list.
Which is somewhat problematic.
Ontario blogs? True.
You see, earlier this morning I received an email that stated the following.
I would like to personally congratulate you as your blog Bredemarket Blog has been selected by our panelist as one of the Top 45 Ontario Bloggers on the web.
I personally give you a high-five and want to thank you for your contribution to this world. This is the most comprehensive list of Top 45 Ontario Bloggers on the internet and I’m honored to have you as part of this!
We’d be grateful if you can help us spread the word by briefly mentioning about the Top 45 Ontario Bloggers list in any of your upcoming post.
Yup. The people who created the feed think that I’m in CANADA.
But if you think my listing is messed up, take a look at the number 1 listing, for the official news site for the Government of Ontario. This IS a Canadian website, as evidenced by its URL of https://news.ontario.ca/newsroom/en, and the fact that it discusses people like Doug Ford. But take a real close look at the logo at the left of the listing.
And our websites down here don’t offer French as one of the two main languages.
If you live in Canada, don’t read this section
But at least the Bredemarket blog is listed SOMEWHERE, because I help a lot of U.S. companies (sorry, no Canadian companies) create the words they need to drive awareness and eventually revenue. Services such as the Bredemarket 400 Short Writing Service let Bredemarket collaborate with you to create the text your firm needs.
If you are reading this on your laptop (or your desktop), point your smartphone to the QR code on your laptop (or desktop) screen to read my first e-book, “Six Questions Your Content Creator Should Ask You.”
(UPDATE OCTOBER 22, 2023: “SIX QUESTIONS YOUR CONTENT CREATOR SHOULD ASK YOU IS SO 2022. DOWNLOAD THE NEWER “SEVEN QUESTIONS YOUR CONTENT CREATOR SHOULD ASK YOU” HERE.)
As I said before, QR codes are sometimes useful, and sometimes not.
If you want to know the “why” about the e-book-see what I did there?-visit my announcement of the e-book. You can view the e-book there also.
By the way, I just checked my WordPress stats. Since this e-book was published in December 2022, it’s been downloaded over 160 times. I hope it’s helping people.
Gambling is becoming acceptable in more and more places.
When I was young, and even when I got older, the idea of locating a pro sports team in Las Vegas, Nevada was unthinkable. In the last few years, that has changed dramatically.
The Roblox “Robux” gambing lawsuit
Well, now that gambling for adults has become more and more acceptable (although adults in my home state of California still can’t gamble by phone), now attention is focusing on child gambling.
In a new class action lawsuit filed in the Northern District of California this week, two parents accuse Roblox of illegally facilitating child gambling.
While gambling is not allowed on the platform, which hosts millions of virtual games that cater to children and teens, the lawsuit points to third-party gambling sites that invite users to play blackjack, slots, roulette and other games of chance using Roblox’s in-game currency.
But the gambling sites’ terms of service prohibit underage gambling!
I’m not going to concentrate on Roblox here, but on the other defendants—the ones who actually operate the sites that allegedly allow child gambling.
The lawsuit specifically names RBXFlip, Bloxflip and RBLXWild as participants in “an illegal gambling operation that is preying on children nationwide.”
But according to Bloxflip’s Terms of Service, it’s impossible that children can be using the site, because the Terms of Service prohibit this.
By accessing Bloxflip or using the Services, you accept and agree to our website policies, including these Terms of Service, and you certify to us that (i) you are eighteen (18) years of age or older, and are at least the age of majority in your jurisdiction, (ii) you are not a resident of Washington, (iii) you have the legal capacity to enter into and agree to these Terms of Service, (iv) you are using the Services freely, voluntarily, willingly, and for your own personal enjoyment, and (v) you will only provide accurate and complete information to us and promptly update this information as necessary to maintain its accuracy and completeness.
However, stating a minimum age in your TOS is even less effective than other common age verification methods, such as
Asking your customer to check a box to say that they are over 18 years old.
Asking your customer to type in their birthday.
Requiring your customer to read a detailed description of IRA/401(k) funding strategies and the medical need for colonoscopies. (This would be more effective than the first two methods.)
A better way to verify and estimate ages
As more and more companies are realizing, however, there are other ways to measure customer ages, including a comparison of a live face with a government-issued identification card (driver’s license or passport), or the use of “age estimation” software to ensure that a 12 year old isn’t gambling. (And don’t forget that NIST will test age estimation software as part of its FATE testing.)
Even when the kids aren’t gambling legal currency.
(D)igital security engineers at the University of Wisconsin–Madison have found these systems are not quite as foolproof when it comes to a novel analog attack. They found that speaking through customized PVC pipes — the type found at most hardware stores — can trick machine learning algorithms that support automatic speaker identification systems.
The project began when the team began probing automatic speaker identification systems for weaknesses. When they spoke clearly, the models behaved as advertised. But when they spoke through their hands or talked into a box instead of speaking clearly, the models did not behave as expected.
(Shimaa) Ahmed investigated whether it was possible to alter the resonance, or specific frequency vibrations, of a voice to defeat the security system. Because her work began while she was stuck at home due to COVID-19, Ahmed began by speaking through paper towel tubes to test the idea. Later, after returning to the lab, the group hired Yash Wani, then an undergraduate and now a PhD student, to help modify PVC pipes at the UW Makerspace. Using various diameters of pipe purchased at a local hardware store, Ahmed, Yani and their team altered the length and diameter of the pipes until they could produce the same resonance as they voice they were attempting to imitate.
Eventually, the team developed an algorithm that can calculate the PVC pipe dimensions needed to transform the resonance of almost any voice to imitate another. In fact, the researchers successfully fooled the security systems with the PVC tube attack 60 percent of the time in a test set of 91 voices, while unaltered human impersonators were able to fool the systems only 6 percent of the time.
We evaluate two state-of-the-art ASI models: (1) the x-vector network [51] implemented by Shamsabadi et al. [45], and (2) the emphasized channel attention, propagation and aggregation time delay neural network (ECAPATDNN) [17], implemented by SpeechBrain.1 Both models were trained on VoxCeleb dataset [15, 36, 37], a benchmark dataset for ASI. The x-vector network is trained on 250 speakers using 8 kHz sampling rate. ECAPA-TDNN is trained on 7205 speakers using 16 kHz sampling rate. Both models report a test accuracy within 98-99%.
So what we know is that this test, which used these two ASI models trained on a particular dataset, demonstrated an ability to fool systems 60 percent of the time.
But…
What does this mean for other ASI algorithms, including the commercial algorithms in use today?
And what does it mean when other datasets are used?
In other words (and I’m adapting my own text here), how do the results of this study affect “current automatic speaker identification products”?
The answer is “We don’t know.”
So pipe down…until we actually test commercial algorithms for this technique.
But I’m sure that the UW-Madison researchers and I agree on one thing: more research is needed.
I and countless others have spent the last several years referring to the National Institute of Standards and Technology’s Face Recognition Vendor Test, or FRVT. I guess some people have spent almost a quarter century referring to FRVT, because the term has been in use since 1999.
Starting now, you’re not supposed to use the FRVT acronym any more.
To bring clarity to our testing scope and goals, what was formerly known as FRVT has been rebranded and split into FRTE (Face Recognition Technology Evaluation) and FATE (Face Analysis Technology Evaluation). Tracks that involve the processing and analysis of images will run under the FATE activity, and tracks that pertain to identity verification will run under FRTE. All existing participation and submission procedures remain unchanged.
The change actually makes sense, since tasks such as age estimation and presentation attack detection (liveness detection) do not directly relate to the identification of individuals.
Us old folks just have to get used to the change.
I just hope that the new “FATE” acronym doesn’t mean that some algorithms are destined to perform better than others.
Victoria Gardens, Rancho Cucamonga, California, August 12, 2023.
Can someone pretend to be you if they have no idea who you are?
It’s been a couple of weeks since I last addressed Worldcoin’s activities, but a lot has happened in Kenya, and now in Argentina also. Here’s a succinct (I hope) update that looks beyond the blaring headlines to see what is REALLY happening.
And, at the end of this post, I address what COULD happen if a fraudster “cut off someone’s face, including gouging out their eyes, and then you draped it all over your own face.” Hey, you have to consider ALL the use cases.
According to the AAIP, an entity like Worldcoin must register with the AAIP, provide information about its data processing policy, and indicate the purpose for collecting sensitive data and the retention period for such data. Additionally, the agency requires details of the security and confidentiality measures applied to safeguard personal information. The AAIP did not confirm whether Worldcoin complies with the standards.
Worldcoin told CoinDesk in an emailed statement that “the project complies with all laws and regulations governing the processing of personal data in the markets where Worldcoin is available, including but not limited to Argentina’s Personal Data Protection Act 25.326.”
But what is this “personal data” that concerns Argentina so much?
The data that Worldcoin collects
Now a number of companies need to comply with local privacy regulations in numerous countries, and Worldcoin obviously must obey the law in the countries where it conducts business, including laws about personally identifiable information (PII). For illustration, here is an incomplete list of examples of PII, compiled by the University of Pittsburgh:
Name: full name, maiden name, mother’s maiden name, or alias
Personal identification numbers: social security number (SSN), passport number, driver’s license number, taxpayer identification number, patient identification number, financial account number, or credit card number
Personal address information: street address, or email address
Personal telephone numbers
Personal characteristics: photographic images (particularly of face or other identifying characteristics), fingerprints, or handwriting
Biometric data: retina scans, voice signatures, or facial geometry
Information identifying personally owned property: VIN number or title number
Asset information: Internet Protocol (IP) or Media Access Control (MAC) addresses that consistently link to a particular person
To my knowledge, Worldcoin acquires PII in two separate instances: when downloading the World App, and when registering at an Orb.
Data collected by the World App
First, Worldcoin collects data when you download the World App. The data that is collected by the iOS version of the World App includes a user ID, the user’s coarse location, a name, contacts, and a phone number. I’ll admit that the collection of contacts is a little odd, but let’s see what happens to that data later in the process.
Your biometric data is first processed locally on the Orb and then permanently deleted. The only data that remains is your iris code. This iris code is a set of numbers generated by the Orb and is not linked to your wallet or any of your personal information. As a result, it really tells us — and everyone else — nothing about you. All it does is stop you from being able to sign up again.
But what about the second use case, in which the user consents to have Worldcoin retain information (so that the user does not have to re-enroll if they get a new phone)?
Your biometric data is first processed locally on the Orb and then sent, via encrypted communication channels, to our distributed secure data stores, where it is encrypted at rest. Once it arrives, your biometric data is permanently deleted from the Orb.
Regardless of whether biometric data is retained or not, other PII isn’t even collected at the Orb:
Since you are not required to provide personal information like your name, email address, physical address or phone number, this means that you can easily sign up without us ever knowing anything about you.
“But John,” you’re saying, “names and phone numbers are not collected at the Orb, but names and phone numbers ARE collected by the World App. So how are the name, phone number, user ID, and ‘iris code’ linked together?” Let me reprint what Worldcoin says about the app:
Your Worldcoin App is your self-custodial wallet. That means, just like a physical wallet, that no banks, governments or corporations can do anything to it — like lose or freeze your money — you’re in complete control.
You also don’t need to enter any personal information to get or use the App. But even if you do, you can rest assured that, unlike others, we will never sell or try to profit from your personal information.
So apparently, while the World App asks for your name, it is not a mandatory field. I just confirmed this on my World App (which I enabled on May 16, without orb verification); the only identifying information that I could find was my phone number and my user ID.
And I’m assuming that if I were to enroll at an Orb, the iris code would be linked to my user ID.
Depending upon Worldcoin’s internal architecture:
It’s possible that the iris code could be linked to my phone number, either intentionally or unintentionally. But even if it is, an iris code in and of itself is useless outside of the Worldcoin ecosystem. In the same way that an Aware, IDEMIA, NEC, or Thales fingerprint template (not the fingerprint image) can’t be used to generate a full fingerprint image, a Worldcoin iris code can’t be used to generate a full iris image.
If I choose the “with data custody” option, my biometric images could be linked to my phone number. Again, they could be linked either intentionally or unintentionally. If such a linkage exists, then that IS a problem. If a user chooses to back up both their World App data and their Orb biometric image data with Worldcoin (and again, the user must CHOOSE to back up both sets of data), how does Worldcoin ensure that the two sets of data can’t be linked?
Presumably Argentina’s AAIP will investigate Worldcoin’s architecture to ensure that there are no financial identity threats.
Which leads us to Kenya.
Kenya and data protection laws
When we last visited Kenya and Worldcoin on August 2, the government had announced that “(r)elevant security, financial services and data protection agencies have commenced inquiries and investigations to establish the authenticity and legality of the aforesaid activities, the safety and protection of the data being harvested, and how the harvesters intend to use the data.”
Those investigations continue, Worldcoin’s Kenya offices have been raided, and Parliament is angry at the regulatory authorities…for not doing enough. The article that reports this states that the Data Protection Unit feels it is not responsible for investigating the “core business” of the registered companies, but Parliament feels otherwise.
The article also makes another interesting statement:
…the office failed to conduct background checks on the company, whose operations have been banned in both the United States of America (USA) and Germany.
Now what I CAN’T do is obtain some Worldcoin when I register my irises.
In addition, Worldcoin tokens (“WLD”) are not intended to be available for use, purchase, or access by US persons, including US citizens, residents, or persons in the United States, or companies incorporated, located, or resident in the United States, or who have a registered agent in the United States. We do not make WLD available to such US persons. Furthermore, you agree that you will not sell, transfer or make available WLD to US persons.
I continued on a darker vein: What if a criminal mastermind decided to cut out someone’s eyes, and use them to steal their identity?
The Orb engineer told me that it wouldn’t work. This Orb needs to see alive, blinking eyes, and a human face that is real attached to them. A picture of someone’s eyes won’t scan, robot eyes won’t scan, canine eyes won’t scan.
But then I got him.
If you cut off someone’s face, including gouging out their eyes, and then you draped it all over your own face, could you register as them with a Worldcoin scanner and steal their identity?
Yes.
Although he promised that the Worldcoin R&D team has not tested this particular edge case.
We often use the phrase “four-letter word” to refer to cuss words that shouldn’t be said in polite company. Occasionally, we have our own words that we personally consider to be four-letter words. (Such as “BIPA.”)
There are some times when we resign ourselves to the fact that “tech” can be a four-letter word also. But there’s actually a good reason for the problems we have with today’s technology.
Tech can be dim
Just this week I was doing something on my smartphone and my screen got really dim all of a sudden, with no explanation.
So I went to my phone’s settings, and my brightness setting was down at the lowest level.
For no reason.
“Any sufficiently advanced technology is indistinguishable from magic.”
So I increased my screen’s brightness, and everything was back to normal. Or so I thought.
A little while later, my screen got dim again, so I went to the brightness setting…and was told that my brightness was very high. (Could have fooled me.)
I can’t remember what I did next (because when you are trying to fix something you can NEVER remember what you did next), but later my screen brightness was fine.
Was Arthur C. Clarke right? And if so, WHY was he right?
Perhaps it’s selective memory, but I don’t recall having this many technology problems when I was younger.
The shift to multi-purpose devices
Part of the reason for the increasing complexity of technology is that we make fewer and fewer single-purpose devices, and are manufacturing more and more multi-purpose devices.
One example of the shift: if I want to write a letter today, I can write it on my smartphone. (Assuming the screen is bright enough.) This same smartphone can perform my banking activities, play games, keep track of Bredemarket’s earnings…oh, and make phone calls.
Technological convergence is a term that describes bringing previously unrelated technologies together, often in a single device. Smartphones might be the best possible example of such a convergence. Prior to the widespread adoption of smartphones, consumers generally relied on a collection of single-purpose devices. Some of these devices included telephones, wrist watches, digital cameras and global positioning system (GPS) navigators. Today, even low-end smartphones combine the functionality of all these separate devices, easily replacing them in a single device.
From a consumer perspective, technological convergence is often synonymous with innovation.
And the smartphone example certainly demonstrates innovation from the previous-generation single-purpose devices.
When I was a kid, if I wanted to write a letter, I had two choices:
I could set a piece of paper on the table and write the letter with a writing implement such as a pen or pencil.
I could roll a piece of paper into a typewriter and type the letter.
These were, for the most part, single purpose devices. Sure I could make a paper airplane out of the piece of paper, but I couldn’t use the typewriter to play a game or make a phone call.
Turning our attention to the typewriter, it certainly was a manufacturing marvel, and intricate precision was required to design the hammers that would hit the typewritter ribbon and leave their impressions on the piece of paper. And typewriters could break, and repairmen (back then they were mostly men) could fix them.
A smartphone is much more innovative than a smartphone. But it’s infinitely harder to figure out what is wrong with a smartphone.
The smartphone hardware alone is incredibly complex, with components from a multitude of manufacturers. Add the complexities of the operating system and all the different types of software that are loaded on a smartphone, and a single problem could result from a myriad of causes.
No wonder it seems like magic, even for the best of us.
Explaining technology
But this complexity has provided a number of jobs:
The helpful person at your cellular service provider who has acquired just enough information to recognize and fix an errant application.
The many people in call centers (the legitimate call centers, not the “we found a problem with your Windows computer” call scammers) who perform the same tasks at a distance.
All the people who write instructions on how to use and fix all of our multi-purpose devices, from smartphones to computers to remote controls.
Oh, and the people that somehow have to succinctly explain to prospects why these multi-purpose devices are so great.
Because no one’s going to run into problems with technology unless they acquire the technology. And your firm has to get them to acquire your technology.
Crafting a technology marketing piece
So your firm’s marketer or writer has to craft some type of content that will make a prospect aware of your technology, and/or induce the prospect to consider purchasing the technology, and/or ideally convert the prospect into a paying customer.
Before your marketer or writer crafts the content, they have to answer some basic questions.
Using a very simple single-purpose example of a hammer, here are the questions with explanations:
Why does the prospect need this technology? And why do you provide this technology? This rationale for why you are in business, and why your product exists, will help you make the sale. Does your prospect want to buy a hammer from a company that got tired of manufacturing plastic drink stirrers, or do they want to buy a hammer from a forester who wants to empower people to build useful items?
How does your firm provide this technology? If I want to insert a nail into a piece of wood, do I need to attach your device to an automobile or an aircraft carrier? No, the hammer will fit in your hand. (Assuming you have hands.)
What is the technology? Notice that the “why” and “how” questions come before the “what” question, because “why” and “how” are more critical. But you still have to explain what the technology is (with the caveat I mention below). Perhaps some of your prospects have no idea what a hammer is. Don’t assume they already know.
What is the goal of the technology? Does a hammer help you floss your teeth? No, it puts nails into wood.
What are the benefitsof the technology? When I previously said that you should explain what the technology is, most prospects aren’t looking for detailed schematics. They primarily care about what the technology will do for them. For example, that hammer can keep their wooden structure from falling down. They don’t care about the exact composition of the metal in the hammer head.
Finally, who is the target audience for the technology? I don’t want to read through an entire marketing blurb and order a basic hammer, only to discover later that the product won’t help me keep two diamonds together but is really intended for wood. So don’t send an email to jewelers about your hammer. They have their own tools.
(UPDATE OCTOBER 23, 2023: “SIX QUESTIONS YOUR CONTENT CREATOR SHOULD ASK YOU IS SO 2022. DOWNLOAD THE NEWER “SEVEN QUESTIONS YOUR CONTENT CREATOR SHOULD ASK YOU” HERE.)
Once you answer these questions (more about the six questions in the Bredemarket e-book available here), your marketer or writer can craft your content.
Or, if you need help, Bredemarket (the technology content marketing expert) can craft your content, whether it’s a blog post, case study, white paper, or something else.
I’ve helped other technology firms explain their “hammers” to their target audiences, explaining the benefits, and answering the essential “why” questions about the hammers.
Can I help your technology firm communicate your message? Contact me.
What’s more, these results change on a monthly basis, so it’s quite possible that the #1 vendor in some category in February 2022 was no longer than #1 vendor in March 2022. (And if your company markets years-old FRVT results, stop it!)
This is the August 15, 2023 peek at three ways to slice and dice the NIST FRVT results.
And a bunch of vendors will be mad at me because I didn’t choose THEIR preferred slicing and dicing, or their ways to exclude results (not including Chinese algorithms, not including algorithms used in surveillance, etc.). The mad vendors can write their own blog posts (or ask Bredemarket to ghostwrite them on their behalf).
NIST FRVT 1:1, VISABORDER
The phrase “NIST FRVT 1:1, VISABORDER” is shorthand for the NIST one-to-one version of the Face Recognition Vendor Test, using the VISABORDER probe and gallery data. This happens to be the default way in which NIST sorts the 1:1 accuracy results, but of course you can sort them against any other probe/gallery combination, and get a different #1 vendor.
As of August 15, the top two accuracy algorithms for VISABORDER came from Cloudwalk. Here are all of the top ten.
But NIST doesn’t just measure accuracy for a bunch of different probe-target combinations. It also measures performance, since the most accurate algorithm in the world won’t do you any good if it takes forever to compare the face templates.
One caveat regarding these measures is that NIST conducts the tests on a standardized set of equipment, so that results between vendors can be compared. This is important to note, because a comparison that takes 103 milliseconds on NIST’s equipment will yield a different time on a customer’s equipment.
One of the many performance measures is “Comparison Time (Mate).” There is also a performance measure for “Comparison Time (Non-mate).”
So in this test, the fastest vendor algorithm comes from Trueface. Again, here are the top 10.
Now I know what some of you are saying. “John,” you say, “the 1:1 test only measures a comparison against one face against one other face, or what NIST calls verification. What if you’re searching against a database of faces, or identification?”
Well, NIST has a 1:N test to measure that particular use case. Or use cases, because again you can slice and dice the results in so many different ways.
When looking at accuracy, the default NIST 1:N sort is by:
Probe images from the BORDER database.
Gallery images from a 1,600,000 record VISA database.
Cloudwalk happens to be the #1 vendor in this slicing and dicing of the test. Here are the top ten.
The usual cautions apply that everyone, including NIST, emphasizes that these test results do not guarantee similar results in an operational environment. Even if the algorithm author ported its algorithm to an operational system with absolutely no changes, the operational system will have a different hardware configuration and will have different data.
For example, none of the NIST 1:N tests use databases with more than 12 million records. Even 20 years ago, Behnam Bavarian correctly noted that biometric databases would eventually surpass hundreds of millions of records, or even billions of records. There is no way that NIST could assemble a test database that large.
Bredemarket 