And there are a ton of ramifications and unintended consequences.
Covishield and the EUDCC
When I last looked at the EUDCC, I examined its effect on travel from people outside of the European Union. The question at the time was what would happen to people who were vaccinated with something other than the European Medicines Agency-approved vaccines, thus rendering them ineligible for the EUDCC.
In particular, people who were vaccinated with the Covishield vaccine were not eligible for the EUDCC. Depending upon whom you asked, Covishield is either just the same as the EMA-approved AstraZeneca vaccine (now referred to as “Vaxzervria” in EU-speak), or it has a radically different manufacturing process that disqualifies it from automatic acceptance.
This non-recognition of Covishield has a great impact on African nations, because that vaccine is popular there. However, EUDCC disapproval has been offset by the actions of several individual countries to recognize Covishield as a vaccine. For example, Greece recognizes ten vaccines (including Covishield) as opposed to the EU’s four. Of course, you have to go through additional paperwork to get authorization to enter a specific country.
But Joseph Atick notes that there’s another issue that adversely impacts the ability of Africans to enter Europe.
Linking a vaccination to a person
Assume for the moment that you have received an EU-authorized vaccine. This is only part of the battle, because the act of vaccination has to be tied to you as a person.
One of the biggest barriers to setting up these systems—and one that could greatly complicate digital health certificates – involves traceability, which for an official digital ID means documenting one’s birth event.
In Africa, not everyone has a birth certificate, and many struggle to trace their identity to the birth event.
If you cannot prove to the satisfaction of the European Union (or whoever) that you were the actual person who received a vaccine, then you may face barriers to entering Europe (or wherever).
And what are the ramifications of this?
A digital health certificate has appeal as an efficient and effective way to manage COVID-19 risks. But if we don’t pause now to consider the implications of getting it wrong and look for ways to get it right, these marvellous digital innovations could also be supremely effective at creating a binary world of those who can prove their COVID-19 risk status and those who cannot.
The requirement for a digital identity
Oh, and there’s another issue that Atick didn’t address, but which bears noting.
All of the health vaccination solutions listed above assume as a given that people will be the owners of a unique, government-authorized digital identity.
In my country, both some people on the left and some people on the right believe that “governmental digital identity” naturally equates to “governmental digital surveillance,” and that governments shouldn’t be abusing the data that they can obtain from all the vaccinations you get, all the places you travel, all the things you buy, and all the other things that you do.
(Well, except for voting. Some on the right fervently believe that government identities are essential to voting, even if they’re not essential to any other activity.)
But are people truly banned from travel?
So where does this leave the people who cannot prove that they were vaccinated with an authorized vaccine, or perhaps were never vaccinated at all?
In many cases travel for the unvaccinated is not banned, but they have to go through additional hoops to travel. Using one example, unvaccinated U.S. citizens can travel to Austria if they “have recovered from COVID-19 in the past 180 days; or present a negative COVID-19 PCR or antigen test result procured within 72 or 48 hours of travel.” For more country-by-country specifics as of August 13, click here.
But how will the unvaccinated get to Europe, or anywhere else?
United Airlines isn’t requiring passengers to be vaccinated. Employees? That’s another matter.
But on the other hand, a vaccination in and of itself is not a guarantee that you can travel. Norway has a long list of requirements that an incoming person must satisfy, vaccination or not. This isn’t the time for an American to go on a sightseeing tour to Oslo.
So a binary division into the “travels” and “travel nots” may not become a reality. Instead, it will be a gradation of travel allowances and non-allowances, based upon a variety of factors.
As a former long-time employee of a company that provides finger and face technology for the Federal Bureau of Investigation’s Next Generation Identification (NGI) system, as well as driver’s license and passport technology in the United States and other countries, I am reflexively accustomed to thinking of a proven identity in governmental terms.
What this means in practice is that whenever I see a discussion of a proven identity, I reflexively assume that the identity was proven through means of some type of governmental action.
Perhaps the identity was tied to a driver’s license identity maintained by a state agency (and checked against other states via AAMVA’s “State to State” to ensure that there are no duplicate identities).
Or perhaps the identity was proven via the use of a database maintained by a government agency, such as the aforementioned NGI or perhaps a database such as the CODIS DNA database.
However, I constantly have to remind myself that not everyone thinks as I do, and that for some people an identity proven by governmental means is the worst possible scenario.
I recently read an article from Thermo Fisher Scientific, which among other things provides a slew of DNA instruments, software, and services for both traditional DNA and rapid DNA.
One of the applications of DNA is to prove family relationships for migrants, especially after families were separated after border crossings. This can be done in a positive sense (to prove that a separated parent and child ARE related) or in a negative sense (to prove that a claimed parent and child are NOT related). However, as was noted in a webinar I once attended, DNA is unable to provide any verification of legitimate adoptions.
Regardless of the purpose of using DNA for migrants, there is a certain level of distrust among the migrants when the government says (presumably in Spanish), “We’re the government. We’re here to help.” You don’t have to be a rabid conspiracy theorist to realize that once DNA data is captured, there is no technical way to prevent the data from being shared with every other government agency. Certain agencies can establish business rules to prevent such sharing, but those business rules can include wide exceptions or the rules can be ignored entirely.
Therefore, Thermo Fisher Scientific decided to discuss humanitarian DNA databases.
As a result of migration, human trafficking and war, humanitarian databases are a relatively new concept and are often completely separate from criminal databases. Research has shown that family members may distrust government databases and be reluctant to report the missing and provide reference samples (1). Humanitarian databases are repositories of DNA profiles from reported missing persons, relative reference samples, and unknown human remains and may be managed by non-governmental organizations (NGOs), though in some instances they may be managed by a governmental institution but kept separate from criminal databases. Examples of humanitarian databases can be found in the United States (NamUs, University of North Texas HDID), Canada (Royal Canadian Mounted Police), Australia (National DNA Program for unidentified and missing persons) and internationally via the International Commission on Missing Persons (ICMP).
As you can see from the list, some of these databases ARE managed by government police agencies such as the RCMP. But others are not. The hope, of course, is that migrants would be willing to approach the humanitarian folks precisely BECAUSE they are not the police. Reluctance to approach ANY agency may be dampened by a desire to be reunited with a missing child.
And these non-governmental efforts can work. The Colibri Center claims to have performed 142 identifications that would not have been made otherwise.
Reluctance to set national standards for mobile driver’s licenses
Because of my (biased) outlook, mobile driver’s licenses and other applications of government-proven digital identity seem like a wonderful thing. The example that I often bore you with is the example of buying a drink at a bar. If someone does this with a traditional driver’s license, the bartender not only learns the drinker’s birthdate, but also his/her address, (claimed) height and weight, and other material irrelevant to the “can the person buy a drink?” question. With a mobile driver’s license, the bartender doesn’t even learn the person’s birthdate; the bartender only learns the one important fact that the drinker is over 21 years of age.
Some people are not especially wowed with this use case.
The DHS Request for Comment has finally closed, and among the submissions is a joint response from the American Civil Liberties Union, Electronic Frontier Foundation (EFF), & Electronic Privacy Information Center (EPIC). The joint response not only warns about potential misuse of government digital identities, but also questions the rush of establishing them in the first place.
We believe that it is premature to adopt industry standards at this time as no set of standards has been completed that fully takes advantage of existing privacy-preserving techniques. In recent decades we have seen the emergence of an entire identity community that has been working on the problems of online identity and authorization. Some within the identity community have embraced centralized and/or proprietary systems…
You can imagine how the ACLU, EFF, and EPIC feel about required government-managed digital identities.
Is a Non-Governmental Identity (NGI) feasible and reliable?
Let’s return to the ACLU/EFF/EPIC response to the DHS Request for Comment, which mentions an alternative to centralized, proprietary maintenance of digital identities. This is the alternative that I’m referring to as NGI just to cause MAC (massive acronym confusion).
…others are animated by a vision of “self-sovereign identity” that is decentralized, open source, privacy-preserving, and empowering of individuals. That movement has created a number of proposed systems, including an open standard created by the World Wide Web Consortium (W3C) called Verifiable Credentials (VCs)….
DHS should refuse to recognize IDs presented within centralized identity systems. If a standard digital identity system is to be accepted by the federal government, it must be created in an open, transparent manner, with the input of multiple stakeholders, and based upon the self-sovereign identity concept. Such a system can then be used by federal government agencies to view identity credentials issued by state departments of motor vehicles (DMVs) where doing so makes sense. If standards based on self-sovereign identity are not considered mature enough for adoption, efforts should be directed at rectifying that rather than at adopting other systems that raise privacy, security, and autonomy risks.
For all practical purposes, the chances of the ACLU/EFF/EPIC convincing the Department of Homeland Security to reject government-proven identities are approximately zero. And since DHS controls airport access, you probably won’t see an airport security agent asking for your Verifiable Credentials any time soon. Self sovereign identities are just as attractive to government officials as sovereign citizens.
Who issues Verifiable Credentials?
As ACLU/EFF/EPIC noted, Verifiable Credentials are still under development, just as the centralized system standards are still under development. But enough advances have been made so that we have somewhat of an idea what they will look like. As Evernym notes, there is a trusted triangle of major players in the Verifiable Credentials ecosystem:
There are a number of directions in which we can go here, but for the moment I’m going to concentrate on the Issuer.
In the current centralized model being pursued in the United States, the issuers are state driver’s license agencies that have “voluntarily” consented to agree to REAL ID requirements. Several states have issued digital versions of their driver’s licenses which are recognized for various purposes at the state level, but are not yet recognized at the federal level. (The purpose of the DHS Request for Comment was to solicit thoughts on federal adoption of digital identities. Or, in the case of some respondents, federal NON-adoption of digital identities.)
Note that in the Verified Credentials model, the Issuer can be ANYBODY who has the need to issue some type of credential. Microsoft describes an example in which an educational institution is an Issuer that represents that a student completed particular courses.
Without going into detail, the triangle of trust between Issuers, Verifiers, and Holders is intended to ensure that a person is who they say they are. And to the delight of the ACLU et al, this is performed via Decentralized Identifiers (DIDs), rather than by centralized management by the FBI or the CIA, the BBC, B. B. King, Doris Day, or Matt Busby. (Dig it.)
But NGIs are not a cure-all
Despite the fact that they are not controlled by governments, and despite that fact that users (at least theoretically) control their own identities, no one should think that digital identities are the solution to all world problems…even when magic paradigm-shifting words like “blockchain” and “passwordless” are attached to them.
Here’s what McKinsey has said:
…even when digital ID is used with good intent, risks of two sorts must be addressed. First, digital ID is inherently exposed to risks already present in other digital technologies with large-scale population-level usage. Indeed, the connectivity and information sharing that create the value of digital ID also contribute to potential dangers. Whether it is data breaches and cyber-intrusions, failure of technical systems, or concerns over the control and misuse of personal data, policy makers around the world today are grappling with a host of potential new dangers related to the digital ecosystem.
Second, some risks associated with conventional ID programs also pertain in some measure to digital ID. They include human execution error, unauthorized credential use, and the exclusion of individuals. In addition, some risks associated with conventional IDs may manifest in new ways as individuals newly use digital interfaces. Digital ID could meaningfully reduce many such risks by minimizing opportunity for manual error or breaches of conduct.
In addition, many of these digital identity initiatives are being pursued by large firms such as IBM and Microsoft. While one hopes that these systems will be interoperable, there is always the danger that the separate digital identity systems from major firms such as IBM and Microsoft may NOT be interoperable, in the same way that the FBI and DHS biometric systems could NOT talk to each other for several yearsAFTER 9/11.
And it’s not only the large companies that are playing in the market. Shortly after I started writing this post, I ran across this LinkedIn article from the Chief Marketing Officer at 1Kosmos. The CMO makes this statement in passing:
At 1Kosmos, we’ve taken our FIDO2 certified platform one step further with a distributed identity based on W3C DID standards. This removes central administration of the database via a distributed ledger for true “privacy by design,” putting users in sole access and control of their identity.
1Kosmos, IBM, and Microsoft know what they’re talking about here. But sadly, some people only think these technologies are “cool” because they’re perceived as anti-government and anti-establishment. (As if these companies are going to call for the downfall of capitalism.)
Which identiy(ies) will prevail?
Back to governmental recognition of NGI.
Don’t count on it.
Anticipated DHS endorsement of government-issued digital identities doesn’t mean that NGI is dead forever, since private companies can adopt (and have adopted) any identity system that they wish.
So in truth we will probably end up with a number of digital identities like we have today (I, for example, have my WordPress identities, my Google identities, and countless others). The difference, of course, is that the new identities will be considered robust – or won’t be, when centralized identity proponents denigrate decentralized identities and vice versa.
But frankly, I’m still not sure that I want Facebook to know how much I weigh.
(Although, now that I think about it, Apple already knows.)
When I was part of an industry in which the three major players were my employer IDEMIA and its competitors NEC and Thales, I was always aware of a potential threat to these three multi-billion dollar biometric companies. Specifically, there were much, much bigger technology companies (both inside and outside of Silicon Valley) with huge resources and extensive artificial intelligence experience. These firms could put the three biometric firms out of business at any time.
As my regular readers know, I’ve recently spent some time refining my content creation process for Bredemarket’s clients. As part of this, I’ve made a point of emphasizing some key points that need to be established at the beginning of a client engagement with someone like you, including the following:
Your overall GOAL. The content Bredemarket creates must advance your goal.
Your perceived BENEFITS. The content Bredemarket creates must communicate your benefits.
Your TARGET AUDIENCE. The content Bredemarket creates must speak to your target audience.
To use a simple example, if your goal is to have local law enforcement agencies request formal quotes from you, your benefits include your experience working as a certified latent fingerprint examiner, and your target audience is the forensic, records, and/or IT departments of local law enforcement agencies, then I have failed if Bredemarket’s generated content talks about general business topics with no reference to law enforcement or fingerprints.
However, I realize that there’s an implicit assumption that there is something that is at an even higher level than goals, benefits, or target audiences.
That “something” is your beliefs. (I speak in a business sense here, by the way, although your beliefs in general can impact how you do business.)
Because your beliefs underpin everything that you do.
We are influenced by many factors that ripple through our minds as our beliefs form, evolve, and may eventually change. By User:Lbeaumont based on image by Mila / Brocken Inaglory – This file has been extracted from another file: Multy droplets impact.JPG, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=29111316
They are the (sometimes unspoken) foundation that effects the goals you set, the benefits you offer, the audiences you target, and even whether you will meet with a client at 6:00 in the morning local time. (There are pros and cons to taking 6am meetings; it’s not a one-size-fits-all decision. More about that later.)
Beliefs of sole proprietors
The influence of beliefs on a business is obviously clearest when I as a consultant deal with other sole proprietors, because sole proprietors by definition have great control over how they do business.
Because of my background, many of the sole proprietors that I know are people who were formerly in the corporate world, but left it for some reason (sometimes by choice, sometimes not). Universally, these sole proprietors have seen things in the corporate world that they like, but have also seen corporate practices that they DO NOT like. Now that they’re in business for themselves, these sole proprietors have resolved that their business will never do these bad things.
I don’t want to single out any of the sole proprietors that I know, so I’m going to make up an example.
Beth Smith spent two years working for Pay By Touch, an early pioneer in digital identity that was in some respects ahead of its time. Even when founded in the early 2000s, the concept was solid: rather than having to drag out a credit card to make a payment, a grocery store shopper or other consumer could simply touch his or her finger against a fingerprint reader, securely allowing the consumer to pay by touch. Unfortunately, the leadership of the firm was not so good, and the company itself eventually went bankrupt.
Several years later, when digital identity became a hot topic, Beth Smith decided to re-enter the industry on her own. But she decided that a key belief of her business would be ethical behavior. No cocaine binges or unpaid bills would sully the reputation of Beth Smith Identity Services.
From this key belief, you can extrapolate how it would be reflected in Beth Smith’s goals, benefits, and target audience. For example, if you’re an illegal drug dealer, don’t even bother to ask Beth Smith Identity Services for a quote. She won’t talk to you.
Perhaps my made-up example is outrageous (then again, Pay By Touch’s founder John P. Rogers was pretty outrageous himself), but I’ve seen how similar beliefs (shaped by experience) have influenced other sole proprietors that I know.
If a sole proprietor is angered by the glacial nature of multinational decision-making, that proprietor will emphasize quick delivery to accelerate client business and satisfaction.
If a sole proprietor is disheartened because their former employer ignored a specific product, service, or market, that proprietor will prioritize that product/service/market and bring their unique talents to that market.
If a sole proprietor is frustrated by the prevalence of one-size-fits-all cookie cutter solutions, that proprietor will prioritize responsiveness to a customer’s unique needs to ensure that the customer receives the best possible service.
But how do you discover a sole proprietor’s beliefs?
If I were interviewing you, I probably wouldn’t ask you what your key beliefs are. Perhaps I should (although that’s a rather personal question), but so far I haven’t needed to do so. If I already know you from past associations, I already know what your beliefs are. And if I don’t know you but just generally ask you about yourself and your business, your beliefs will probably come through in your conversation with me. If you spend a half hour talking with someone, you can learn all sorts of things. (But if you’re talking with me, my Calendly calendar doesn’t include 6am appointments.)
Beliefs of corporate employees
In terms of beliefs, a corporation is very different from a sole proprietor.
I know this from personal experience. The first multinational corporation that employed me was Motorola. This was before Motorola split into two entities, Motorola Solutions and Motorola Mobility.
During my period as a Motorola employee, the company had three leaders: Christopher Galvin, Edward Zander, and Greg Brown. While these leaders could set the direction for the company, they could not completely influence the beliefs of every member. It isn’t like all of the tens of thousands of Motorola employees immediately changed direction when Zander replaced Galvin, even though the two had distinctly different styles.
Galvin is a quiet, reserved, man who is perhaps contemplative and reflective to a fault. He believed in layers of management and many meetings that often kept Motorola from responding quickly to dynamic market circumstances. While not prone to take credit for successes, he always said the buck stopped with him when things didn’t go well. Zander, a freewheeling showman, is a boisterous, energetic, fast-moving Brooklyn native who often shoots from the hip or the lip.
I have never spoken with Galvin, Zander, or Brown, and I don’t think I’ve ever been in the same room with Galvin or Zander. Greg Brown advanced in Motorola’s hierarchy before becoming CEO, so I’m sure that I was in the same room with him at some point in my Motorola career.
So Galvin’s, Zander’s, and Brown’s influence on me and my beliefs was somewhat limited.
I was much more influenced by my direct supervisors, other directors and managers at Motorola’s Anaheim and Irvine offices, and selected people from Schaumburg, Plantation, Phoenix, Canada, and elsewhere who interacted with me on a daily basis.
The same holds true with my consulting business.
While I am technically delivering Bredemarket’s services to companies (including some large multinational companies), in reality I am delivering my services to Director Jim at Company X or Vice President Carol at Company Y. Director Jim and VP Carol have their own goals, perceived benefits, and target audiences…and their own beliefs.
When Bredemarket is delivering something to Director Jim, and is considering various options, there are times when I say to myself “Director Jim wouldn’t go for that.” Or if I’m delivering something to VP Carol, it will occur to me that she would really prefer a particular way of doing things.
Again, a consultant may not explicitly ask a corporate employee about their beliefs, but if the consultant regularly talks to the client, those beliefs will come out in the course of conversation.
What are MY beliefs?
This is the “physician heal thyself” portion of the post.
As you may have gathered from this post, I don’t always expect a sole proprietor or corporate employee to explicitly delineate their beliefs, perhaps because I can’t envision myself doing something like that. If I were talking to you as a potential client, it would feel brazen for me to declare, “This is what I believe.” Beliefs are personal, after all.
But even if I don’t explicitly state my beliefs, I need to make sure that they are reflected in Bredemarket’s goals, benefits, and target audiences.
How is my self-proclaimed status as a biometric content marketing expert and a biometric proposal writing expert influenced by my underlying beliefs?
What are YOUR beliefs?
For this post, I’ll dispense with my usual call to action to contact me if Bredemarket can help you. (Actually, I didn’t dispense with it, since I just wrote it.)
But I WILL ask you to think about something, whether you are a sole proprietor, a corporate employee, or a guy who used to be everyone’s best friend and is now having fun.
Think about your beliefs.
What are they?
How do they influence how you conduct business?
Finally, would you explicitly state your beliefs, or would you prefer that your beliefs be reflected by what you do?
While he does not explicitly talk about the myriad of facial recognition algorithms that were NOT addressed in the study, he does have some additional details about the test dataset.
The three algorithms that were tested
Here’s what FindBiometrics says about the three algorithms that were tested in the Israeli study.
The researchers described (the master faces) as master keys that could unlock the three facial recognition systems that were used to test the theory. In that regard, they challenged the Dlib, FaceNet, and SphereFace systems, and their nine master faces were able to impersonate more than 40 percent of the 5,749 people in the LFW set.
While it initially sounds impressive to say that three facial recognition algorithms were fooled by the master faces, bear in mind that there are hundreds of facial recognition algorithms tested by NIST alone, and (as I said earlier) the test has NOT been duplicated against any algorithms other than the three open source algorithms mentioned.
…let’s look at the algorithms themselves and evaluate the claim that results for the three algorithms Dlib, FaceNet, and SphereFace can naturally be extrapolated to ALL facial recognition algorithms….NIST’s subsequent study…evaluated 189 algorithms specially for 1:1 and 1:N use cases….“Tests showed a wide range in accuracy across developers, with the most accurate algorithms producing many fewer errors.”
In short, just because the three open source algorithms were fooled by master faces doesn’t mean that commercial grade algorithms would also be fooled by master faces. Maybe they would be fooled…or maybe they wouldn’t.
What about the dataset?
The three open source algorithms were tested against the dataset from Labeled Faces in the Wild. As I noted in my prior post, the LFW people emphasize some important caveats about their dataset, including the following:
Many groups are not well represented in LFW. For example, there are very few children, no babies, very few people over the age of 80, and a relatively small proportion of women. In addition, many ethnicities have very minor representation or none at all.
In the FindBiometrics article, Weiss provides some additional detail about dataset representation.
…there is good reason to question the researchers’ conclusion. Only two of the nine master faces belong to women, and most depicted white men over the age of 60. In plain terms, that means that the master faces are not representative of the global public, and they are not nearly as effective when applied to anyone that falls outside one particular demographic.
That discrepancy can largely be attributed to the limitations of the LFW dataset. Women make up only 22 percent of the dataset, and the numbers are even lower for children, the elderly (those over the age of 80), and for many ethnic groups.
Valid points to be sure, although the definition of a “representative” dataset varies depending upon the use case. For example, a representative dataset for a law enforcement database in the city of El Paso, Texas will differ from a representative dataset for an airport database catering to Air France customers.
So what conclusion can be drawn?
Perhaps it’s just me, but scientific entities that conduct studies are always motivated by the need for additional funding. After a study is concluded, it seems that the entities always conclude that “more research is needed”…which can be self-serving, because as long as more research is needed, the scientific entities can continue to receive necessary funding. Imagine the scientific entity that would dare to say “Well, all necessary research has been conducted. We’re closing down our research center.”
But in this case, there IS a need to perform additional research, to test the master faces against different algorithms and against different datasets. Then we’ll know whether this statement from the FindBiometrics article (emphasis mine) is actually true:
Any face-based identification system would be extremely vulnerable to spoofing…
This is the “oops” of the month (actually for the month of July).
By U.S. Government – ATSDR (part of the CDC) series of state-specific fact sheets. Bitmap versions have been seen on US Embassy websites. Direct PDF URL [1], Public Domain, https://commons.wikimedia.org/w/index.php?curid=14801198
On Monday, July 26 the Tennessee Department of Economic and Community Development made an important announcement:
Tennessee Gov. Bill Lee, Department of Economic and Community Development Commissioner Bob Rolfe and Integrated Biometric Technology, LLC (IBT) officials announced today that the company will establish new operations and locate its corporate headquarters in Franklin.
For those who aren’t familiar with the Nashville area, Franklin is a suburb of Nashville. Coincidentally, IDEMIA (IBT President & CEO Charles Carroll’s former employer) used to have an office in Franklin (I visited it in June 2019), but it has since moved to another Nashville suburb.
This job-related news obviously pleased a number of other Tennessee government officials, including one whom (in this post at least) will remain nameless. The government official tweeted the following, along with a link to the announcement:
Congratulations to @IntegratedBiome on their decision to locate their facility in Franklin and to all our state and local officials who helped bring these jobs home!
A nice sentiment to be sure…except for one teeny problem.
The government official didn’t tag Integrated Biometric Technology (who appears to have a Twitter account, but it isn’t live yet), but instead tagged a SOUTH CAROLINA company with a similar name, Integrated Biometrics. (I’ve discussed this company before. They’re the ones who really like 1970s TV crime fighters.)
Hi there! That article is actually about Integrated Biometric Technology – not us (Integrated Biometrics)
It turns out that the two companies with similar names have existed in one form or another for nearly two decades. The first iteration of Integrated Biometric Technology was established in 2005, while Integrated Biometrics dates back to 2002. I was in Motorola at the time and can’t remember any name confusion in those days, since I was busy concentrating on other things…such as AFIX Tracker.
Cue the “It’s a Small World” music. Trust me, the biometrics world can be very small at times…
(This is the third post in a series. The first post (from July 8) can be found here, the second (from July 12) here.)
Most people who started new businesses did not start them during a pandemic. Those of us who did had a different experience than older firms. Some things those older firms did weren’t necessary for the COVID firms.
Until now.
Starting a business during a pandemic
When I started Bredemarket, I wasn’t creating tangible collateral.
When would I use it?
I wasn’t driving to clients’ offices to pitch my services. I was sitting in my home office, communicating with people online, and never visiting them. I had not met any of my clients in-person in years, and some of my clients have never met me in-person at all.
I wasn’t mailing things to clients or potential clients…well, not through the U.S. Postal Service anyway. I’m using email, LinkedIn, and other electronic communication methods to interact with my clients. Bredemarket’s inventory doesn’t even include a single stamp.
And in my case I wasn’t traveling on any real business trips. (I didn’t go to last week’s International Association for Identification conference.) For me, my only “business trips” so far have been to:
You can’t blame me for thinking that tangible collateral was on the way out, because I was conducting most of my business without physically entering a location. My city business license, my fictitious business name application, and even my business bank account were all applied for online.
Tangible collateral was of far less importance than my QR code.
And now I’m printing tangible collateral
So what changed?
Well, I’m going to an in-person event next week. For my younger readers (i.e. those who developed awareness after 2019), an “in-person event” is something where you are actually in the same room as the people that you are meeting, rather than looking at them in boxes on your computer screen.
After I registered for the in-person event, I realized that I needed to obtain something, preferably before the meeting.
I needed business cards.
And the business cards had to be Bredemarket business cards. I still have some business cards from my former employer, but they’re obviously not going to do me any good.
Now travel back to those long-ago days of 2019 and try to imagine any firm, even a service-based firm, conducting business for almost a year without bothering to print business cards.
Since I haven’t really dealt with business cards in a couple of years, it’s time for me to brush up on business card etiquette:
Cards should not be handed out by the left hand, should never be written on and should always be translated to the language of the specific country they are being handed out in on the rear of the card. They should never be carried loose and presented in the best condition.
(By the way, don’t you think that last sentence needs a comma?)
Anyway, I have finally ordered some business cards, which should arrive before my in-person event next week.
And I’ll also be ready for a SECOND in-person event.
Unless a future Mu or Nu variant of COVID sends us all back home.
When looking at U.S. state implementations of mobile driver’s licenses, there are various gradations of these implementations.
Some states have only performed pilots.
Some states have implemented production versions of mobile driver’s license, but their acceptance is limited and you still have to carry your physical driver’s license with you.
I don’t think any state has reached the level where the mDL is acceptable for ALL state purposes, and you DON’T have to carry your physical license with you any more.
NO state has reached the level where the mDL is acceptable for state AND federal purposes (such as boarding planes). That is still in process.
This post looks at what is going on in one state, what may happen in the future, and what resistance the state may (or may not) meet from its own residents.
Subscribe to get access
Subscribe to Bredemarket Premium to access this premium content.
Subscriptions just $5 per month.
Access Bredemarket’s expertise without spending hundreds or thousands of dollars.
Modern “journalism” often consists of reprinting a press release without subjecting it to critical analysis. Sadly, I see a lot of this in publications, including both biometric and technology publications.
This post looks at the recently announced master faces study results, the datasets used (and the datasets not used), the algorithms used (and the algorithms not used), and the (faulty) conclusions that have been derived from the study.
Oh, and it also informs you of a way to make sure that you don’t make the same mistakes when talking about biometrics.
In facial recognition, there is a concept called “master faces” (similar concepts can be found for other biometric modalities). The idea behind master faces is that such data can potentially match against MULTIPLE faces, not just one. This is similar to a master key that can unlock many doors, not just one.
This can conceivably happen because facial recognition algorithms do not match faces to faces, but match derived features from faces to derived features from faces. So if you can create the right “master” feature set, it can potentially match more than one face.
Ever thought you were being gaslighted by industry claims that facial recognition is trustworthy for authentication and identification? You have been.
The article goes on to discuss an Israeli research project that demonstrated some true “master faces” vulnerabilities. (Emphasis mine.)
One particular approach, which they write was based on Dlib, created nine master faces that unlocked 42 percent to 64 percent of a test dataset. The team also evaluated its work using the FaceNet and SphereFace, which like Dlib, are convolutional neural network-based face descriptors.
They say a single face passed for 20 percent of identities in Labeled Faces in the Wild, an open-source database developed by the University of Massachusetts. That might make many current facial recognition products and strategies obsolete.
Sounds frightening. After all, the study not only used dlib, FaceNet, and SphereFace, but also made reference to a test set from Labeled Faces in the Wild. So it’s obvious why master faces techniques might make many current facial recognition products obsolete.
Right?
Let’s look at the datasets
It’s always more impressive to cite an authority, and citations of the University of Massachusetts’ Labeled Faces in the Wild (LFW) are no exception. After all, this dataset has been used for some time to evaluate facial recognition algorithms.
But what does Labeled Faces in the Wild say about…itself? (I know this is a long excerpt, but it’s important.)
DISCLAIMER:
Labeled Faces in the Wild is a public benchmark for face verification, also known as pair matching. No matter what the performance of an algorithm on LFW, it should not be used to conclude that an algorithm is suitable for any commercial purpose. There are many reasons for this. Here is a non-exhaustive list:
Face verification and other forms of face recognition are very different problems. For example, it is very difficult to extrapolate from performance on verification to performance on 1:N recognition.
Many groups are not well represented in LFW. For example, there are very few children, no babies, very few people over the age of 80, and a relatively small proportion of women. In addition, many ethnicities have very minor representation or none at all.
While theoretically LFW could be used to assess performance for certain subgroups, the database was not designed to have enough data for strong statistical conclusions about subgroups. Simply put, LFW is not large enough to provide evidence that a particular piece of software has been thoroughly tested.
Additional conditions, such as poor lighting, extreme pose, strong occlusions, low resolution, and other important factors do not constitute a major part of LFW. These are important areas of evaluation, especially for algorithms designed to recognize images “in the wild”.
For all of these reasons, we would like to emphasize that LFW was published to help the research community make advances in face verification, not to provide a thorough vetting of commercial algorithms before deployment.
While there are many resources available for assessing face recognition algorithms, such as the Face Recognition Vendor Tests run by the USA National Institute of Standards and Technology (NIST), the understanding of how to best test face recognition algorithms for commercial use is a rapidly evolving area. Some of us are actively involved in developing these new standards, and will continue to make them publicly available when they are ready.
So there are a lot of disclaimers in that text.
LFW is a 1:1 test, not a 1:N test. Therefore, while it can test how one face compares to another face, it cannot test how one face compares to a database of faces. The usual law enforcement use case is to compare a single face (for example, one captured from a video camera) against an entire database of known criminals. That’s a computationally different exercise from the act of comparing a crime scene face against a single criminal face, then comparing it against a second criminal face, and so forth.
The people in the LFW database are not necessarily representative of the world population, the population of the United States, the population of Massachusetts, or any population at all. So you can’t conclude that a master face that matches against a bunch of LFW faces would match against a bunch of faces from your locality.
Captured faces exhibit a variety of quality levels. A face image captured by a camera three feet from you at eye level in good lighting will differ from a face image captured by an overhead camera in poor lighting. LFW doesn’t have a lot of these latter images.
I should mention one more thing about LFW. The researchers allow testers to access the database itself, essentially making LFW an “open book test.” And as any student knows, if a test is open book, it’s much easier to get an A on the test.
Now let’s take a look at another test that was mentioned by the LFW folks itself: namely, NIST’s Face Recognition Vendor Test.
This is actually a series of tests that has evolved over the years; NIST is now conducting ongoing tests for both 1:1 and 1:N (unlike LFW, which only conducts 1:1 testing). This is important because most of the large-scale facial recognition commercial applications that we think about are 1:N applications (see my example above, in which a facial image captured at a crime scene is compared against an entire database of criminals).
In addition, NIST uses multiple data sets that cover a number of use cases, including mugshots, visa photos, and faces “in the wild” (i.e. not under ideal conditions).
It’s also important to note that NIST’s tests are also intended to benefit research, and do not necessarily indicate that a particular algorithm that performs well for NIST will perform well in a commercial implementation. (If the algorithm is even available in a commercial implementation: some of the algorithms submitted to NIST are research algorithms only that never made it to a production system.) For the difference between testing an algorithm in a NIST test and testing an algorithm in a production system, please see Mike French’s LinkedIn article on the topic. (I’ve cited this article before.)
With those caveats, I will note that NIST’s FRVT tests are NOT open book tests. Vendors and other entities give their algorithms to NIST, NIST tests them, and then NIST tells YOU what the results were.
So perhaps it’s more robust than LFW, but it’s still a research project.
Let’s look at the algorithms
Now that we’ve looked at two test datasets, let’s look at the algorithms themselves and evaluate the claim that results for the three algorithms Dlib, FaceNet, and SphereFace can naturally be extrapolated to ALL facial recognition algorithms.
This isn’t the first time that we’ve seen such an attempt at extrapolation. After all, the MIT Media Lab’s Gender Shades study (which evaluated neither 1:1 nor 1:N use cases, but algorithmic attempts to identify gender and race) itself only used three algorithms. Yet the popular media conclusion from this study was that ALL facial recognition algorithms are racist.
Compare this with NIST’s subsequent study, which evaluated 189 algorithms specially for 1:1 and 1:N use cases. While NIST did find some race/sex differences in algorithms, these were not universal: “Tests showed a wide range in accuracy across developers, with the most accurate algorithms producing many fewer errors.”
In other words, just because an earlier test of three algorithms demonstrated issues in determining race or gender, that doesn’t mean that the current crop of hundreds of algorithms will necessarily demonstrate issues in identifying individuals.
So let’s circle back to the master faces study. How do the results of this study affect “current facial recognition products”?
The answer is “We don’t know.”
Has the master faces experiment been duplicated against the leading commercial algorithms tested by Labeled Faces in the Wild? Apparently not.
Has the master faces experiment been duplicated against the leading commercial algorithms tested by NIST? Well, let’s look at the various ways you can define the “leading” commercial algorithms.
For example, here’s the view of the test set that IDEMIA would want you to see: the 1:N test sorted by the “Visa Border” column (results as of August 6, 2021):
Now you can play with the sort order in many different ways, but the question remains: have the Israeli researchers, or anyone else, performed a “master faces” test (preferably a 1:N test) on the IDEMIA, Paravision, Sensetime, NtechLab, Anyvision, or ANY other commercial algorithm?
Maybe a future study WILL conclude that even the leading commercial algorithms are vulnerable to master face attacks. However, until such studies are actually performed, we CANNOT conclude that commercial facial recognition algorithms are vulnerable to master face attacks.
So naturally journalists approach the results critically…not
But I’m sure that people are going to make those conclusions anyway.
While Matt Schneier doesn’t go to the extreme of saying that all facial recognition algorithms are now defunct, he does classify the research as “fascinating” WITHOUT commenting on its limitations or applicability. Schneier knows security, but he didn’t vet this one.
Gizmodo, on the other hand, breathlessly declares (in “‘Master Face’: Researchers Say They’ve Found a Wildly Successful Bypass for Face Recognition Tech”) that “you’d be safe to add (the study) to the growing body of literature that suggests facial recognition is bad news for everybody except cops and large corporations.” Apparently Gizmodo never read the NIST gender/race test results that I cited earlier.
Does anyone even UNDERSTAND these studies? (Or do they choose NOT to understand them?)
How can you avoid the same mistakes when communicating about biometrics?
As you can see, people often write about biometric topics without understanding them fully.
Even biometric companies sometimes have difficulty communicating about biometric topics in a way that laypeople can understand. (Perhaps that’s the reason why people misconstrue these studies and conclude that “all facial recognition is racist” and “any facial recognition system can be spoofed by a master face.”)
Are you about to publish something about biometrics that requires a sanity check? (Hopefully not literally, but you know what I mean.)
Well, why not turn to a biometric content marketing expert? Use the identity/biometric blog expert to write your blog post, the identity/biometric case study expert to write your case study, or the identity/biometric white paper expert to…well, you get the idea. (And all three experts are the same person!)
A few hours after finishing my revision of Bredemarket’s work process, I attended this month’s Orange County (California) Freelancers Union SPARK webinar. I’ve shared some things from SPARK meetings in the past (July’s happy hour, May’s AB2257 discussion), and I’m going to share some things from the August meeting also.
Jung and the restless
This meeting (which also happened to be the national Freelancers Union meeting for the month; our chapter rules!) was led by Cara Raffele, who spoke about “The Power of Storytelling.”
I’m not going to talk about the ENTIRE meeting, but will focus on the last part of the meeting, during which Raffele discussed “understanding your brand for maximum impact,” or brand archetypes.
The idea of archetypes started with Carl Jung, who defined them as images and themes that derive from the collective unconscious.
Jung claimed to identify a large number of archetypes but paid special attention to four. Jung labeled these archetypes the Self, the Persona, the Shadow and the Anima/Animus.
In modern-day marketing, this “large number of archetypes” has been boiled down to twelve, and it was these twelve that Raffele referenced in her presentation.
Raffele encouraged all of us freelancers to listen to all twelve, and then to select multiple archetypes (not just one) that seemed to reflect our freelance brands. So I iterated a first cut at the archetypes that I believed applied to Bredemarket; my preliminary list included Sage, Creator, and Explorer.
Why Sage? That particular one resonated with me because of my experiences with my clients (educating on benefits vs. features, expanding the understanding of law enforcement agency stakeholders), and because of the way I’ve been marketing myself anyway. After all, when I self-reference as the biometric content marketing expert and the biometric proposal writing expert, then it’s obvious that I can add the sage to my clients’ parsley, rosemary, and thyme. (Sorry, couldn’t resist, even though I know it’s bad.)
But after guessing that Bredemarket is Sage with a pinch of Creator and Explorer, I realized that I might not know myself as well as I thought, so I asked if there were some type of online “archetypes test,” similar to the online Meyers-Briggs personality tests, that could help you semi-independently discern your archetypes.
(One aside before moving on to Putnam’s test. A few of you realize that I did not come up with the section title “Jung and the restless” on my own. Yes, I stole it from a Steve Taylor song title (and he stole it from a soap opera). I used the title even though Taylor is frankly not that positive about secular psychology. But he did say “some of my best friends are shrinks.” Oh, and that’s obviously Gym Nicholson of Undercover fame on guitar.)
My “Brand Personality Quiz” results, and Kaye Putnam’s recommendations
If you’ve taken an online Meyers-Briggs personality test, or any other similar online test, the process of the Brand Personality Quiz will seem familiar to you. Putnam’s quiz asks you a series of independent questions, some of which have as many as twelve options. It then tabulates your answers against attributes of the twelve brand archetypes, and produces a final result listing a primary brand archetype and some secondary archetypes.
Here are my results.
So if you take Putnam’s quiz as gospel, I was somewhat accurate in my initial self-assessment.
Note that “Sage” came first and “Explorer” came second in the quiz results, and those were two of the archetypes I initially tweeted about before taking the quiz.
Considering the personal writing style I use in my blog, tweets, and elsewhere, “Entertainer” wasn’t much of a surprise either.
Upon further personal reflection, “Royalty” makes sense also. (So bow before me, serfs.)
And after reading Putnam’s description of “Creator” and its emphasis on visual presentation (rather than textual presentation), I can see why this was NOT on the list.
Along with my results, Putnam provided a link that allowed me to download a brief description of my primary archetype, Sage. Now this brief description doesn’t include all of the detail found in Putnam’s 12 Brandfluency courses (one for each archetype), but it does include many actionable items.
The “Sage Inspiration Kit” provides useful tips for Sage businesspeople to include in their brand marketing. The kit asserts that if the tips are followed, the results will produce emotional responses in potential clients that will increase brand attractiveness, thus allowing businesspeople to win more business (and win better business).
Tips are provided on the following:
Color.
Typography.
Words.
Obviously that’s a lot of stuff to absorb, even in this brief kit. (The paid course offers tips in additional areas.) And even if I wanted to, I couldn’t change all the colors and fonts in my marketing overnight.
But I could look at Putnam’s word suggestions.
Ignoring the expert
Now Kaye Putnam’s word suggestions are freely available to anyone, but I’m not going to just copy all of them and reproduce them here. Request them yourself. (The link is for the Sage archetype)
But I’ll offer comments on a few of the 18 words and phrases in the kit.
First off, I’m NOT going to use “think tank” in Bredemarket’s marketing. Perhaps this phrase may resonate for a larger firm, or even for a smaller firm with a team of people addressing their clients’ needs. But it would take a lot of stretching to describer a solopreneur think tank.
Another term that DOESN’T make sense for Bredemarket is “engineering.” Now obviously engineering is a good thing, although I’ve seen cases where engineering is overemphasized. But it doesn’t really make sense for my business, in which I make a point of emphasizing my ability to communicate engineering concepts to non-engineers. The same issues apply with the phrase “the code.”
I won’t go into all of my concerns, but there are several “Sage words” in the list that I would never use for Bredemarket, or would use very sparingly.
When someone gives you advice, whether it’s Kaye Putnam or John Bredehoft, you have to judge whether the advice is good for YOU.
Even if you narrow a brand down to one archetype, there are innumerable differences between individuals who align with this archetype. One size does not fit all, and I personally may love the term “experiment” but hate the terms listed above.
Now perhaps I may be wrong in rejecting Putnam’s advice. Perhaps there’s a really, really good reason why I should sprinkle the phrase “think tank” through all of my marketing materials.
But in the end it’s up to the recipient to decide whether or not to follow the advice of the expert. That applies to people giving advice to me, and that also applies to the advice that I give to my clients. (If a client insists on using the phrase “best of breed,” I can’t stop the client from doing so.)
But several of those words and phrases DO seem like good ideas, and I’ll probably make a concerted effort to sprinkle the GOOD words and phrases throughout Bredemarket’s website, social media channels, proposals, and other marketing.
Even though this might require me to re-revise the content creation process that I just revised.
Oh well. It’s good to…experiment with things. After all, Bredemarket is in effect a laboratory in which I like to try solutions out myself before I try to make a case for them with my clients. It’s easier to speak to research-based proven solutions than ones with which I have no experience at all.
Did that paragraph sound sage-like? I got six of the words/phrases into that paragraph!
Oh, and if you’re looking for a Royally Entertaining and Exploring Sage…
Bredemarket offers clients deep experience in content marketing, proposals, and strategy. I can offer expert advice to biometrics firms, since (as noted above) I am a biometric content marketing expert and a biometric proposal writing expert. However, this expert advice can also be provided to other technology firms, and to general business.
You can read here about how my content creation process ensures that the final written content (a) advances your GOAL, (b) communicates your BENEFITS, and (c) speaks to your TARGET AUDIENCE.
If Bredemarket can fill a gap in your company’s needs (NOTE TO SELF: DO NOT MENTION PARSLEY. DO NOT MENTION PARSLEY. DO NOT MENTION PARSLEY.), then feel free to contact me and we can discuss your needs and possible solutions.
Bredemarket 