Category Archives: Uncategorized

California Assembly Bill 5—I mean 2257—and business-to-business exemptions

On Thursday, I attended an Orange County Freelancers Union meeting that focused on California Assembly Bill 5. The presentation was given by Lee Goldberg. I’ve talked about Assembly Bill 5 before, most notably regarding how Proposition 22 affected it, but I definitely learned something from Goldberg’s presentation.

Namely, that it’s technically incorrect to talk about Assembly Bill 5.

Whoops.

That bill was superseded by a subsequent bill, Assembly Bill 2257. It preserves the basic structure of AB5, but tweaks things in various ways. (And of course AB2257 was subsequently tweaked by Proposition 22.)

So henceforth when I’m referring to the bill text, I need to refer to the right bill. The text for AB2257 is here. This was incorporated into the California Labor Code as seen here.

From https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=LAB&division=3.&title=&part=&chapter=2.&article=1.5.

Goldberg briefly alluded to the business-to-business exemption discussed on AB2257. It has a number of points, and for my own education I subsequently took the time to read all the points, just to make sure that Bredemarket complies with the business-to-business exemption.

So let’s look at the business-to-business exemption in California Labor Code [2776]. Warning I am lot a lawyer bla bla bla.

2776.

Section 2775 and the holding in Dynamex do not apply to a bona fide business-to-business contracting relationship, as defined below, under the following conditions:

(a) If an individual acting as a sole proprietor, or a business entity formed as a partnership, limited liability company, limited liability partnership, or corporation (“business service provider”) contracts to provide services to another such business or to a public agency or quasi-public corporation (“contracting business”), the determination of employee or independent contractor status of the business services provider shall be governed by Borello, if the contracting business demonstrates that all of the following criteria are satisfied:

What follows are the 12 points that relate to the business-to-business exemption.

(1) The business service provider is free from the control and direction of the contracting business entity in connection with the performance of the work, both under the contract for the performance of the work and in fact.

So I started to look at each of these 12 points to see whether I thought my independent contracting business Bredemarket was compliant with them, starting with this first point. Those who are familiar with the ABC criteria have already seen a version of this. Perhaps the best way to summarize this is that a Bredemarket client can ask me to do work, but can’t tell me HOW to do the work. In fact, in some cases I tell the client how I am going to do the work.

(2) The business service provider is providing services directly to the contracting business rather than to customers of the contracting business. This subparagraph does not apply if the business service provider’s employees are solely performing the services under the contract under the name of the business service provider and the business service provider regularly contracts with other businesses.

This was another thing that impacted me from hearing Goldberg’s presentation. This was a little unclear in the ABC statement, but is clarified here.

For example, if Bredemarket contracts with a biometrics firm that sells gait recognition software to school districts, I can provide writing services to the firm (even if the firm employs other writers), but I (generally) can’t sell gait recognition software to school districts.

(3) The contract with the business service provider is in writing and specifies the payment amount, including any applicable rate of pay, for services to be performed, as well as the due date of payment for such services.

All of the Bredemarket contracts are in writing.

(4) If the work is performed in a jurisdiction that requires the business service provider to have a business license or business tax registration, the business service provider has the required business license or business tax registration.

Bredemarket has both the required city business license and the appropriate tax registration. (And a filed and published fictitious business name statement.) My city business license has some very specific stipulations, including one stating that my clients cannot come to the place where I work. Revelation: I do not work in the UPS Store that serves as my business address. I work in a room of my own home. As the City of Ontario knows, I work in a specific 25 square foot area in my own home. They have the map and everything.

(5) The business service provider maintains a business location, which may include the business service provider’s residence, that is separate from the business or work location of the contracting business.

See above. None of my clients is located either in my home or in the UPS Store. In fact, none of my clients is within 20 miles of my home or in the UPS Store. (I did try to solicit business from one company with a mailing address at that same location, but I haven’t won that client…yet.)

(6) The business service provider is customarily engaged in an independently established business of the same nature as that involved in the work performed.

See “What I Do.”

(7) The business service provider can contract with other businesses to provide the same or similar services and maintain a clientele without restrictions from the hiring entity.

I contract with multiple businesses without restriction, and in fact once had to refuse business from a potential client because the client’s contract had a non-compete clause which would have effectively put Bredemarket out of business. As anyone with an MBA knows, going out of business is usually not a good thing…although Transformco seems to have a sunny attitude about the continuing demise of Sears and Kmart.

(8) The business service provider advertises and holds itself out to the public as available to provide the same or similar services.

Um…yeah. Website, LinkedIn, Facebook, Google, Anchor, and other places.

(9) Consistent with the nature of the work, the business service provider provides its own tools, vehicles, and equipment to perform the services, not including any proprietary materials that may be necessary to perform the services under the contract.

Done.

In fact, when I started out, another independent contractor insisted to me that I should NOT provide my own tools, and that my clients should provide them. Needless to say, this other independent contractor does not live in California, because that would result in a clear ABC violation.

(10) The business service provider can negotiate its own rates.

Subject to the free market, yes. (Still waiting for that $10,000 per hour client.)

(11) Consistent with the nature of the work, the business service provider can set its own hours and location of work.

Definitely true, since much of my independent contracting work is…independent. If a client has requested a weekly meeting every Thursday morning on a project, I could choose to do all of my work Wednesday night if I so desired. (I don’t.) And I have worked in a variety of locations, including the parking lot of a business in California, and a spare bedroom in Alabama. I’ve known others who travel around and contract in Central America or wherever, but I haven’t done that. Yet.

(12) The business service provider is not performing the type of work for which a license from the Contractors’ State License Board is required, pursuant to Chapter 9 (commencing with Section 7000) of Division 3 of the Business and Professions Code.

My marketing and writing services do not require a license.

So after listening to Lee Goldberg’s presentation and perform some post-presentation research, I feel more confident that Bredemarket isn’t in danger of running afoul of employee classifications.

Hopefully I’m not being overconfident.

The Digital Green Certificate (EU Green Pass), for and against

So I attended the ID4Africa webcast that discussed vaccination certificates, including its discussion of harmonization of the myriad of certificates—a topic that clearly interests me.

If you didn’t already hear this on my recent podcast (microcast?) episode, Pavlina Navratilova of IDEMIA discussed three vaccination certificate standards that affect Europeans. One of these is the Digital Green Certificate, also known as the EU Green Pass.

In this post I’ll explain what the Digital Green Certificate is, why some people think this health measure is essential to the continuance of civilization, and why some people think it destroys civilization as we know it.

Or something like that.

What is the Digital Green Certificate?

First, a clarification. The word “green” in Digital Green Certificate does not refer to saving the whales. It refers to “green means go” in terms of COVID-19. Specifically, a Digital Green Certificate is a digital proof that a person has either

tick iconbeen vaccinated against COVID-19
tick iconreceived a negative test result or 
tick iconrecovered from COVID-19

The certificate will also be available in paper format for us old-school types, but the digital version is what interests me.

The certificate will not be issued by the EU itself, but by entities within each EU country such as health authorities or individual hospitals. The certificate will be in a person’s national language and in English (for those who have forgotten, English is no longer a national language within the European Union due to Brexit).

From https://ec.europa.eu/commission/presscorner/api/files/attachment/868508/Digital%20Green%20Certificate_en.pdf.pdf

Each certificate will contain a QR code to ensure authenticity, and these QR codes will be tracked at the EU level.

Each issuing body (e.g. a hospital, a test centre, a health authority) has its own digital signature key. All of these are stored in a secure database in each country.

The European Commission will build a gateway. Through this gateway, all certificate signatures can be verified across the EU. The personal data encoded in the certificate does not pass through the gateway, as this is not necessary to verify the digital signature. The  Commission will also help Member States to develop a software that authorities can use to check the QR codes.

The idea is that any EU citizen can provide national proof of vaccination, negative test, or recovery from COVID and that this national proof will be accepted in any other EU country, subject to the specific rules of that country.

On the other hand, the EU does not want to restrict freedom of movement within the EU.

The Digital Green Certificate should facilitate free movement inside the EU. It will not be a pre-condition to free movement, which is a fundamental right in the EU.

For more details on the plans for the Digital Green Certificate, see this European Commission page. Work continues to get the Digital Green Certificate up and running, including approval of technical specifications.

Entities supporting the Digital Green Certificate

Like anything COVID-related, there are entities that support the Digital Green Certificate, and entities that oppose it.

One group of entities that supports the Digital Green Certificate is the European airline industry. Because of the adverse economic effects of COVID travel restrictions, the airline industry not only wants Digital Green Certificates, but it wants them in time for the summer travel season. Here’s an excerpt from a statement from Airlines for Europe (A4E):

A4E welcomed today’s decision by the European Parliament to fast-track the European Commission’s Digital Green Certificates proposal using an Urgent Procedure. A positive decision by the European Council later today would set in motion a vote on the certificates by the end of April, facilitating the European Commission’s plan to have the certificates operational by June….

“With vaccination programmes underway, I am even more confident travel will be possible this summer. Airlines are ready to re-connect Europe and support economic recovery. I look forward to working with A4E members and policy leaders on this critical work ahead”, (A4E Chairman John) Lundgren added.

The “get people on flights” message is loud and clear.

And it’s not just the airlines; this initiative is also supported by the World Travel and Tourism Council and European Travel Commission. And the European Tourism Manifesto. And the European Exhibition Industry Alliance.

And (most importantly!) the general concept is supported by Vince, who though he is no longer in the EU (did I mention Brexit?), wrote this back in April:

#vaccinationcertificates The reason we need mandatory #vaccinationcards is because of the #superspreaders who demonstrated yesterday. Banning them from #pubs#football.#holidays#events etc will force #covididiots to adhere to the rules or stay at home. @LBC

And then there is the view of the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS). They support the idea, but with some qualifications:

Andrea Jelinek, Chair of the EDPB, said: “A Digital Green Certificate that is accepted in all Member States can be a major step forward in re-starting travel across the EU. Any measure adopted at national or EU level that involves processing of personal data must respect the general principles of effectiveness, necessity and proportionality. Therefore, the EDPB and the EDPS recommend that any further use of the Digital Green Certificate by the Member States must have an appropriate legal basis in the Member States and all the necessary safeguards must be in place.”

Wojciech Wiewiórowski, EDPS, said: It must be made clear that the Proposal does not allow for – and must not lead to – the creation of any sort of central database of personal data at EU level. In addition, it must be ensured that personal data is not processed any longer than what is strictly necessary and that access to and use of this data is not permitted once the pandemic has ended. I have always stressed that measures taken in the fight against COVID-19 are temporary and it is our duty to ensure that they are not here to stay after the crisis.”

This raises an interesting point that was also raised (after I left) in the ID4Africa webinar: what will happen to the Digital Green Certificate in the long term? The attendees were polled on this question.

From https://twitter.com/ID4AfricaLive/status/1390311486757744646

Obviously the EDPB and EDPS prefer option 3, in which the Digital Green Certificate disappears once the pandemic is over.

Entities opposing the Digital Green Certificate

But not everyone believes that the Digital Green Certificate is a wonderful thing. Take the attitude of the the Dutch section of the International Commission of Jurists (NJCM), as expressed in a liberties.eu post.

As NJCM explains in a letter to the European Parliament, the EU has set up a system and infrastructure for Green Certificates, but only partially regulates the use of these Green Certificates. This leaves it up to member states to make their use mandatory, or to use Green Certificates in many more areas than just border control. Such mandatory use of Green Certificates may limit the freedom of movement, the right to not be discriminated against, the right to privacy, the right to data protection and, indirectly, the right to the integrity of the person (since the ability to travel is made conditional on undergoing testing or vaccination).

While the UK is (as I may have previously mentioned) outside of the EU, that country’s National Museum Directors’ Council has weighed in on the concept of vaccination certificates in general. Unlike airlines that believe that such certificates will encourage travel, the museum directors think these certificates will actually restrain it.

In the UK, where a government consultation on vaccine passports has proved controversial, a coalition of leading museum directors has spoken out against their potential use in museums. Such a scheme “sits at odds with the public mission and values of museums”, the National Museum Directors’ Council said, warning that it would constitute “an inappropriate form of exclusion and discrimination”. 

And, to be truthful, the existence of any type of vaccine certificate allows a distinction between those who are (believed to be) COVID-free and those who are not. You can use the emotionally-charged word “discrimination” or the less-charged “distinction,” but either way you’re dividing people into two groups.

The only way to remove such a distinction is to automatically assume that everyone has COVID. That could close the museums

…but at least everyone will be treated equally without discrimination. So that’s a good thing…I guess…

ID4Africa Livecast, “Vaccination Certificates and Identity Management”

Since I’ve discussed vaccination certificates in the past (most recently here), I thought I should alert you of an event later this week that covers the topic.

Parts 1 & 2 of our trilogy on Vaccination Certificates & Identity Management have set the pace for discussions on policy deliberations and innovative solutions in the development of COVID verifiable credentials. Both events continue to be praised as being our best series yet and… there’s still more to come!

Join your host, Dr. Joseph Atick, for a series finale, tour de force coverage on CV19 credentials where he shifts gears with a league of domain experts in a live collaboration searching for a framework for harmonizing national, regional and international efforts in this domain.

The webinar will take place on Thursday, May 6, from 12:30-14:30 GMT (or 14:30-16:30 CEST). That translates to 5:30 am in my timezone, but it looks like there will be a replay if I oversleep.

If you want to attend live, register here.

Words matter, or the latest from the National Institute of Standards and Technology on problematic security terms

(Alternate title: Why totem pole blackmail is so left field.)

I want to revisit a topic I last addressed in December, in a post entitled “Words matter, or the latest from the Security Industry Association on problematic security terms.”

If you recall, that post mentioned the realization in the technology community that certain long-standing industry terms were no longer acceptable to many technologists. My post cited the Security Industry Association’s recommendations for eliminating language bias, such as replacing the term “slave” (as in master/slave) with the term “secondary” or “responder.” The post also mentions other entities, such as Amazon and Microsoft, who are themselves trying to come up with more inclusive terms.

Now in this particular case, I’m not that bent out of shape over the fact that multiple entities are coming up with multiple standards for inclusive language. (As you know, I feel differently about the plethora of standards for vaccine certificates.) I’ll grant that there might be a bit of confusion when one entity refers to a blocklist, another a block list, and a third a deny list (various replacements for the old term “blacklist”), but the use of different terms won’t necessarily put you on a deny list (or whatever) to enter an airport.

Well, one other party has weighed in on the inclusive language debate – not to set its own standards, but to suggest how its employees should participate in general standards discussions.

That entity is the National Institute of Standards and Technology (NIST). I’ve mentioned NIST before in other contexts. But NIST just announced its contribution to the inclusive language discussion.

Our choice of language — what we say and how we say it — can have unanticipated effects on our audience, potentially conveying messages other than those we intend. In an effort to help writers express ideas in language that is both clear and welcoming to all readers, the National Institute of Standards and Technology (NIST) has released new guidance on effective wording in technical standards.

The point about “unanticipated effects” is an interesting point. Those of us who have been in tech for a while have an understanding of what the term “blacklist” means, but what of the new person who sees the term for the first time?

So, since NIST employees participate in technical standards bodies, it is now publicly sharing its internal guidance as NISTIR 8366, Guidance for NIST Staff on Using Inclusive Language in Documentary Standards. This document is available in PDF form at https://doi.org/10.6028/NIST.IR.8366.

It’s important to note that this document is NOT a standard, and some parts of this “guidance” document aren’t even guidance. For example, section 4.1 begins as follows:

The following is taken from the ‘Inclusive Language’ section of the April 2021 version of the NIST Technical Series Publications Author Instructions. It is not official NIST guidance and will be updated periodically based on user feedback.

The need to periodically update is because any type of guidance regarding inclusive language will change over time. (It will also change according to culture, but since NIST is a United States government agency, its guidance in this particular case is focused on U.S. technologists.)

The major contribution of the NIST guidance is to explain WHY inclusive language is desirable. In addition to noting the “unanticipated effects” of our choice of language, NIST documents five key benefits of inclusive language.

1. avoids false assumptions and permits more precise wording,

2. conveys respect to those who listen or read,

3. maintains neutrality, avoiding unpleasant emotions or connotations brought on by more divisive language (e.g., the term ‘elderly’ may have different connotations based on the age of an employee),

4. removes colloquialisms that are exclusive or usually not well understood by all (e.g., drink the Kool-Aid), and

5. enables all to feel included in the topic discussed.

Let me comment on item 4 above. I don’t know how many people know that the term “drink the Kool-Aid” originated after the Guyana murders of Congressman Dan Ryan and others, and the subsequent mass suicides of People’s Temple members, including leader Jim Jones.

Rev. Jim Jones at an anti-eviction rally Sunday, January 16, 1977 in front of the International Hotel, Kearny and Jackson Streets, San Francisco. By Nancy Wong – Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=91003548

They committed suicide by drinking a cyanide-laced drink which may or may not have been Kool-Aid. The entire history (not for the squeamish) can be found here. But even in 2012, many people didn’t know that history, so why use the colloquialism?

So that’s the guidance. But for those keeping score on specific terms, the current guidance document mentions the a number of suggestions, either from NIST or other entities. I’m going to concentrate on three terms that I haven’t mentioned previously.

  • Change “blackmail” to “extortion.”
  • Change “way out in left field” to “made very inaccurate measurements.” (Not only do some people not understand baseball terminology, but the concepts of “left” and “right” are sometimes inapplicable to the situation that is under discussion.)
  • Change “too low on the primary totem pole” to “low priority.” (This is also concise.)

So these discussions continue, sometimes with controversy, sometimes without. But all technologists should be aware that the discussions are occurring.

The REAL ID deadline has been extended…again

Three days ago, I read a news item on LinkedIn that stated that the REAL ID deadline might be extended.

I reacted.

My response is a one-word response: “AGAIN?”

I admit to a bit of frustration. For years, some states resisted REAL ID because of federalism concerns. (When MorphoTrak was briefly trying to win driver’s license contracts by competing against our sibling MorphoTrust, I remember one state RFP that explicitly stated that the state would NOT comply with the REAL ID mandate.)

Finally, after hemming and hawing, all of the states agreed to become REAL ID compliant (15 years after the original mandate). Then, as people rushed to get REAL IDs, #covid19 hit and the driver’s license offices closed.

The offices are now open, but some people STILL haven’t gotten REAL ID.

Prediction: if the deadline is extended to 2022, significant numbers of people won’t have REAL IDs by 2022.

Well, I will never get the chance to see if my prediction was accurate, because in the end, the REAL ID deadline was NOT extended to 2022.

It was extended to 2023, according to sources. (As I write this, the DHS website has not yet been updated.)

The Department of Homeland Security will delay the requirement for air travelers to have a Real ID-compliant form of identification, pushing it back 19 months, DHS Secretary Alejandro Mayorkas said Tuesday.

The deadline was supposed to be Oct. 1, but it’s now being postponed until May 3, 2023. 

Here’s the rationale that Secretary Mayorkas provided.

“Extending the Real ID full enforcement deadline will give states needed time to reopen their driver’s licensing operations and ensure their residents can obtain a Real ID-compliant license or identification card.”

Of course, since may people object to REAL ID on principle, it could be extended again and again for ANOTHER fifteen-plus years and people STILL won’t get it.

There is a draft proposal (from GIPHT and CDISC) for vaccine certificate interoperability, but will the players pay attention?

I’ve gone on ad nauseum about the plethora of vaccine certificate options that are being developed by public and private entities.

Wouldn’t it be nice if all of these different options were able to talk to each other, so that my existing blue certificate would talk to health systems that require the orange certificate or the red certificate?

Two organizations are pursuing this dream of interoperability.

The Global Information for Public Health Transformation (GIPHT) initiative of the Learning Health Community has collaborated with CDISC to develop a minimum set of key data elements for documenting vaccinations. The goal of the collaboration is to achieve multinational agreement around one global core data standard that will enable the success of vaccine credentialing applications and secure sharing of essential information for uses such as safe travel.

The organizations have published a draft standard for public review. This draft attempts to define the minimum key data elements, and draws upon the work of several different organizations.

The set of common data elements proposed has been based upon recommendations made available by the European eHealth Network as referenced by the European Commission in announcing their plans for a Green Certificate to facilitate travel by Europeans among EU countries. This set of common data elements has also been informed through U.S. CDC. The elements have been aligned with standards from HL7, CDISC and ISO (standards development organizations), where applicable.

Of course, we have to ask the question: why listen to GIPHT and CDISC? Well, these two organizations claim a previous success, as noted in their press release.

“CDISC developed and published a COVID-19 data standard in less than a month by leveraging existing global clinical research standards, including those for vaccinesvirology and Ebola,” stated Rhonda Facile, Vice President of Partnerships and Development, CDISC.

However, there is one significant difference between exchanging COVID-19 data and exchanging vaccine certificate data. The former is an exchange of medical data which is of primary interest to health professionals. The latter has much greater ramifications, since it can potentially affect border crossings, travel in general, and access to facilities such as casinos, sports stadiums, and concert venues.

Is it even possible to develop a vaccine certificate interoperability standard that satisfies the foreign affairs and transportation ministries of multiple countries, the major airlines and airports, the casino operators, the major sports leagues, AND Taylor Swift?

LOS ANGELES – MARCH 14: Guest arrives for the 2019 iHeartRadio Music Awards on March 14, 2019 in Los Angeles, California. (Photo by Glenn Francis/Pacific Pro Digital Photography). By Toglenn (Glenn Francis) – This file has been extracted from another file: Taylor Swift 2 – 2019 by Glenn Francis.jpg, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=81523364

(We know Ms. Swift’s views on facial recognition, but as far as I know she has not expressed her views on vaccine certificates.)

And if it is possible, will all of these parties agree that GIPHT and CDISC are the ones to develop the standard?

Case studies: a win-win

I just found out that Bredemarket will be getting more case study work, which I’m looking forward to because case studies can often be enjoyable.

No, not that type of case! By Michael Kammerer (Rob Gyp) – Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=37604962

While case studies can take a variety of forms, my primary experience with case studies is when a customer explains how a vendor’s solution helped to solve a customer problem. While customers may sometimes want to avoid direct endorsements of a vendor products, a customer can truthfully state how a vendor product helped the customer solve the problem.

If I can use an example that predates my consulting career, I was once involved in a case study in which a law enforcement agency talked about a particular product for law enforcement customers.

  • This type of customer is all too happy to talk about something that keeps the bad people off the streets, since the case study lets the citizens know that the law enforcement agency is taking steps to protect the citizens.
  • And of course the product vendor is all too happy to be associated with this, since it provides a vivid demonstration of how the product works.

A win-win for both customer and vendor, both of whom can look like heroes with the proper case study.

Whenever constructing a case study that features a law enforcement agency or anyone else, it’s important to remember that the vendor’s solution is not the COMPLETE solution to whatever problem is solved in the case study. Again returning to the law enforcement example, the most amazing product gizmo is completely worthless unless a trained person actually applies the gizmo, and knows when to apply the gizmo. And most criminal cases are not solved with a single gizmo, but with multiple gizmos…and a lot of hard work from the law enforcement agency that brings everything together to solve the crime.

Of course, case studies aren’t restricted to law enforcement customers and software products. You can construct a case study out of anything. They can be medical (“Case Study: A Patient with Asthma, Covid-19 Pneumonia and Cytokine Release Syndrome Treated with Corticosteroids and Tocilizumab”), service-related (Direct Travel’s case study of a consumer goods manufacturer), or even relate to adult toys (SEO Design Chicago’s case study for a client who had to overcome advertising challenges due to Google restrictions on sensitive content).

Anyway, I’m looking forward to more case study work…in the biometric, secure document, or technology areas. (I’m not going to cure COVID with novelty items.) In the work I’m about to do, I’ll get to learn about the vendor, and about the vendor’s customer, and how they worked together to solve a particular problem. My part in the process is to help the vendor communicate the story, while emphasizing the benefits that the vendor’s product can provide to customers.

(If you’re interested in understanding benefits, and the difference between benefits and features, take a look at this Hubspot article.)

While brings us to the shameless plug (you knew this was coming after my last post): if you need assistance in coming up with the words for a case study, contact me. I can help with the initial ideas, participate in customer interviews to get information, and draft the words of the case study itself. Bredemarket’s collaborative process ensures that the final written product communicates the client’s desired message. For case studies, this includes mutual agreement on the objective and the outline, and client reviews of the draft iterations of the case study until the final text is delivered.

And even if you don’t use me, business leaders should be thinking about how case studies can help their business, and which of their customers would be willing to participate in a case study…for mutual benefit.

Are you responding to the DHS RFI, “Minimum Standards for Driver’s Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes; Mobile Driver’s Licenses”?

I already posted about this Request for Information (RFI) on LinkedIn and Facebook, but I wanted to highlight the details of the Department of Homeland Security’s recent request (see PDF or text version).

https://www.govinfo.gov/content/pkg/FR-2021-04-19/pdf/2021-07957.pdf

The RFI delves into a number of questions about treating mobile (i.e. smartphone) driver’s licenses as REAL ID-compliant. The RFI itself states:

DHS invites comments on any aspect of this RFI, and welcomes any additional comments and information that would promote an understanding of the broader implications of acceptance of mobile or digital driver’s licenses by Federal agencies for official purposes. This includes comments relating to the economic, privacy, security, environmental, energy, or federalism impacts that might result from a future rulemaking based on input received as a result of this RFI. In addition, DHS includes specific questions in this RFI immediately following the discussion of the relevant issues.

The RFI can be responded to by any member of the general public, although it is expected that the majority of responses will come from mobile driver’s license vendors and various interest groups. And trust me, there is a wide range of interest groups that are interested in this topic, and in the broader topic of REAL ID in general. Federalism itself is a popular topic when discussing REAL ID.

(Although personally, I believe that if the Federal Government is controlling air travel, and if the Federal Government is…obviously…controlling Federal facilities, then the Federal Government can implement rule-making regarding access. Needless to say, since all 50 states and several territories have adopted REAL ID, the decision has been made.)

While respondents can conceivably talk about anything in their responses, DHS (as noted above) has 15 specific questions to which it is seeking information (see section IV beginning on page 20325). Some are general, such as general questions about security, and some are more specific, such as question 4, which specifically focuses on DHS adoption of requirements derived from “Industry Standard ISO/IEC 18013–5: Communication Interfaces Between mDL Device and Federal Agency, and Federal Agency and DMV.”

Responses to the RFI must be submitted by June 18, and are submitted electronically. (Read the Commenter’s Checklist, and note that DHS prefers that respondents address all 15 questions.) I’m sure that a number of companies and organizations are already starting to think about their responses.

Shameless plug: if you need assistance in managing, organizing, writing, or checking your response, contact me. As some of you already know, I have extensive experience in responding to RFIs, RFPs, and similar documents, and have been helping multiple companies with such responses under my Bredemarket consultancy.

Learning from the losses

From my years in proposals, and from my time working to secure contracts for Bredemarket, I’ve had a lot of experience with win/loss situations. Often we compete for things, and we usually either win the things, or lose them.

But sometimes things are a little more complex. Take the example of my first three Bredemarket opportunities. At the time I wasn’t trying to win independent consulting contracts; I was trying to secure full-time employment. I’ve told the story before, but here’s a brief version of the story as a set of win/loss experiences.

CompanyDid I get the job?Did I get a consulting contract?
Company #1No, I wasn’t trying to get a job with this company. The head of the company approached me for consulting work.Yes, I got a consulting contract. (Actually multiple contracts.)
Company #2No, I didn’t get the job. Yes, I got a consulting contract.
Company #3No, I didn’t get the job.No, I didn’t get a consulting contract. (Yet.)
Three companies, no jobs, two consulting contracts. Did I win, or did I lose?

In terms of job offers, I got exactly zero job offers from these three companies. But I did get consulting contracts from two of the companies. So as a true marketing professional, I will officially declare a 67% win rate, unless I want to round it up even further and declare a 70% win rate.

But throughout my experiences, I’ve found that I’ve learned a lot from the losses. I’ve told a number of stories in this regard, but today I’m going to share a story that I haven’t shared publicly until now. So gather round while I tell my story. (No pranking.)

Photograph of sculpture “The Storyteller”, featuring Ken Kesey, in Eugene, Oregon. By Original work: Pete HelzerDepiction: Jonesey95 – own work, CC BY-SA 4.0, https://en.wikipedia.org/w/index.php?curid=48410264

Once I was competing for an opportunity to market two products for a firm. The two products competed in markets that were outside my identity (biometrics / secure documents) comfort zone, so I had to do some cramming to learn about the products and their markets. As I crammed, I discovered three “opportunities to excel,” or what some people refer to as “challenges.” Or “land mines.”

  1. Who? First, the two products had come to the firm by way of acquisitions, so the market was confused about not only the names of the products, but the name of the company that was now offering the products. Market confusion is never good.
  2. Um…who? Second, if you looked at the markets for these two products, this firm’s offerings weren’t widely known to some people. In my competitive research, I was checking a lot of sites that listed leading players in the two markets, and this firm’s offerings weren’t always listed. Market apathy is never good.
  3. What? Third, the markets themselves were somewhat complex and ill-defined. The markets had a number of sub-markets, and some competitor products would concentrate on some sub-markets, while others would concentrate on others. It was cumbersome to compare these two products and evaluate the competitors and sort-of competitors. Market complexity is never good.

Anyway, despite my cramming sessions on these two products and their respective markets, I did not win the opportunity to market these two products for the firm. Someone else got that opportunity. (I never even got to show off my cramming knowledge, which is probably just as well.)

So now I can sit back and watch how the winner will take advantage of these opportunities to excel. Since the firm now has someone who can market these two products, I expect that we will all hear more about them soon.

But what did I personally learn from this experience?

  1. First, I learned that it’s possible to extrapolate from your own experience to analyze new opportunities. (Actually, I already knew that, but it was good to have a reminder.)
  2. Second, I learned a lot about these two markets, these two products, and their competitors. I won’t share this here, but maybe I’ll have an opportunity to share it some day. (If I can remember the results of my cramming exercises.)
  3. Third, I was reminded (yet again) that a loss can sometimes be a win. After all, I got a blog post out of the experience.

POSTSCRIPT

Fourth…as I was trying to find a good illustration for “cramming” for this post (as you can see, I didn’t), I discovered an alternate term for cramming: swotting.

Marketers know that the acronym SWOT can also refer to Strengths, Weaknesses, Opportunities, Threats.

By Syassine – Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=31368987

SWOT analysis is a technique to size up a product, a market, or a company.

Ironically, I didn’t perform any SWOTting while I was swotting.

How many vaccine certificates (not health passports) will citizens in Africa and elsewhere need to do anything?

This is a follow-up to my April 9 post, with a slight correction. I need to stop using the term “health passport,” and should instead use the term “vaccine certificate.” So starting now I’m doing that. Although I still think passports are cool, even if vaccine certificates aren’t passports.

An Ottoman passport (passavant) issued to Russian subject dated July 24, 1900. By FurkanYalcin3 – Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=27699398

It’s also a follow-up to my February 16 post, which noted that there are a whole bunch of health pa- I mean vaccine certificates that are being marketed by various companies and organizations.

In addition to Clear’s Health Pass, there are a myriad of other options, including AOKpassCommonPass, IATA Travel Pass, IBM Digital Health Pass, the Mvine-iProov solutionScan2Fly from AirAsia, VaccineGuard from Guardtime, VeriFLY from Daon, the Vaccination Credential Initiative, and probably some others that I missed.

Obviously it takes a while to solve such issues, so you can’t expect that all of this would be resolved by April.

And you’re right.

As Chris Burt of FindBiometrics recently noted, the whole vaccine certificate issue was recently discussed by a panel at an ID4Africa webinar. Now even if you haven’t heard of the organization ID4Africa, you can reasonably conclude that the organization is in favor of…IDs for Africa.

And even they are a bit skittish about vaccine passports, at least for now.

Questions around how these digital health certificates should work, where and whether they should be used, and what can be done to mitigate the risks associated with them remain, and were explored by an international panel of experts representing major global organizations convened by ID4Africa. They found that too much remains unknown to inform final decisions…

The panel warned against rushing headlong into adoption of vaccine certificates without a better understanding of what they were, how they would work, and how individual information would be protected. And there are major questions all over the “how they would work” question, including the long-standing question of how vaccine certificates would be interoperable.

It quickly emerged that while several groups represented are working on similar projects, there are some key differences in goals.

The WHO is building specification which are intended to create digital records not for crossing borders or proving health status to any third party, but merely for continuity of care. Its working group also includes ICAO, IATA, and ISO, each of which have their own applications in mind for digital health credentials.

See the list above.

And even if you just look at the WHO’s project, it’s still not finalized. The present timeframe calls for a version 1.0 of its specification by the end of June, but timelines sometimes slip.

Chris Burt details many other issues in his article, but for purposes of my post, it’s relevant to say that it will be months if not years before we will see any sort of interoperability between vaccine certificates.