28thparallel – Bredemarket

Franchisees and BIPA

In other contexts, I have written about the relationship between franchisors and franchisees, which in some respects is similar to the way gig drivers work “with” (not “for”) Uber, Lyft, and the like. In many cases, the products that are advertised by a particular company are not made by that company, but by a franchisee of that company who is entirely separate from the parent company, but who is responsible for doing things the way the parent company wants them done. If you’re a franchisee, you CAN’T…um…”have it your way.”

This Whopper probably wasn’t made by Burger King itself, but by a franchisee of Burger King. By Tokfo – Own work, CC0, https://commons.wikimedia.org/w/index.php?curid=37367904

Speaking of which, here is an example of an article that confuses franchisor and franchisee. The Buzzfeed article, in typical Buzzfeed style, is entitled “This Is What Happened After A Bunch Of Employees At A Burger King Quit.” (Because of malfunctioning air conditioning, a number of employees put in their two weeks’ notice, leaving a “We All Quit” sign as they left.) You have to read ANOTHER article (from NBC) to find this little statement:

“Our franchisee is looking into this situation to ensure this doesn’t happen in the future,” a Burger King spokesperson said.

Yes, the employees’…um…beef wasn’t with Burger King itself (or its Brazilian/Canadian/American parent Restaurant Brands International), but with whoever manages the local franchise.

Well, now this world of franchisors and franchisees has entered the biometric world, according to a post in Greensfelder, a self-described “franchising & distribution law blog.”

Greensfelder’s post starts by explaining to its readers what BIPA is (something you already know if you read MY blog) and how franchisees are affected.

Plaintiffs are suing both franchisors and franchisees. Franchisors are being sued for collecting the information themselves for their own employees and also for the actions of their franchisees on theories of joint and several liability, vicarious liability, agency and alter ego. A recently filed case alleges that a franchisor mandates and controls virtually every aspect of its franchise locations, including the use of certain equipment that collects biometric information to track employees’ time and attendance and to monitor cash register systems for fraud.

This benefits the lawyers, who get to collect double the damages by claiming that both the franchisor and the franchisee are separately liable.

Greensfelder’s takeaway for franchisors:

Franchisors should be careful about mandating franchisee use of biometric procedures and devices without first checking applicable law and also making sure that their own policies and procedures are in compliance with those laws.

I’m not sure who is providing takeaways for franchisees.

Other than the usual advice to read the franchise agreement very, very carefully.

Biometrics IS the financial sector

“Have to update my chart again.”
C. Maxine Most of Acuity Market Intelligence. From https://twitter.com/cmaxmost/status/1418306725510193152

Since I’m treading into financial territory here, I should disclose that Bredemarket has financial relationships with one or more of the companies mentioned in this post. This is not investment advice, do your own due diligence, bla bla bla.

CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=243386

I don’t monitor the market enough to know if this is part of an overall trend, but there has been a lot of biometric and digital identity investment recently. Both Biometric Update and FindBiometrics (and other publications such as FinLedger) have written about some of these recent investments, and IPVM has published its acquisition analysis (for subscribers only). Here’s a partial list of the biometric and/or digital identity companies who have received new funding (via investors, IPO, or acquisitions) recently:

I am not a financial expert (trust me on this), but I suspect that these companies are benefiting from two contradictory factors.

The apparent WANING of the COVID threat suggests better market performance in the future.
Some biometric and digital identity investments are very attractive precisely BECAUSE of the COVID threat, and the resulting attractiveness of remote and touchless technologies.

Of course, markets run in cycles, and it’s hard to predict if this is just the beginning of money flowing to biometrics/digital identity companies, or if all of this will suddenly come to a grinding halt. Remember how hot so-called “fever scanners” were a year ago, until their deficiencies were identified? And remember how Microsoft was prompted to divest from Anyvision not too long ago?

It’s possible that a number of external factors, such as an increase in government bans of facial recognition use, consumer resistance to digital identity, or the entry (or re-entry) of much larger players into the biometrics and/or digital identity markets, could dampen the revenue hopes for these funded companies.

Of course, investors are used to analyzing risk, and in many cases the investments with higher risk can yield the greater rewards.

It’s all just a game.

From https://ipdb.org/machine.cgi?id=1966. Fair use.

You will soon deal with privacy stakeholders (and they won’t care about the GYRO method)

I’ve written about the various stakeholders at government agencies who have an interest in biometrics procurements- not only in this post, but also in a post that is available to Bredemarket Premium subscribers. One of the stakeholders that appeared on my list was this one.

The privacy advocate who needs to ensure that the biometric data complies with state and national privacy laws.

Broken Liberty: Istanbul Archaeology Museum. By © Nevit Dilmen, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=1115936

If you haven’t encountered a privacy advocate in your marketing or proposal efforts…you will.

Utah Gov. Spencer Cox has appointed Christopher Bramwell as the Department of Government Operations’ first privacy officer….As privacy officer, Bramwell will be responsible for surveying and compiling information about state agencies’ privacy practices to discern which poses a risk to individual privacy. He will also work with the personal privacy oversight commission and state privacy officer to provide government privacy practice reports and recommendations.

Obviously this affects companies that work with government agencies on projects such as digital identity platforms. After all, mobile driver’s licenses contain a wealth of personally identifiable information (PII), and a privacy advocate will naturally be concerned about who has access to this PII.

But what about law enforcement? Do subjects in law enforcement databases have privacy rights that need to be respected? After all, law enforcement agencies legally share PII all the time.

From https://www.facebook.com/UplandPolice/photos/pcb.5828261687245780/5828261513912464/

However, there are limitations on what law enforcement agencies can share.

First off, remember that not everyone in a law enforcement database is an arrested individual. For example, agencies may maintain exclusion databases of police officers and crime victims. When biometric evidence is found at a crime scene, agencies may compare the evidence against the exclusion database to ensure that the evidence does not belong to someone who is NOT a suspect. (This can become an issue in DNA mixtures, by the way.)
Second off, even arrested individuals have rights that need to be respected. While arrested individuals lose some privacy rights (for example, prisoners’ cells can be searched and prisoners’ mail can be opened), a privacy advocate should ensure that any system does not deny prisoners protections to which they are entitled.

So expect to see a raised concern about privacy rights when dealing with law enforcement agencies. This concern will vary from jurisdiction to jurisdiction based upon the privacy (and biometric) laws that apply in each jurisdiction, but vendors that do business with government agencies need to stay abreast of privacy issues.

A little more about stakeholders, or actors, or whoever

Whether you’re talking about stakeholders in a government agency, stakeholders at a vendor, or external stakeholders, it’s important to identify all of the relevant stakeholders.

Or whatever you call them. I’ve been using the term “stakeholders” to refer to these people in this post and the prior posts, but there are other common terms that could be used. People who construct use cases refer to “actors.” Marketers will refer to “personas.”

Whatever term you use, it’s important to distinguish between these stakeholders/actors/personas/whatever. They have different motivations and need to be addressed in different ways.

When talking with Bredemarket clients, I often need to distinguish between the various stakeholders, because this can influence my messaging significantly. For example, if a key decision-maker is a privacy officer, and I’m communicating about a fingerprint identification system, I’m not going to waste a lot of time talking about the GYRO method.

My time wouldn’t be wasted effort if I were talking to a forensic examiner, but a privacy advocate just wouldn’t care. They would just sit in silence, internally musing about the chances that a single latent examiner’s “green” determination could somehow expose a private citizen to fraud or doxxing or something.

This is why I work with my clients to make sure that the messaging is appropriate for the stakeholder…and when necessary, the client and I jointly develop multiple messages for multiple stakeholders.

If you need such messaging help, please contact Bredemarket for advice and assistance. I can collaborate with you to ensure that the right messages go to the right stakeholders.

Send me an email at john.bredehoft@bredemarket.com.
Or go to calendly.com/bredemarket to book a meeting with me.
Or go to bredemarket.com/contact/ to use my contact form.

Three recent #DNA stories

By Zephyris – Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=15027555

Over the last few days, I’ve run across three stories that deal with two aspects of DNA collection: familial DNA, and DNA mixtures.

Familial DNA

(This case was mentioned on Forensics and Law in Focus, a recommended read for all sorts of forensic techniques.)

Of all of the biometrics, DNA has a property that the others don’t: the similarity of DNA between family members. Someone finding my child’s fingerprints won’t necessarily be able to find me, and even someone who finds my child’s face won’t necessarily be able to find me.

But 84 year old Raymand Vannieuwenhoven is on trial for a 1976 murder because of DNA similarities in families.

Vannieuwenhoven is accused in the July 9, 1976, murders of a Green Bay couple who was camping at McClintock Park in the Town of Silver Cliff. David Schuldes, 25, and Ellen Matheys, 24, were shot and killed at the campground….
A DNA profile obtained through evidence was already on file with the State Crime Lab, according to previous testimony….
Baldwin explained how a breakthrough came in 2018 when Parabon Nanolabs of Virginia developed new technology to examine DNA evidence, which could provide certain genetic characteristics of possible suspects through DNA….
On Dec. 21, 2018, Parabon contacted Baldwin and informed him that a possible suspect was found through the DNA testing. He said they gave him a Green Bay-area family—the Vannieuwenhovens—that had four sons and four grandsons who possibly could be a match.

The detectives then had to test the relatives and compare their DNA to the crime scene DNA. But not ALL of the relatives: this was solely used as an investigative lead, and there was no point in testing the grandsons for a 1976 murder. Raymand was one of those whose DNA was collected (by having him lick an envelope to seal it), and the probabilities indicated a match.

Obviously this technique has controversy in some quarters, since the family members who originally provided the DNA had no idea that it would be used to arrest (or, in some cases, exonerate) another family member in this way. But the technique is being used.

By the way, Vannieuwenhoven was found guilty, and the 84 year old may be sentenced to life in prison.

DNA mixtures

The other story concerns what can be found when a DNA sample is collected. The DNA sample may contain a lot of things, from a lot of people.

With improvements in DNA testing methods, we don’t need much DNA to make a profile and see perhaps if I am a likely contributor to that sample or if you have contributed — even if you never touched the table directly. That level of DNA profiling is useful for many different types of crimes, but also brings up the issue of relevance. We aren’t explaining how DNA got to a location.

As an example, a single item at a crime scene may include the DNA of the person who committed the crime, the crime victim, an innocent bystander who touched the area in question before the crime was committed, and (if the police officer was careless) the police officer investigating the crime.

Now you have to look at the DNA sample that was collected. With DNA mixtures, this gets tough.

If single-source DNA is like basic arithmetic and a two-person mixture is like algebra, then a complicated mixture is like calculus!

The quotes above are from John Butler of the National Institute of Standards and Technology, who has a concern about how all of the different laboratories interpret DNA mixtures. Ideally, all labs should work together to have a consistent, verifiable way to interpret these mixtures.

We wanted to see if there were established methodologies that worked better than others when tested, and where those limits were being drawn. What we found is that there is not enough publicly available data to enable an external and independent assessment of the degree of reliability of DNA mixture interpretation practices.

NIST, as it does in other areas, seeks to advance the science, and is urging stakeholders to work together to do so.

But wait; there’s more on DNA mixtures!

While NIST has been conducting the work above, the National Institute of Justice have been funding other work.

Michael Marciano, research assistant professor and director for research in the Forensic and National Security Sciences Institute (FNSSI) within the College of Arts and Sciences, and Jonathan Adelman, research assistant professor in FNSSI, have invented a novel hybrid machine learning approach (MLA) to mixture analysis (U.S. patent number 10,957,421). Their method combines the strengths of current computational and expert analysis approaches with those in data mining and artificial intelligence.
Marciano and Adelman received funding from the National Institute of Justice to further develop their idea in 2014. Although this intellectual property has not been fully developed for commercial use, they are pursuing funding to transition the technology. Once this is done, they are hopeful that the new method will be used throughout the law enforcement and criminal justice communities, specifically by forensic DNA scientists and the legal community.

Actually, once the intellectual property has been developed for commercial use, it will NOT be used THROUGHOUT the law enforcement and criminal justice communities. It will be used by PORTIONS of the law enforcement and criminal justice communities, while OTHERS within the community will use commercial products from competitors.

Commercialization of a product actually works AGAINST universal acceptance, except in very limited cases. Take commercialization of fingerprinting products. As Chapter 6 of The Fingerprint Sourcebook details, independent research was performed in four separate countries (France, Japan, the UK, and the US) which, after commercialization, led to three (now two) separate fingerprinting products: NEC’s product from Japanese research, and IDEMIA’s product from separate French (Morpho) and United States (Printrak) research. This initial research, combined with subsequent research that led to additional products, led to an interoperability issue, despite efforts from NIST to advance greater inoperability.

Will NIST have to do the same thing to reconcile competing DNA mixture analysis methods?