Biometric Update reports that Amazon’s Ring products are offering a feature called “Familiar Faces.”
“In September, Amazon revealed a revamped Ring camera lineup featuring two notable AI features, Familiar Faces and Search Party. Familiar Faces uses facial recognition and lets users tag neighbors or friends so future alerts identify them by name rather than generic motion.”
Illinois music lovers, wanna see a concert? Sounds like you may have to surrender your BIPA protections.
Specifically, if the concert venue uses Ticketmaster (who doesn’t?), and if the concert venue captures your biometric data without your consent, you may not have legal recourse.
“These Terms of Use (“Terms”) govern your use of Live Nation and Ticketmaster’s websites and applications…
“The Terms contain an arbitration agreement and class action waiver—along with some limited exceptions—in Section 14, below. Specifically, you and we agree that any dispute or claim relating in any way to the Terms, your use of the Marketplace, or products or services sold, distributed, issued, or serviced by us or through us, will be resolved by binding arbitration, rather than in court…
“By agreeing to arbitration, you and we each waive any right to participate in a class action lawsuit or class action arbitration, except those already filed and currently pending as of August 12, 2025.”
And what about Freja? Well, if the Danish Copyright Act takes effect on March 31, 2026 as expected, Cali John can get into a ton of trouble if he uses the video to create a realistic, digitally generated imitation of Freja. Again, consent is required. Again, there can be monetary penalties if you don’t get that consent.
But there’s another question we have to consider.
The vendor responsibility
Does the videoconference provider bear any responsibility for the violations of Illinois and Danish law?
“5. USE OF SERVICES AND YOUR RESPONSIBILITIES. You may only use the Services pursuant to the terms of this Agreement. You are solely responsible for Your and Your End Users’ use of the Services and shall abide by, and ensure compliance with, all Laws in connection with Your and each End User’s use of the Services, including but not limited to Laws related to recording, intellectual property, privacy and export control. Use of the Services is void where prohibited.”
But such requirements haven’t stopped BIPA lawyers from filing lawsuits against deep-pocketed software vendors. Remember when Facebook settled for $650 million?
So remember what could happen the next time you participate in a multinational, multi-state, or even multi-city videoconference. Hope your AI note taker isn’t capturing screenshots.
Normally these blog posts are addressed to Bredemarket’s PROSPECTS, the vendors who provide solutions that use biometrics or other technology. Such as identity proofing solutions.
But I’ve targeted this post for another audience, the organizations that BUY biometrics and technology solutions such as identity proofing solutions. Who knows? Perhaps they can use Bredemarket’s content-proposal-analysis services also. Later I will explain why you should use Bredemarket, and how you can use Bredemarket.
So if you are with an organization that SELLS identity proofing solutions, you can stop reading now. You don’t want to know what I am about to tell your prospects…or do you?
When you buy an identity proofing solution, you take on many responsibilities. While your vendor may be able to help, the ultimate responsibility remains with you.
Here are some questions you must answer:
What are your business goals for the project? Do you want to confirm 99.9% of all identities? Do you want to reduce fraudulent charges below $10 million? How will you measure this?
What are your technology goals for the project? What is your desired balance between false positives and false negatives? How will you measure this?
How will the project achieve legal compliance? What privacy requirements apply to your end users—even if they live outside your legal jurisdiction? Are you obtaining the required consents? Can you delete end user data upon request? Are you prepared if an Illinois lawyer sues you? Do you like prison food?
A new Government Accountability Office (GAO) audit found the Internal Revenue Service (IRS) has not exercised sufficient oversight of its digital identity-proofing program…
As many of you know, the IRS’ identity proofing vendor is ID.me. The GAO didn’t find any fault with ID.me. And frankly, it couldn’t…because according to the GAO, the IRS’ management of ID.me was found to be deficient.
“IRS was unable to show it had measurable goals and objectives for the program. IRS receives performance data from the vendor but did not show it independently identified outcomes it is seeking. IRS also has not shown documented procedures to routinely evaluate credential service providers’ performance. Without stronger performance reviews, IRS is hindered in its ability to take corrective actions as needed.
“ID.me acknowledges that its identity-proofing process involves the use of artificial intelligence (AI) technologies. However, IRS has not documented these uses in its AI inventory or taken steps to comply with its own AI oversight policies. Doing so would provide greater assurance that taxpayers’ rights are protected and that the technologies are accurate, reliable, effective, and transparent.”
You would think the IRS had a process for this…but apparently it doesn’t.
Dead on arrival (DOA).
But I’m not the IRS!
I’ll grant that you’re not the IRS. But is your identity proofing program management better…or worse?
Do you know what questions to ask?
Let Bredemarket ask you some questions. Perhaps these can help you create relevant external and internal content (I’ve created over 22 types of content), manage an RFP proposal process, or analyze your industry, company, or competitors.
Unlike some clickbait-like article titles, this one from Communications Today succinctly encapsulates the problem up front.
It’s not that the TPRM software is failing to find the red flags. Oh, it finds them!
But the folks at Gartner discovered something:
“A Gartner survey of approximately 900 third-party relationship owners…revealed that while 95% saw a third-party red flag in the past 12 months, only around half of them escalate it to compliance teams.”
Among other things, the relationship owners worry about “the perceived return on investment (ROI) of sharing information.”
And that’s not a software issue. It’s a process issue.
And this is not unique to the cybersecurity world. Let’s look at facial recognition.
Another case in point
I’ve said this over and over, but for U.S. criminal purposes, facial recognition results should ONLY be used as investigative leads.
It doesn’t matter whether they’re automated results, or if they have been reviewed by a trained forensic face examiner.
Facial recognition results should only be used as investigative leads.
Sorry for the repetition, but some people aren’t listening.
But it’s not the facial recognition vendors. Bredemarket has worked with numerous facial recognition vendors over the years, and of those who work with law enforcement, ALL of them have emphatically insisted that their software results should only be used as investigative leads.
And that’s not a software issue. It’s a process issue.
No amount of coding or AI can fix that.
I hope the TPRM folks don’t mind my detour into biometrics, but there’s a good reason for it.
Product marketing for TPRM and facial recognition
Some product marketers, including myself, believe that it’s not enough to educate prospects and customers about your product. You also need to educate them about proper use of the product, including legal and ethical concerns.
If you don’t, your customers will do dumb things in Europe, Illinois, or elsewhere—and blame you when they are caught.
Be a leader in your industry by doing or saying the right thing.
And now here’s a word from our sponsor.
Not the “CPA” guy again…
Bredemarket has openings
There’s a reason why this post specifically focused on cybersecurity and facial recognition.
If you need product marketing assistance with your product, Bredemarket has two openings. One for a cybersecurity client, and one for a facial recognition client.
Because my local Amazon Fresh post is taking off, it’s a good time to revisit the “one” thing Uplanders will encounter when they get there.
I’ve talked about Amazon One palm/vein biometrics several times in the past.
The August 2021 post about Amazon paying $10 for your biometrics, long before World (Worldcoin) did something similar. Hmm…wonder if the $10 deal is still on?
And it’s also available (or soon will be) on TP-Link door locks. But the How-To Geek writer is confused:
“TP-Link says that these palm vein patterns are so unique that they can even tell the difference between identical twins, making them safer than regular fingerprint or facial recognition methods.”
And the TP-Link page for the product has no sales restrictions. Even Illinois residents can buy it. Presumably there’s an ironclad consent agreement with every enrollment to prevent BIPA lawsuits.
He had purchased a feature-rich home security system and received an alarm while he was traveling. That’s all—an alarm, with no context.
“The security company then asked me, ‘Should we dispatch the police?’ At that moment, the reality hit: I was expected to make a decision that could impact my family’s safety, and I had no information to base that decision on. It was a gut-wrenching experience. The very reason I invested in security—peace of mind—had failed me.”
You may remember the May hoopla regarding amendments to Illinois’ Biometric Information Privacy Act (BIPA). These amendments do not eliminate the long-standing law, but lessen its damage to offending companies.
The General Assembly is expected to send the bill to Illinois Governor JB Pritzker within 30 days. Gov. Pritzker will then have 60 days to sign it into law. It will be immediately effective.
While the BIPA amendment has passed the Illinois House and Senate and was sent to the Governor, there is no indication that he has signed the bill into law within the 60-day timeframe.
A proposed class action claims Photomyne, the developer of several photo-editing apps, has violated an Illinois privacy law by collecting, storing and using residents’ facial scans without authorization….
The lawsuit contends that the app developer has breached the BIPA’s clear requirements by failing to notify Illinois users of its biometric data collection practices and inform them how long and for what purpose the information will be stored and used.
In addition, the suit claims the company has unlawfully failed to establish public guidelines that detail its data retention and destruction policies.
If you’re a biometric product marketing expert, or even if you’re not, you’re presumably analyzing the possible effects on your identity/biometric product from the proposed changes to the Biometric Information Privacy Act (BIPA).
As of May 16, the Illinois General Assembly (House and Senate) passed a bill (SB2979) to amend BIPA. It awaits the Governor’s signature.
What is the amendment? Other than defining an “electronic signature,” the main purpose of the bill is to limit damages under BIPA. The new text regarding the “Right of action” codifies the concept of a “single violation.”
(T)he amended law DOES NOT CHANGE “Private Right of Action” so BIPA LIVES!
Companies who violate the strict requirements of BIPA aren’t off the hook. It’s just that the trial lawyers—whoops, I mean the affected consumers make a lot less money.