If you’re not a LinkedIn connection you missed this. Here’s something I wrote on the one year anniversary of losing my job.
Here’s the Story…
Tag Archives: biometric product marketing expert
What is Your Biometric Firm’s BIPA Product Marketing Story?
(Part of the biometric product marketing expert series)
If your biometric firm conducts business in the United States, then your biometric firm probably conducts business in Illinois.
Your firm and your customers are impacted by Illinois’ Biometric Information Privacy Act, or BIPA.
Including requirements for consumer consent for use of biometrics.
And heavy fines (currently VERY heavy fines) if you don’t obtain that consent.
What is your firm telling your customers about BIPA?
Bredemarket has mentioned BIPA several times in the Bredemarket blog.
- (5/17/2024) BIPA Remains a Four-Letter Word.
- (8/2/2023) Five Topics a Biometric Content Marketing Expert Needs to Understand.
- (7/1/2021) Is your home your castle when you use consumer doorbell facial recognition?
- (1/22/2021) Will the Kami Doorbell Camera sell in Illinois?
But what has YOUR firm said about BIPA?
And if your firm has said nothing about BIPA, why not?
Perhaps the biometric product marketing expert can ensure that your product is marketed properly in Illlinois.
Contact Bredemarket before it’s too late.
Positioning, Messaging, and Your Facial Recognition Product Marketing
(Part of the biometric product marketing expert series)
When marketing your facial recognition product (or any product), you need to pay attention to your positioning and messaging. This includes developing the answers to why, how, and what questions. But your positioning and your resulting messaging are deeply influenced by the characteristics of your product.
If facial recognition is your only modality
There are hundreds of facial recognition products on the market that are used for identity verification, authentication, crime solving (but ONLY as an investigative lead), and other purposes.
Some of these solutions ONLY use face as a biometric modality. Others use additional biometric modalities.
Your positioning depends upon whether your solution only uses face, or uses other factors such as voice.
- If your solution is only a face solution and does not include voice, your company will spend a lot of time trashing voice biometrics because of the demonstrated spoofs against voices.
- Similarly, a face-only company will argue that facial recognition is a very fast, very secure, and completely frictionless method of verification and authentication. When opponents bring up the demonstrated spoofs against faces, you will argue that your iBeta-conformant presentation attack detection methodology guards against such spoofing attempts.
- On the other hand, a company that uses multiple biometric modalities will argue that ANY single biometric modality can be spoofed, but that it is much, much harder to spoof multiple biometric modalities at once.
Of course, if you initially only offer a face solution and then offer a second biometric, you’ll have to rewrite all your material. “You know how we said that face is great? Well, face and gait are even greater!”
If biometrics is your only factor
It’s no secret that I am NOT a fan of the “passwords are dead” movement.
It seems that many of the people that are waiting the long-delayed death of the password think that biometrics is the magic solution that will completely replace passwords.
For this reason, your company might have decided to use biometrics as your sole factor of identity verification and authentication.
Or perhaps your company took a different approach, and believes that multiple factors—perhaps all five factors—are required to truly verify and/or authenticate an individual. Use some combination of biometrics, secure documents such as driver’s licenses, geolocation, “something you do” such as a particular swiping pattern, and even (horrors!) knowledge-based authentication such as passwords or PINs.
This naturally shapes your positioning and messaging.
- The single factor companies will argue that their approach is very fast, very secure, and completely frictionless. (Sound familiar?) No need to drag out your passport or your key fob, or to turn off your VPN to accurately indicate your location. Biometrics does it all!
- The multiple factor companies will argue that ANY single factor can be spoofed, but that it is much, much harder to spoof multiple factors at once. (Sound familiar?)
So position yourself however you need to position yourself. Again, be prepared to change if your single factor solution adopts a second factor.
A final thought
Every company has its own way of approaching a problem, and your company is no different. As you prepare to market your products, survey your product, your customers, and your prospects and choose the correct positioning (and messaging) for your own circumstances.
And if you need help with biometric positioning and messaging, feel free to contact the biometric product marketing expert, John E. Bredehoft. (Full-time employment opportunities via LinkedIn, consulting opportunities via Bredemarket.)
In the meantime, take care of yourself, and each other.
A 20-Minute Peek Behind LinkedIn Recruiter
Of all the technologies I don’t know about, jobseeker technology is the most important. Between July 2000 and today, I’ve spent over 30 months searching for full-time employment. So it helps to know how employers search for potential employees.
And a lot of those 30-plus months have been filled with self-styled experts advising people “how to beat the applicant tracking system (ATS)” (as if there were only one) and “how to access the hidden job market” (because of course employers don’t want anyone to know that they’re searching for talent).
So when Melanie Woods of CGL Recruiting offered 20 jobseekers the chance to see how their LinkedIn Profile appears to users of LinkedIn Recruiter, I really wanted to win one of those 20 slots.
I won a slot, and in our 20-minute session Melanie Woods imparted a great deal of knowledge, including the 7 LinkedIn Recruiter tips highlighted at the end of this post.
If I could boil all 7 tips down to 1, I’d emphasize that recruiters have limited time, and something a recruiter can understand in 0 seconds is much better than something that would take a recruiter 5 seconds to understand.
Melanie’s offer…and what she wanted in return
A few days ago, I ran across Melanie’s post that described her offer. It opened as follows:
Instead of spending money on advertising, my team is going to be taking a different approach and it involves YOU #jobseekers!
Sounds like a plan, since a word-of-mouth testimonial converts more effectively than copy written by a marketing hack. (But what if the testimonial is FROM a marketing hack?)
The offer
She then described the offer.
We are going to be offering 20 free 20 minute sessions to job seekers who are currently out of work. During your session I will pull you up live in LinkedIn Recruiter and test your profile to show you where you are coming up in searches and where you are falling out. I will help you adjust your profile so you can appear in more searches for the jobs you are targeting.
What is LinkedIn Recruiter?
As you can probably guess, LinkedIn Recruiter is the premium-priced service that recruiters use to search LinkedIn for job candidates. The top-tier package (“contact Sales” for the price) includes:
- Unlimited LinkedIn network access: Find and engage anyone on LinkedIn
- 150 InMail messages/month per license and bulk messaging
- 40+ advanced search filters, including “Open to work” and “More likely to respond”
- Multi-user collaboration tools
- Prepaid slots to rotate job postings in and out as needed
A comparison of all of LinkedIn’s talent solutions is provided here.
If your company is recruiting more than 4 positions a year, the high-end version of LinkedIn Recruiter could be the tool for you.
But when recruiters use LinkedIn Recruiter, they don’t look at a candidate’s LinkedIn profile—they look at the LinkedIn Recruiter view of the candidate’s profile, optimized for their purposes.
Hence Melanie was offering job applicants the opportunity to see how their profile appears to a recruiter. Valuable information to have.
What CGL Recruiting wanted in return
But remember that the lucky winners had to provide “advertising” to CGL Recruiting in return.
Here is where the advertising piece comes in….if you feel that the 20 minutes was helpful to you and your job search, we would appreciate you doing a review of our services on LinkedIn and one other social media platform (your choice), sharing how the time spent was useful to you and your job search.
After I indicated my interest, and after Dee Daniel provided a boost to my application, I was one of the lucky 40 winners. (Yes, they increased the number of winners due to high demand.)
Melanie’s top 7 LinkedIn Recruiter tips
Melanie and I met via Zoom early Monday afternoon Pacific Time (late afternoon Central Time), and I received a firehose of information during the 20-minute session. I’m not going to cover ALL the information she provided; instead, I’ll confine myself to the top 7 tips.
- The first job on the LinkedIn profile is the most important.
- Use all 5 “job title” slots.
- Some employers AREN’T 1st and 2nd degree connections.
- You can have 6 on-site job locations, not just 5.
- Consider listing at least one college-related date.
- Ampersands are bad.
- Temperamental writers shouldn’t fall in love with pet phrases.
Tip 1: The first job on the LinkedIn profile is the most important
For my job search for a Senior Product Marketing Manager role, my Incode position is (maybe) more important than my current Bredemarket position. On my resume, I take care of this by listing Incode BEFORE Bredemarket. But because LinkedIn profiles are chronological, and Bredemarket is my current “employer,” I can’t reorder like that.
The LinkedIn Recruiter view of the profile doesn’t show all the positions, but only the top 3. And the first position takes great prominence.
In the default view, the recruiter can’t see my fourth position (Strategic/Product Marketing Manager from 2015 to 2017), but only the first three. And only one of those three positions is product marketing-related.
Melanie zeroed in on my “Sole Proprietor” position, which tells a recruiter nothing about what I actually DO at Bredemarket. Sure the recruiter could click through and read about the marketing and writing services that Bredemarket provides…but recruiters have limited time.
I thought about her advice after the call, and for LinkedIn (and resume) purposes I’m changing my Bredemarket job title to “Product Marketing Consultant.” My work for my clients is all product/service-related, so the job title makes sense.
Now recruiters will see that two of my three most recent positions were product marketing-related, which makes me more attractive to the one position that I’m targeting.
One position? Wait a minute…
Tip 2: Use all 5 “job title” slots
That’s right. In my “job preferences,” my only listed job title was “Senior Product Marketing Manager.”
I can list up to 5.
Why not use all 5?
So now my job titles include the following:
- Senior Product Marketing Manager
- Product Marketing Manager
- Marketing Content Manager
- Global Product Marketing Manager
- Product Marketing Consultant
So I have the position title from Incode, the consulting title from Bredemarket, two product marketing title variants, and a content marketing title for good measure (Bredemarket readers know why).
Now some people question why I’d list all these similar titles, since anyone who takes a few seconds can figure out that I’d be interested in a global product marketing manager position or whatever.
That’s the problem. Recruiters DON’T HAVE a few seconds. When hundreds or thousands of people apply for positions, recruiters need to get through the profiles as quickly as possible.
So Melanie wanted me to make her job easier.
Tip 3: Some employers AREN’T 1st and 2nd degree connections
You can control the visibility of your email address and your phone number on LinkedIn. While I don’t list a phone number on my LinkedIn profile, I do make my jobseeking email address (which is separate from my Bredemarket email address) visible. In fact, I configured my email address visibility for viewing by my 1st degree and 2nd degree connections.
But there was a fallacy in that tactic.
It became obvious in the session because Melanie (not a connection since her LinkedIn connections are maxed out) could NOT see my email address. Therefore, if recruiter Melanie wanted to contact me, she could ONLY contact me via InMail.
If you want ANY potential recruiter to see your email, increase its visibility to all connections. Obviously there are risks to this, so you need to judge what visibility is right for you. (Especially for phone numbers.)
Tip 4: You can have 6 on-site job locations, not just 5
While all of Bredemarket’s work is remote, and my previous work at Incode was remote, I’m not averse to on-site work. As long as it’s within driving distance.
To help local companies, I listed a selected five cities (the maximum) where I am available for on-site work:
- Ontario, California, United States
- San Bernardino, California, United States
- Covina, California, United States
- Pasadena, California, United States
- Anaheim, California, United States
But Melanie pointed out that I didn’t need to list Ontario, since my profile already states that I live in Ontario. That freed up one slot to add another city. I chose to list Riverside, although I could have listed Brea or Fullerton or Industry or Pomona or Corona or many other cities. (LinkedIn, your on-site locations feature needs work.)
Tip 5: Consider listing at least one college-related date
Now let’s get into age discrimination talk.
If a company desires to discriminate against job applicants due to age, one effective way to do so is to look at the dates the applicants attended college. It’s pretty easy to quietly filter out the geezer applicants with no one the wiser.
Well, maybe.
For this reason I didn’t bother to add my college attendance dates to my LinkedIn profile. Why give the discriminating (in a negative way, not a positive way) firm the ammo they need to get the young, cheap workers they really want? (Of course those workers are inexperienced, but that’s another topic entirely.)
But Melanie pointed out one truth about companies that want to discriminate: if they don’t discriminate against you when they read your LinkedIn profile or resume, they can easily discriminate against you when they SEE you.
Oh, and there’s one more thing: if recruiters search for candidates based upon their graduation dates, profiles without graduation dates will never been seen by recruiters.
So I mulled over her advice.
- I decided not to list the date that I started attending Cal State Fullerton’s MBA program.
- And I decided not to list the date I graduated from Reed College.
- I certainly didn’t list the date I started attending Reed College. (But I will confess that this song blasted from the Old Dorm Block. And I’ll also confess that I could lose the last 4 1/2 minutes.)
But I did pencil in my 1991 graduation date from Cal State Fullerton’s MBA program. Since my LinkedIn profile includes ALL my biometric positions going back to 1994, this isn’t a shocking revelation.
Tip 6: Ampersands are bad
LinkedIn profiles can include skills. I’ve listed near the limit of 50 skills, some of which are tied to particular positions, LinkedIn Learning courses, and other education and certifications.
Among many others, two of my listed skills are “identity & access management” and “sales & marketing management.”
Technology experts immediately see where this is going. So why didn’t I?
Melanie immediately noted that the ampersand character in those two skill descriptions can wreak havoc with some computerized systems.
I swapped out those skills for some new ones: identity and access management, and sales and marketing management, removing the problem.
Tip 7: Temperamental writers shouldn’t fall in love with pet phrases
Melanie’s biggest concern about my LinkedIn profile involved the very first sentence.
The one that appears below my profile, name, and preferred pronouns, but above my city of residence.
Senior Product Marketing Manager in identity/technology who is expert in describing why customers benefit.
She read that sentence word for word.
- “Senior Product Marketing Manager”? She liked that.
- “In identity/technology”? I guess she liked that; at least she didn’t comment on it.
- The rest of the sentence? Not so much.
Regular Bredemarket readers are familiar with the last three words of that sentence, and realize that every one of those three words is critically important. Why rather than what, customers rather than producers, and benefits rather than features. I’ve devoted a post (plus another post) to those three words. If I only had a few seconds to explain the importance of those three words…
Um, yet again, recruiters aren’t interested in taking a few minutes to read everything I have written about Simon Sinek’s Golden Circle, customer focus, or benefits. They don’t even want to watch a short reel on the topic.
So I have to rewrite the last part of that first sentence. As I write this post, I’m still mulling over alternatives.
CGL Recruiting’s expertise was highly beneficial
The 7 items above were just some of the tips that Melanie Woods imparted to me, all in the space of 20 minutes.
Again, the common theme is that recruiters have limited time, LinkedIn Recruiter lets them maximize that limited time, and jobseeker data also has to let recruiters maximize that limited time. If you can do something in 0 seconds, don’t take 5 seconds to do it.
I haven’t even explored some of the other features that CGL Recruiting offers, including Melanie Woods’ YouTube channel.
But the 20 minutes I spent with her were certainly valuable.
Now I just have to figure out another way to say “why customers benefit.”
When Rapid DNA Isn’t
(Part of the biometric product marketing expert series)
Have you heard of rapid DNA?
Perhaps not as fast as Brazilian race car driver Antonella Bassani, but fast enough.
This post discusses the pros and cons of rapid DNA, specifically in the MV Conception post mortem investigation.
DNA…and fingerprints
I’ve worked with rapid DNA since I was in Proposals at MorphoTrak, when our corporate parent Safran had an agreement with IntegenX (now part of Thermo Fisher Scientific). Rapid DNA, when suitable for use, can process a DNA sample in 90 minutes or less, providing a quick way to process DNA in both criminal and non-criminal cases.
But as I explain below, sometimes rapid DNA isn’t so rapid. In those cases, investigators have to turn to boring biometric technologies such as fingerprints instead. Fingerprints are a much older identification modality, but they still work.
DNA, fingerprints…and dental records
Bredemarket recently purchased access to a Journal of Forensic Sciences article entitled “Advances in postmortem fingerprinting: Applications in disaster victim identification” (https://doi.org/10.1111/1556-4029.15513) by Bryan T. Johnson MSFS of the Federal Bureau of Investigation Laboratory in Quantico. The abstract (which is NOT behind the paywall) states the following, in part:
In disaster victim identification (DVI), fingerprints, DNA, and dental examinations are the three primary methods of identification….As DNA technology continues to evolve, RAPID DNA may now identify a profile within 90 min if the remains are not degraded or comingled. When there are true unknowns, however, there is usually no DNA, dental, or medical records to retrieve for a comparison without a tentative identity.
In the body of the paper itself (which IS behind the paywall), Johnson cites one example in which use of rapid DNA would have DELAYED the process.
DVI depends upon comparison of a DNA sample from a victim with a previous DNA sample taken from the victim. If this is not available, then the victim’s DNA is compared against the DNA of a family member.
Identifying foreign nationals aboard the MV Conception
When the MV Conception boat caught fire and sank in September 2019, 34 people lost their lives and had to be positively identified.
While most of the MV Conception victims were California residents, some victims were from Singapore and India. It would take weeks to collect and transport the DNA samples from the victims’ family members back to the United States for comparison against the DNA samples from the victims. Weeks of uncertainty during which family members had no confirmation that their relatives were among the deceased.
However, because the foreign victims were visitors to the United States, they had fingerprints on file with the Department of Homeland Security. Interagency agreements allowed the investigating agencies to access the DHS fingerprints and compare them against the fingerprints of the foreign victims, providing tentative identifications within three days. (Fingerprint identification is a 100+ year old method, but it works!) These tentative identifications were subsequently confirmed when the familial DNA samples arrived.
What does this mean?
The message here is NOT that “fingerprints rule, DNA drools.” In some cases the investigators could not retrieve fingerprints from the bodies and HAD to use rapid DNA.
The message here is that when identifying people, you should use ANY biometric (or non-biometric) modality that is available: fingerprints, DNA, dental records, driver’s licenses, Radio Shack Battery Club card, or anything else that provides an investigative lead or a positive identification.
And ideally, you should use more than one factor of authentication.
And now a word from our sponsor
By the way, if you have a biometric story to tell, Bredemarket can help…um…drive results. Perhaps not as fast as Bassani, but fast enough.
Authenticator Assurance Levels (AALs) and Digital Identity
(Part of the biometric product marketing expert series)
Back in December 2020, I dove into identity assurance levels (IALs) and digital identity, subsequently specifying the difference between identity assurance levels 2 and 3. These IALs are defined in section 4 of NIST Special Publication 800-63A, Digital Identity Guidelines, Enrollment and Identity Proofing Requirements.
It’s past time for me to move ahead to authenticator assurance levels (AALs).
Where are authenticator assurance levels defined?
Authenticator assurance levels are defined in section 4 of NIST Special Publication 800-63B, Digital Identity Guidelines, Authentication and Lifecycle Management. As with IALs, the AALs progress to higher levels of assurance.
- AAL1 (some confidence). AAL1, in the words of NIST, “provides some assurance.” Single-factor authentication is OK, but multi-factor authentication can be used also. All sorts of authentication methods, including knowledge-based authentication, satisfy the requirements of AAL1. In short, AAL1 isn’t exactly a “nothingburger” as I characterized IAL1, but AAL1 doesn’t provide a ton of assurance.
- AAL2 (high confidence). AAL2 increases the assurance by requiring “two distinct authentication factors,” not just one. There are specific requirements regarding the authentication factors you can use. And the security must conform to the “moderate” security level, such as the moderate security level in FedRAMP. So AAL2 is satisfactory for a lot of organizations…but not all of them.
- AAL3 (very high confidence). AAL3 is the highest authenticator assurance level. It “is based on proof of possession of a key through a cryptographic protocol.” Of course, two distinct authentication factors are required, including “a hardware-based authenticator and an authenticator that provides verifier impersonation resistance — the same device MAY fulfill both these requirements.”
This is of course a very high overview, and there are a lot of…um…minutiae that go into each of these definitions. If you’re interested in that further detail, please read section 4 of NIST Special Publication 800-63B for yourself.
Which authenticator assurance level should you use?
NIST has provided a handy dandy AAL decision flowchart in section 6.2 of NIST Special Publication 800-63-3, similar to the IAL decision flowchart in section 6.1 that I reproduced earlier. If you go through the flowchart, you can decide whether you need AAL1, AAL2, or the very high AAL3.
One of the key questions is the question flagged as 2, “Are you making personal data accessible?” The answer to this question in the flowchart moves you between AAL2 (if personal data is made accessible) and AAL1 (if it isn’t).
So what?
Do the different authenticator assurance levels provide any true benefits, or are they just items in a government agency’s technical check-off list?
Perhaps the better question to ask is this: what happens if the WRONG person obtains access to the data?
- Could the fraudster cause financial loss to a government agency?
- Threaten personal safety?
- Commit civil or criminal violations?
- Or, most frightening to agency heads who could be fired at any time, could the fraudster damage an agency’s reputation?
If some or all of these are true, then a high authenticator assurance level is VERY beneficial.
Reasonable Minds Vehemently Disagree On Three Biometric Implementation Choices
(Part of the biometric product marketing expert series)
There are a LOT of biometric companies out there.
With over 100 firms in the biometric industry, their offerings are going to naturally differ—even if all the firms are TRYING to copy each other and offer “me too” solutions.
I’ve worked for over a dozen biometric firms as an employee or independent contractor, and I’ve analyzed over 80 biometric firms in competitive intelligence exercises, so I’m well aware of the vast implementation differences between the biometric offerings.
Some of the implementation differences provoke vehement disagreements between biometric firms regarding which choice is correct. Yes, we FIGHT.
Let’s look at three (out of many) of these implementation differences and see how they affect YOUR company’s content marketing efforts—whether you’re engaging in identity blog post writing, or some other content marketing activity.
The three biometric implementation choices
Firms that develop biometric solutions make (or should make) the following choices when implementing their solutions.
- Presentation attack detection. Assuming the solution incorporates presentation attack detection (liveness detection), or a way of detecting whether the presented biometric is real or a spoof, the firm must decide whether to use active or passive liveness detection.
- Age assurance. When choosing age assurance solutions that determine whether a person is old enough to access a product or service, the firm must decide whether or not age estimation is acceptable.
- Biometric modality. Finally, the firm must choose which biometric modalities to support. While there are a number of modality wars involving all the biometric modalities, this post is going to limit itself to the question of whether or not voice biometrics are acceptable.
I will address each of these questions in turn, highlighting the pros and cons of each implementation choice. After that, we’ll see how this affects your firm’s content marketing.
Choice 1: Active or passive liveness detection?
Back in June 2023 I defined what a “presentation attack” is.
(I)nstead of capturing a true biometric from a person, the biometric sensor is fooled into capturing a fake biometric: an artificial finger, a face with a mask on it, or a face on a video screen (rather than a face of a live person).
This tomfoolery is called a “presentation attack” (becuase you’re attacking security with a fake presentation).
Then I talked about standards and testing.
But the standards folks have developed ISO/IEC 30107-3:2023, Information technology — Biometric presentation attack detection — Part 3: Testing and reporting.
And an organization called iBeta is one of the testing facilities authorized to test in accordance with the standard and to determine whether a biometric reader can detect the “liveness” of a biometric sample.
(Friends, I’m not going to get into passive liveness and active liveness. That’s best saved for another day.)
Well…that day is today.
A balanced assessment
Now I could cite a firm using active liveness detection to say why it’s great, or I could cite a firm using passive liveness detection to say why it’s great. But perhaps the most balanced assessment comes from facia, which offers both types of liveness detection. How does facia define the two types of liveness detection?
Active liveness detection, as the name suggests, requires some sort of activity from the user. If a system is unable to detect liveness, it will ask the user to perform some specific actions such as nodding, blinking or any other facial movement. This allows the system to detect natural movements and separate it from a system trying to mimic a human being….
Passive liveness detection operates discreetly in the background, requiring no explicit action from the user. The system’s artificial intelligence continuously analyses facial movements, depth, texture, and other biometric indicators to detect an individual’s liveness.
Pros and cons
Briefly, the pros and cons of the two methods are as follows:
- While active liveness detection offers robust protection, requires clear consent, and acts as a deterrent, it is hard to use, complex, and slow.
- Passive liveness detection offers an enhanced user experience via ease of use and speed and is easier to integrate with other solutions, but it incorporates privacy concerns (passive liveness detection can be implemented without the user’s knowledge) and may not be used in high-risk situations.
So in truth the choice is up to each firm. I’ve worked with firms that used both liveness detection methods, and while I’ve spent most of my time with passive implementations, the active ones can work also.
A perfect wishy-washy statement that will get BOTH sides angry at me. (Except perhaps for companies like facia that use both.)
Choice 2: Age estimation, or no age estimation?
There are a lot of applications for age assurance, or knowing how old a person is. These include smoking tobacco or marijuana, buying firearms, driving a car, drinking alcohol, gambling, viewing adult content, using social media, or buying garden implements.
If you need to know a person’s age, you can ask them. Because people never lie.
Well, maybe they do. There are two better age assurance methods:
- Age verification, where you obtain a person’s government-issued identity document with a confirmed birthdate, confirm that the identity document truly belongs to the person, and then simply check the date of birth on the identity document and determine whether the person is old enough to access the product or service.
- Age estimation, where you don’t use a government-issued identity document and instead examine the face and estimate the person’s age.
I changed my mind on age estimation
I’ve gone back and forth on this. As I previously mentioned, my employment history includes time with a firm produces driver’s licenses for the majority of U.S. states. And back when that firm was providing my paycheck, I was financially incentivized to champion age verification based upon the driver’s licenses that my company (or occasionally some inferior company) produced.
But as age assurance applications moved into other areas such as social media use, a problem occurred since 13 year olds usually don’t have government IDs. A few of them may have passports or other government IDs, but none of them have driver’s licenses.
Pros and cons
But does age estimation work? I’m not sure if ANYONE has posted a non-biased view, so I’ll try to do so myself.
- The pros of age estimation include its applicability to all ages including young people, its protection of privacy since it requires no information about the individual identity, and its ease of use since you don’t have to dig for your physical driver’s license or your mobile driver’s license—your face is already there.
- The huge con of age estimation is that it is by definition an estimate. If I show a bartender my driver’s license before buying a beer, they will know whether I am 20 years and 364 days old and ineligible to purchase alcohol, or whether I am 21 years and 0 days old and eligible. Estimates aren’t that precise.
How precise is age estimation? We’ll find out soon, once NIST releases the results of its Face Analysis Technology Evaluation (FATE) Age Estimation & Verification test. The release of results is expected in early May.
Choice 3: Is voice an acceptable biometric modality?
Fingerprints, palm prints, faces, irises, and everything up to gait. (And behavioral biometrics.) There are a lot of biometric modalities out there, and one that has been around for years is the voice biometric.
I’ve discussed this topic before, and the partial title of the post (“We’ll Survive Voice Spoofing”) gives away how I feel about the matter, but I’ll present both sides of the issue.
No one can deny that voice spoofing exists and is effective, but many of the examples cited by the popular press are cases in which a HUMAN (rather than an ALGORITHM) was fooled by a deepfake voice. But voice recognition software can also be fooled.
(Incidentally, there is a difference between voice recognition and speech recognition. Voice recognition attempts to determine who a person is. Speech recognition attempts to determine what a person says.)
Finally facing my Waterloo
Take a study from the University of Waterloo, summarized here, that proclaims: “Computer scientists at the University of Waterloo have discovered a method of attack that can successfully bypass voice authentication security systems with up to a 99% success rate after only six tries.”
If you re-read that sentence, you will notice that it includes the words “up to.” Those words are significant if you actually read the article.
In a recent test against Amazon Connect’s voice authentication system, they achieved a 10 per cent success rate in one four-second attack, with this rate rising to over 40 per cent in less than thirty seconds. With some of the less sophisticated voice authentication systems they targeted, they achieved a 99 per cent success rate after six attempts.
Other voice spoofing studies
Similar to Gender Shades, the University of Waterloo study does not appear to have tested hundreds of voice recognition algorithms. But there are other studies.
- The 2021 NIST Speaker Recognition Evaluation (PDF here) tested results from 15 teams, but this test was not specific to spoofing.
- A test that was specific to spoofing was the ASVspoof 2021 test with 54 team participants, but the ASVspoof 2021 results are only accessible in abstract form, with no detailed results.
- Another test, this one with results, is the SASV2022 challenge, with 23 valid submissions. Here are the top 10 performers and their error rates.
You’ll note that the top performers don’t have error rates anywhere near the University of Waterloo’s 99 percent.
So some firms will argue that voice recognition can be spoofed and thus cannot be trusted, while other firms will argue that the best voice recognition algorithms are rarely fooled.
What does this mean for your company?
Obviously, different firms are going to respond to the three questions above in different ways.
- For example, a firm that offers face biometrics but not voice biometrics will convey how voice is not a secure modality due to the ease of spoofing. “Do you want to lose tens of millions of dollars?”
- A firm that offers voice biometrics but not face biometrics will emphasize its spoof detection capabilities (and cast shade on face spoofing). “We tested our algorithm against that voice fake that was in the news, and we detected the voice as a deepfake!”
There is no universal truth here, and the message your firm conveys depends upon your firm’s unique characteristics.
And those characteristics can change.
- Once when I was working for a client, this firm had made a particular choice with one of these three questions. Therefore, when I was writing for the client, I wrote in a way that argued the client’s position.
- After I stopped working for this particular client, the client’s position changed and the firm adopted the opposite view of the question.
- Therefore I had to message the client and say, “Hey, remember that piece I wrote for you that said this? Well, you’d better edit it, now that you’ve changed your mind on the question…”
Bear this in mind as you create your blog, white paper, case study, or other identity/biometric content, or have someone like the biometric content marketing expert Bredemarket work with you to create your content. There are people who sincerely hold the opposite belief of your firm…but your firm needs to argue that those people are, um, misinformed.
And as a postscript I’ll provide two videos that feature voices. The first is for those who detected my reference to the ABBA song “Waterloo.”
The second features the late Steve Bridges as President George W. Bush at the White House Correspondents Dinner.
Doing Double Duty (from the biometric product marketing expert)
I’ve previously noted that product marketers sometimes function as de facto content marketers. I oughta know.
For example, during my most recent stint as a product marketing employee at a startup, the firm had no official content marketers, so the product marketers had to create a lot of non-product related content. So we product marketers were the de facto content marketers for the company too. (Sadly, we didn’t get two salaries for filling two roles.)
Why did the product marketers end up as content marketers? It turns out that it makes sense—after all, people who write about your product in the lower funnel stages can also write about your product in the upper funnel stages, and also can certainly write about OTHER things, such as company descriptions, speaker submissions, and speaker biographies.
From https://bredemarket.com/2023/08/28/the-22-or-more-types-of-content-that-product-marketers-create/.
That’s from my post describing the 22 (or more) types of content that product marketers create. Or the types that one product marketer in particular has created.
So it stands to reason that I am not only the biometric content marketing expert, but also the biometric product marketing expert.
I just wanted to put that on the record.
And in case you were wondering what the 22 types of content are, here is the external content:
- Articles
- Blog Posts (500+, including this one)
- Briefs/Data/Literature Sheets
- Case Studies (12+)
- Proposals (100+)
- Scientific Book Chapters
- Smartphone Application Content
- Social Media (Facebook, Instagram, LinkedIn, Threads, TikTok, Twitter)
- Web Page Content
- White Papers and E-Books
And here is the internal content:
- Battlecards (80+)
- Competitive Analyses
- Event/Conference/Trade Show Demonstration Scripts
- Plans
- Playbooks
- Proposal Templates
- Quality Improvement Documents
- Requirements
- Strategic Analyses
And here is the content that can be external or internal on any given day:
- Email Newsletters (200+)
- FAQs
- Presentations
So if you need someone who can create this content for your identity/biometrics product, you know where to find me.
Avoiding Antiquated Product Marketing
Identity/biometrics firms don’t just create social media channels for the firms themselves. Sometimes they create social media channels dedicated to specific products and services.
That’s the good news.
Here’s the bad news.
As I write this, it’s March 3. A firm hasn’t updated one of its product-oriented social media channels since February 20.
That’s February 20, 2020…back when most of us were still working in offices.
It’s not like the product no longer exists…but to the casual viewer it seems like it. As I noted in a previous post, a 2020 survey showed that 76% of B2B buyers make buying decisions primarily based on the winning vendor’s online content.
Now I’ll admit that I don’t always update all of Bredemarket’s social media platforms in a timely manner, but at least I update them more than once every four years. I even updated my podcast last month.
Sadly, I can’t help THIS product marketer, since Instagram posts are not one of my primary offerings.
If you’re an identity/biometric company that needs help with blogs, case studies, white papers, and similar text content, Bredemarket can work with you to deliver fresh content.
Personally Protected: PII vs. PHI
(Part of the biometric product marketing expert series)
Before you can fully understand the difference between personally identifiable information (PII) and protected health information (PHI), you need to understand the difference between biometrics and…biometrics. (You know sometimes words have two meanings.)
The definitions of biometrics
To address the difference between biometrics and biometrics, I’ll refer to something I wrote over two years ago, in late 2021. In that post, I quoted two paragraphs from the International Biometric Society that illustrated the difference.
Since the IBS has altered these paragraphs in the intervening years, I will quote from the latest version.
The terms “Biometrics” and “Biometry” have been used since early in the 20th century to refer to the field of development of statistical and mathematical methods applicable to data analysis problems in the biological sciences.
Statistical methods for the analysis of data from agricultural field experiments to compare the yields of different varieties of wheat, for the analysis of data from human clinical trials evaluating the relative effectiveness of competing therapies for disease, or for the analysis of data from environmental studies on the effects of air or water pollution on the appearance of human disease in a region or country are all examples of problems that would fall under the umbrella of “Biometrics” as the term has been historically used….
The term “Biometrics” has also been used to refer to the field of technology devoted to the identification of individuals using biological traits, such as those based on retinal or iris scanning, fingerprints, or face recognition. Neither the journal “Biometrics” nor the International Biometric Society is engaged in research, marketing, or reporting related to this technology. Likewise, the editors and staff of the journal are not knowledgeable in this area.
From https://www.biometricsociety.org/about/what-is-biometry.
In brief, what I call “broad biometrics” refers to analyzing biological sciences data, ranging from crop yields to heart rates. Contrast this with what I call “narrow biometrics,” which (usually) refers only to human beings, and only to those characteristics that identify human beings, such as the ridges on a fingerprint.
The definition of “personally identifiable information” (PII)
Now let’s examine an issue related to narrow biometrics (and other things), personally identifiable information, or PII. (It’s also represented as personal identifiable information by some.) I’ll use a definition provided by the U.S. National Institute of Standards and Technology, or NIST.
Information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.
From https://csrc.nist.gov/glossary/term/PII.
Note the key words “alone or when combined.” The ten numbers “909 867 5309” are not sufficient to identify an individual alone, but can identify someone when combined with information from another source, such as a telephone book.
Yes, a telephone book. Deal with it.
What types of information can be combined to identify a person? The U.S. Department of Defense’s Privacy, Civil Liberties, and Freedom of Information Directorate provides multifarious examples of PII, including:
- Social Security Number.
- Passport number.
- Driver’s license number.
- Taxpayer identification number.
- Patient identification number.
- Financial account number.
- Credit card number.
- Personal address.
- Personal telephone number.
- Photographic image of a face.
- X-rays.
- Fingerprints.
- Retina scan.
- Voice signature.
- Facial geometry.
- Date of birth.
- Place of birth.
- Race.
- Religion.
- Geographical indicators.
- Employment information.
- Medical information.
- Education information.
- Financial information.
Now you may ask yourself, “How can I identify someone by a non-unique birthdate? A lot of people were born on the same day!”
But the combination of information is powerful, as researchers discovered in a 2015 study cited by the New York Times.
In the study, titled “Unique in the Shopping Mall: On the Reidentifiability of Credit Card Metadata,” a group of data scientists analyzed credit card transactions made by 1.1 million people in 10,000 stores over a three-month period. The data set contained details including the date of each transaction, amount charged and name of the store.
Although the information had been “anonymized” by removing personal details like names and account numbers, the uniqueness of people’s behavior made it easy to single them out.
In fact, knowing just four random pieces of information was enough to reidentify 90 percent of the shoppers as unique individuals and to uncover their records, researchers calculated. And that uniqueness of behavior — or “unicity,” as the researchers termed it — combined with publicly available information, like Instagram or Twitter posts, could make it possible to reidentify people’s records by name.
From https://archive.nytimes.com/bits.blogs.nytimes.com/2015/01/29/with-a-few-bits-of-data-researchers-identify-anonymous-people/.
So much for anonymization. And privacy.
Now biometrics only form part of the multifarious list of data cited above, but clearly biometric data can be combined with other data to identify someone. An easy example is taking security camera footage of the face of a person walking into a store, and combining that data with the same face taken from a database of driver’s license holders. In some jurisdictions, some entities are legally permitted to combine this data, while others are legally prohibited from doing so. (A few do it anyway. But I digress.)
Because narrow biometric data used for identification, such as fingerprint ridges, can be combined with other data to personally identify an individual, organizations that process biometric data must undertake strict safeguards to protect that data. If personally identifiable information (PII) is not adequately guarded, people could be subject to fraud and other harms.
The definition of “protected health information” (PHI)
In this case, I’ll refer to information published by the U.S. Department of Health and Human Services.
Protected Health Information. The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).”12
“Individually identifiable health information” is information, including demographic data, that relates to:
the individual’s past, present or future physical or mental health or condition,
the provision of health care to the individual, or
the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.13 Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.
From https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
Now there’s obviously an overlap between personally identifiable information (PII) and protected health information (PHI). For example, names, dates of birth, and Social Security Numbers fall into both categories. But I want to highlight two things are are explicitly mentioned as PHI that aren’t usually cited as PII.
- Physical or mental health data. This could include information that a medical professional captures from a patient, including biometric (broad biometric) information such as heart rate or blood pressure.
- Health care provided to an individual. This not only includes written information such as prescriptions, but oral information (“take two aspirin and call my chatbot in the morning”). Yes, chatbot. Deal with it. Dr. Marcus Welby and his staff retired a long time ago.
Because broad biometric data used for analysis, such as heart rates, can be combined with other data to personally identify an individual, organizations that process biometric data must undertake strict safeguards to protect that data. If protected health information (PHI) is not adequately guarded, people could be subject to fraud and other harms.
Simple, isn’t it?
Actually, the parallels between identity/biometrics and healthcare have fascinated me for decades, since the dedicated hardware to capture identity/biometric data is often similar to the dedicated hardware to capture health data. And now that we’re moving away from dedicated hardware to multi-purpose hardware such as smartphones, the parallels are even more fascinating.
Bredemarket 