“Comply with all privacy laws and regulations. This should be a given, but sometimes vendors are lax in this area. If your firm violates the law, and you are caught, you will literally pay the price.”
Ask companies doing business in the GDPR region, Illinois, Texas, and elsewhere how hefty those fines could be. Meta alone has received billions of dollars in fines in Ireland (EU) and over a billion dollars in Texas.
“Store only the minimum necessary personal information. If you don’t need to keep certain data, don’t store it. I’m sure our decentralized identity friends will agree with this.”
“Convert biometric into sharded, anonymized bits (“anonybits”)”
“Distribute the “anonybits” throughout the multi-party cloud environment for storage, where they are kept and never retrieved or reassembled, even for matching”
“Collect only the minimum necessary personal information. If you don’t need certain data, don’t collect it. If it’s never collected, fraudster hackers can never steal it.”
Let’s pick on Workday. Job applicants know why. Workday’s default configuration (which many companies don’t change) is to require job applicants to set up an account with login and password.
But what happens to that data when—not if—Workday is hacked?
Get ready for repurposing gone wild. This is the first of seven vendor suggestions I made in my Biometric Update guest post.
“Exercise transparency. Remember that some people are convinced that every piece of data collected by every biometric vendor is fed into a super-secret worldwide surveillance supercomputer maintained by shadowy forces. If you don’t educate your customers and their users on the truth—how data is shared, and how data is not shared—they will believe the lies.”
“Usually, the government agency or private organization acts as the “controller” or owner of the biometric data, while the biometric vendor is just the “processor” of the data.
“But there are exceptions. In late April, Joel R. McConvey described a proposal in which the Milwaukee, Wisconsin Police Department would provide Biometrica with 2.5 million facial images from its jail records.
“Why would any biometric vendor want to be the controller of biometric data? One plausible reason is for internal testing to improve the vendor’s algorithms by continuously testing them against live data. There may be other reasons, such as offering new services.”
But this is actually the SECOND time I have been featured by Biometric Update. If you check its YouTube channel, you can find the 2015 gem “MorphoTrak (Safran) – MorphoWay demo”: https://youtube.com/shorts/mqfHAc227As
Stay tuned for my next Biometric Update appearance in 2035.
“The documents were forged Labour Market Impact Assessments, or LMIAs. Employers typically receive the documents from Employment and Social Development Canada (ESDC) if they want to hire a foreign worker.”
Biometrics aren’t enough. The person may be who they say they are, but the documentation they are holding may be fake.
I had previously designated a payment card to use with Amazon One (Card #1). When I went to check out and provided my palm, I was asked to insert this card.
The reader said there was a problem with this card, so I inserted a different card (Card #2) and the payment processed on that card.
After my purchase I went back to my Amazon One app…which still showed Card #1 as my purchase card.
So I figured I should pre-investigate what was necessary to enroll in the Amazon One palm vein system once I arrived at the store.
My first discovery was that Amazon One has its own app, separate from the Amazon app. I don’t know how many apps Amazon has, but if Amazon and Meta ever merge (Amameta?), I will need a separate phone just for its apps.
So I downloaded Amazon One, linked it to my Amazon account, and waited for the instructions on how to enroll my palm at an Amazon location…
…only to find that Amazon One wanted to take pictures of both my palms, right there on my smartphone. Just like any contactless fingerprint app.
Enrolled in Amazon One.
So I am now enrolled, and I have confirmed that my local Amazon Fresh accepts Amazon Go.
Um…that is not East Foothill.
However, as even non-locals will realize, this is NOT 235 East Foothill, but WEST Foothill. So much for geolocation. (And the location of the Madonna of the Trail statue is wrong also, but I digress.)
(With a special message at the end for facial recognition and cybersecurity marketing leaders)
Years ago, when I was in Mexico City on a business trip, one of my coworkers stated that he never uses biometrics to protect the data on his smartphone.
His rationale?
Government officials can compel you to use your biometrics to unlock your smartphone. They can’t compel you to provide your passcode to government officials.
Ironically, we both worked for a biometric company at the time.
But my former coworker isn’t the only one making this statement. With the recent protests, and with the recent searches of people crossing the U.S. border by plane or otherwise, this same advice is echoed everywhere.
ZDNET quotes law firm managing partner Ignacio Alvarez on passcodes:
“But the majority of the courts have found that being required by law enforcement to give your code to your devices violates your Fifth Amendment right against self-incrimination.”
Note what Alvarez said: the MAJORITY of the courts. So if you end up before the “wrong” court, you might have to provide your passcode anyway.
ZDNET also quotes attorney Joseph Rosenbaum:
“Passwords or passcodes, because they represent information contained in a person’s mind, seem to generally be considered the same as requiring someone to testify against themselves in court or in a deposition,” he told ZDNET. “That information is more likely to be legally protected under the Fifth Amendment as potentially self-incriminating.”
Notice his “seem to generally be” and “more likely to be” language. Again, you could still be compelled to give your passcode.
But that’s the easy part.
Biometrics: it’s complicated
But passcodes are the easy part. Biometrics are much more of a gray area.
The rationale behind not giving up your biometric is similar to the rationale behind the Miranda warning. As Dragnet fans know, “Anything you say can and will be used against you in a court of law.” Regarding passcodes, the courts…well, some of the courts, hold that since a passcode can be “spoken,” it’s covered under Miranda and therefore can’t be given without violating your Fifth Amendment rights.
What about biometrics? (Excluding voice biometrics for the moment.)
“…since a biometric isn’t spoken, production of that biometric may not legally qualify as the act of testifying against yourself and therefore, you can be compelled to unlock a phone or an app without necessarily having your rights violated.”
Again, note the use of the words “may not.” It isn’t clear here either.
And even these wishy-washy definitions may change.
“This area of law is a seriously moving target. Over time, things could favor passcodes being non-testimonial or biometrics being testimonial.”
In other words, a few years from now lawyers may advise you to use biometrics rather than passcodes to protect your private data on your smartphone.
Or maybe they’ll say both methods protect you equally.
Or maybe they’ll say neither method protects you, and your private data is no longer private.
But most likely they’ll say “It depends.” In the same way that our 18,000 law enforcement agencies have 18,000 different definitions of forensic science, they could have 18,000 different definitions of Miranda rights.
And one more thing…
Bredemarket has two openings!
The formal announcement is embargoed until Monday, but Bredemarket has TWO openings to act as your on-demand marketing muscle for facial recognition or cybersecurity:
Because my local Amazon Fresh post is taking off, it’s a good time to revisit the “one” thing Uplanders will encounter when they get there.
I’ve talked about Amazon One palm/vein biometrics several times in the past.
The August 2021 post about Amazon paying $10 for your biometrics, long before World (Worldcoin) did something similar. Hmm…wonder if the $10 deal is still on?
And it’s also available (or soon will be) on TP-Link door locks. But the How-To Geek writer is confused:
“TP-Link says that these palm vein patterns are so unique that they can even tell the difference between identical twins, making them safer than regular fingerprint or facial recognition methods.”
And the TP-Link page for the product has no sales restrictions. Even Illinois residents can buy it. Presumably there’s an ironclad consent agreement with every enrollment to prevent BIPA lawsuits.