So I figured I should pre-investigate what was necessary to enroll in the Amazon One palm vein system once I arrived at the store.
My first discovery was that Amazon One has its own app, separate from the Amazon app. I don’t know how many apps Amazon has, but if Amazon and Meta ever merge (Amameta?), I will need a separate phone just for its apps.
So I downloaded Amazon One, linked it to my Amazon account, and waited for the instructions on how to enroll my palm at an Amazon location…
…only to find that Amazon One wanted to take pictures of both my palms, right there on my smartphone. Just like any contactless fingerprint app.
Enrolled in Amazon One.
So I am now enrolled, and I have confirmed that my local Amazon Fresh accepts Amazon Go.
Um…that is not East Foothill.
However, as even non-locals will realize, this is NOT 235 East Foothill, but WEST Foothill. So much for geolocation. (And the location of the Madonna of the Trail statue is wrong also, but I digress.)
(With a special message at the end for facial recognition and cybersecurity marketing leaders)
Years ago, when I was in Mexico City on a business trip, one of my coworkers stated that he never uses biometrics to protect the data on his smartphone.
His rationale?
Government officials can compel you to use your biometrics to unlock your smartphone. They can’t compel you to provide your passcode to government officials.
Ironically, we both worked for a biometric company at the time.
But my former coworker isn’t the only one making this statement. With the recent protests, and with the recent searches of people crossing the U.S. border by plane or otherwise, this same advice is echoed everywhere.
ZDNET quotes law firm managing partner Ignacio Alvarez on passcodes:
“But the majority of the courts have found that being required by law enforcement to give your code to your devices violates your Fifth Amendment right against self-incrimination.”
Note what Alvarez said: the MAJORITY of the courts. So if you end up before the “wrong” court, you might have to provide your passcode anyway.
ZDNET also quotes attorney Joseph Rosenbaum:
“Passwords or passcodes, because they represent information contained in a person’s mind, seem to generally be considered the same as requiring someone to testify against themselves in court or in a deposition,” he told ZDNET. “That information is more likely to be legally protected under the Fifth Amendment as potentially self-incriminating.”
Notice his “seem to generally be” and “more likely to be” language. Again, you could still be compelled to give your passcode.
But that’s the easy part.
Biometrics: it’s complicated
But passcodes are the easy part. Biometrics are much more of a gray area.
The rationale behind not giving up your biometric is similar to the rationale behind the Miranda warning. As Dragnet fans know, “Anything you say can and will be used against you in a court of law.” Regarding passcodes, the courts…well, some of the courts, hold that since a passcode can be “spoken,” it’s covered under Miranda and therefore can’t be given without violating your Fifth Amendment rights.
What about biometrics? (Excluding voice biometrics for the moment.)
“…since a biometric isn’t spoken, production of that biometric may not legally qualify as the act of testifying against yourself and therefore, you can be compelled to unlock a phone or an app without necessarily having your rights violated.”
Again, note the use of the words “may not.” It isn’t clear here either.
And even these wishy-washy definitions may change.
“This area of law is a seriously moving target. Over time, things could favor passcodes being non-testimonial or biometrics being testimonial.”
In other words, a few years from now lawyers may advise you to use biometrics rather than passcodes to protect your private data on your smartphone.
Or maybe they’ll say both methods protect you equally.
Or maybe they’ll say neither method protects you, and your private data is no longer private.
But most likely they’ll say “It depends.” In the same way that our 18,000 law enforcement agencies have 18,000 different definitions of forensic science, they could have 18,000 different definitions of Miranda rights.
And one more thing…
Bredemarket has two openings!
The formal announcement is embargoed until Monday, but Bredemarket has TWO openings to act as your on-demand marketing muscle for facial recognition or cybersecurity:
Because my local Amazon Fresh post is taking off, it’s a good time to revisit the “one” thing Uplanders will encounter when they get there.
I’ve talked about Amazon One palm/vein biometrics several times in the past.
The August 2021 post about Amazon paying $10 for your biometrics, long before World (Worldcoin) did something similar. Hmm…wonder if the $10 deal is still on?
And it’s also available (or soon will be) on TP-Link door locks. But the How-To Geek writer is confused:
“TP-Link says that these palm vein patterns are so unique that they can even tell the difference between identical twins, making them safer than regular fingerprint or facial recognition methods.”
And the TP-Link page for the product has no sales restrictions. Even Illinois residents can buy it. Presumably there’s an ironclad consent agreement with every enrollment to prevent BIPA lawsuits.
“[N]ew Okta Platform capabilities…help businesses secure AI agents and other non-human identities with the same level of visibility, control, governance, and automation as human ones. The Okta Platform will now bring a unified, end-to-end identity security fabric to organizations for managing and securing all types of identities across their ecosystem, from AI agents to API keys to employees.”
I think that “unified” will take the place of “trust” as the identity buzzword. Thankfully.
If you’re only selling biometrics, or maybe biometrics and ID cards, where will your customers go to get the rest of their systems? Or will you just be a commodity supplier to the companies that provide the REAL systems?
I’m admittedly fascinated by the parallels between people and non-person entities (NPEs), to the point where I asked at one point whether NPEs can use the factors of authentication. (All six. Long story.)
When I got to the “something you are” factor, which corresponds to biometrics in humans, here is what I wrote:
Something you are. For simplicity’s sake, I’ll stick to physical objects here, ranging from pocket calculators to hand-made ceramic plates. The major reason that we like to use “something you are” as a factor is the promise of uniqueness. We believe that fingerprints are unique (well, most of us), and that irises are unique, and that DNA is unique except for identical twins. But is a pocket calculator truly unique, given that the same assembly line manufactures many pocket calculators? Perhaps ceramic plates exhibit uniqueness, perhaps not.
But I missed one thing in that discussion, so I wanted to revisit it.
Understanding IMEI Numbers
Now this doesn’t apply to ceramic plates or pocket calculators, but there are some NPEs that assert uniqueness.
Our smartphones, each of which has an International Mobile Equipment Identity (IMEI) number.
IMEI stands for International Mobile Equipment Identity. It’s a unique identifier for mobile devices, much like a fingerprint for your phone’s IMEI number.
Now some of you who are familiar with biometrics are saying, “Hold it right there.”
Can someone assert that there has NEVER been two people with the same fingerprint in all of human history?
But let’s stick to phones, Johnny.
Each IMEI number is a 15-digit code that’s assigned to every mobile phone during its production. This number helps in uniquely identifying a device regardless of the SIM card used.
This is an important point here. Even Americans understand that SIM cards are transient and can move from one phone to another, and therefore are not valid to uniquely identify phones.
What about IMEIs?
Are IMEIs unique?
I won’t go into the specifics of the 15-digit IMEI number format, which you can read about here. Suffice it to say that the format dictates that the number incorporate the make and model, a serial number, and a check digit.
Therefore smartphones with different makes and models cannot have the same IMEI number by definition.
And even within the make and model, by definition no two phones can have the same serial number.
Why not? Because everyone says so.
It’s even part of the law.
Changing an IMEI number is illegal in many countries due to the potential misuse, such as using a stolen phone. Tampering with the IMEI can lead to severe legal consequences, including fines and imprisonment. This regulation helps in maintaining the integrity of mobile device tracking and discourages the theft and illegal resale of devices.
IMEIs in India
To all of the evidence above about the uniqueness of IMEI numbers, I only have two words:
So what?
A dedicated person can create or modify multiple smartphones to have the exact same IMEI number if desired. Here’s a recent example:
The Indore Police Crime Branch has dismantled two major digital arrest fraud rackets operating in different parts of the country, seizing a massive database containing private details of 20,000 pensioners in Indore….
A dark room in the flat functioned as the nerve centre of the cyber fraud operation, which had been active since 2019. The group specialised in IMEI cloning and used thousands of SIM cards from select mobile networks.
IMEIs in Canada
“Oh, but that’s India,” you say. “That couldn’t happen in a First World country.”
A Calgary senior is warning others after he was scammed out of $1,000 after buying what he thought was a new iPhone 15 Pro Max.
“I didn’t have any doubt that it was real,” Boyd told Global News….
The seller even provided him with the “original” receipt showing the phone had been purchased down east back in October 2023. Boyd said he also checked the phone’s serial number and the International Mobile Equipment Identity (IMEI). All checked out fine.
Boyd said the first sign of a problem was when he tried to update the phone with his own information and it wouldn’t update. It was only after he took it to a representative at a local Apple retailer, that he realized he had been duped.
IMEIs in general
Even IMEICheck.net, which notes that the threat of stealing one’s phone information is overrated, admits that it is possible (albeit difficult) to clone an IMEI number.
In theory, hackers can clone a phone using its IMEI, but this requires significant effort. They need physical access to the device or SIM card to extract data, typically using specialized tools.
The cloning process involves copying the IMEI and other credentials necessary to create a functional duplicate of the phone. However, IMEI number security features in modern devices are designed to prevent unauthorized cloning. Even if cloning is successful, hackers cannot access personal data such as apps, messages, photos, or passwords. Cloning usually only affects network-related functions, such as making calls or sending messages from the cloned device.
Again, NOTHING provides 100.00000% security. Not even an IMEI number.
What this means for IMEI uniqueness claims
So if you are claiming uniqueness of your smartphone’s IMEI, be aware that there are proven examples to the contrary.
Perhaps the shortcomings of IMEI uniqueness don’t matter in your case, and using IMEIs for individualization is “good enough.”
(Imagen 3 image. Oddly enough, Google Gemini was unable, or unwilling, to generate an image of three smartphones displaying the exact same 15-digit string of numbers, or even a 2-digit string. I guess Google thought I was a fraudster.)
Currently, passengers must verify their identity at multiple checkpoints throughout a single journey, leading to delays and increased congestion at airports. To address this challenge, Facephi has developed technology that enables identity validation before arriving at the airport, reducing wait times and ensuring a seamless and secure travel experience. This innovation has already been successfully tested in collaboration with IATA through a proof of concept conducted last November.
The idea of creating an ecosystem in which identity is known throughout the entire passenger journey is not new to Facephi, of course. I remember that Safran developed a similar concept in the 2010s before it sold off Morpho, MorphoTrust, MorphoTrak, and Morpho Detection. And I’ve previously discussed the SITA-IDEMIA-Indico “Digital Travel Ecosystem.”
But however it’s accomplished, seamless travel benefits everyone…except the terrorists.
But I provided external samples of what I do anyway: two client short data sheets, three client long data sheets, three Bredemarket data sheets, two client landing pages, one Bredemarket landing page, and two other samples.
So I will share one of the landing pages with you, but not a client one. This is one of mine, for Bredemarket’s identity/biometric prospects.
This metal injection attack isn’t from an Ozzy Osbourne video, but from a video made by an expert lock picker in 2019 against a biometric gun safe.
The biometric gun safe is supposed to deny access to a person whose fingerprint biometrics aren’t registered (and who doesn’t have the other two access methods). But as Hackaday explains:
“(T)he back of the front panel (which is inside the safe) has a small button. When this button is pressed, the device will be instructed to register a new fingerprint. The security of that system depends on this button being inaccessible while the safe is closed. Unfortunately it’s placed poorly and all it takes is a thin piece of metal slid through the thin opening between the door and the rest of the safe. One press, and the (closed) safe is instructed to register and trust a new fingerprint.”
Biometric protection is of no use if you can bypass the biometrics.
But was the safe (subsequently withdrawn from Amazon) over promising? The Firearm Blog asserts that we shouldn’t have expected much.
“To be fair, cheap safes like this really are to keep kids, visitors, etc from accessing your guns. Any determined person will be able to break into these budget priced sheet metal safes….”
But still the ease at bypassing the biometric protection is deemed “inexcusable.”
So how can you detect this injection attack? One given suggestion: only allow the new biometric registration control to work when the safe is open (meaning that an authorized user has presumably opened the safe). When the safe is closed, insertion of a thin piece of metal shouldn’t allow biometric registration.
For other discussions of injection attack detection, see these posts: one, two.
By the way, this is why I believe passwords will never die. If you want a cheap way to lock something, just use a combination. No need to take DNA samples or anything.
Oh, and a disclosure: I used Google Gemini to research this post. Not that it really helped.
Bredemarket 