Identity/biometrics/technology marketing and writing services
Someone who is a biometric product marketing expert.
Someone who has three decades of expertise in biometrics.
Someone who has worked with fingerprints, faces, irises, voices, DNA, and other biometric modalities.
Someone who understands the privacy landscape in Europe (GDPR), Illinois (BIPA), California, and elsewhere.
Oh…and someone who can write.
I know someone. Bredemarket.
Francesco Fabbrocino of Dunmor presented at today’s SoCal Tech Forum at FoundrSpace in Rancho Cucamonga, California. His topic? Technology in FinTech/Fraud Detection. I covered his entire presentation in a running LinkedIn post, but I’d like to focus on one portion here—and my caveat to one of his five rules of fraud detection. (Four-letter word warning.)
In the style of Fight Club, Fabbrocino listed his five rules of fraud detection:
1. Nearly all fraud is based on impersonation.
2. Never expose your fraud prevention techniques.
3. Preventing fraud usually increases friction.
4. Fraud prevention is a business strategy.
5. Whatever you do, fraudsters will adapt to it.
All good points. But I want to dig into rule 2, which is valid…to a point.
If the fraudster presents three different identity verification or authentication factors, and one of them fails, there’s no need to tell the fraudster which one failed. Bad password? Don’t volunteer that information.
In fact, under certain circumstances you may not have to reveal the failure at all. If you are certain this is a fraud attempt, let the fraudster believe that the transaction (such as a wire transfer) was successful. The fraudster will learn the truth soon enough: if not in this fraud attempt, perhaps in the next one.
But “never” is a strong word, and there are some times when you MUST expose your fraud prevention techniques. Let me provide an example.
One common type of fraud is time card fraud, in which an employee claims to start work at 8:00, even though he didn’t show up for work until 8:15. How do you fool the time clock? By buddy punching, where your friend inserts your time card into the time clock precisely at 8, even though you’re not present.
Enter biometric time clocks, in which a worker must use their finger, palm, face, iris, or voice to punch in and out. It’s very hard for your buddy to have your biometric, so this decreases time clock fraud significantly.
Unless you’re an employer in Illinois, or a biometric time clock vendor to employers in Illinois.
And you fail to inform the employees of the purpose for collecting biometrics, and obtain the employees’ explicit consent to collect biometrics for this purpose.
Because that’s a violation of BIPA, Illinois’ Biometric Information Privacy Act. And you can be liable for damages for violating it.
In a case like this, or a case in a jurisdiction governed by some other privacy law, you HAVE to “expose” that you are using an individual’s biometrics as a fraud prevention techniques.
But if there’s no law to the contrary, obfuscate at will.
Now there are a number of companies that fight the many types of fraud that Fabbrocino mentioned. But these companies need to ensure that their prospects and clients understand the benefits of their anti-fraud solutions.
That’s where Bredemarket can help.
As a product marketing consultant, I help identity, biometric, and technology firms market their products to their end clients.
And I can help your firm also.
Read about Bredemarket’s content for tech marketers and book a free meeting with me to discuss your needs.
More information:
(Part of the biometric product marketing expert series)
Biometric Update reports that Amazon’s Ring products are offering a feature called “Familiar Faces.”
“In September, Amazon revealed a revamped Ring camera lineup featuring two notable AI features, Familiar Faces and Search Party. Familiar Faces uses facial recognition and lets users tag neighbors or friends so future alerts identify them by name rather than generic motion.”
If this sounds, um, familiar, it’s because Google also has a similar feature, called familiar face alerts, in its Nest offerings.
And like Google, Amazon’s Familiar Faces won’t be available to everyone. If you are, um, familiar withg the acronym BIPA, you will know why.
“The feature is slated for December, though it will be disabled in places with stricter biometric laws such as Illinois, Texas, and Portland.”
Illinois music lovers, wanna see a concert? Sounds like you may have to surrender your BIPA protections.
Specifically, if the concert venue uses Ticketmaster (who doesn’t?), and if the concert venue captures your biometric data without your consent, you may not have legal recourse.
“These Terms of Use (“Terms”) govern your use of Live Nation and Ticketmaster’s websites and applications…
“The Terms contain an arbitration agreement and class action waiver—along with some limited exceptions—in Section 14, below. Specifically, you and we agree that any dispute or claim relating in any way to the Terms, your use of the Marketplace, or products or services sold, distributed, issued, or serviced by us or through us, will be resolved by binding arbitration, rather than in court…
“By agreeing to arbitration, you and we each waive any right to participate in a class action lawsuit or class action arbitration, except those already filed and currently pending as of August 12, 2025.”
I was recently talking with a former colleague, whose name I am not at liberty to reveal, and they posed a question that stymied me.
What happens when multiple people join a videoconference, and they all reside in jurisdictions with different privacy regulations?
An example will illustrate what would happen, and I volunteer to be the evil party in this one.
Let’s say:
On a particular day in April 2026, a Californian launches a videoconference on Zoom.
The Californian invites an Illinoisan.
And also invites a Dane.
And then—here’s the evil part—records and gathers images from the videoconference without letting the other two know.
Despite the fact that the Illinois Biometric Information Privacy Act, or BIPA, requires written consent before acquiring Abe’s facial geometry. And if Cali John doesn’t obtain that written consent, he could lose a lot of money.
And what about Freja? Well, if the Danish Copyright Act takes effect on March 31, 2026 as expected, Cali John can get into a ton of trouble if he uses the video to create a realistic, digitally generated imitation of Freja. Again, consent is required. Again, there can be monetary penalties if you don’t get that consent.
But there’s another question we have to consider.
Does the videoconference provider bear any responsibility for the violations of Illinois and Danish law?
Since I used Zoom as my example, I looked at Zoom’s EULA Terms of Service.
TL;DR: not our problem, that’s YOUR problem.
“5. USE OF SERVICES AND YOUR RESPONSIBILITIES. You may only use the Services pursuant to the terms of this Agreement. You are solely responsible for Your and Your End Users’ use of the Services and shall abide by, and ensure compliance with, all Laws in connection with Your and each End User’s use of the Services, including but not limited to Laws related to recording, intellectual property, privacy and export control. Use of the Services is void where prohibited.”
But such requirements haven’t stopped BIPA lawyers from filing lawsuits against deep pocketed software vendors. Remember when Facebook settled for $650 million?
So remember what could happen the next time you participate in a multinational, multi-state, or even multi-city videoconference. Hope your AI note taker isn’t capturing screen shots.
For years I have maintained that the difficulties in technology are not because of the technology itself.
Technology can do wonderful things.
The difficulties lie with the need for people to agree to use the technology.
And not beg ignorance by saying “I know nothing.”
(Image of actor John Banner as Sgt. Schultz on Hogan’s Heroes is public domain.)
I just saw an article with the title “TPRM weaknesses emerge as relationship owners fail to report red flags.”
Unlike some clickbait-like article titles, this one from Communications Today succinctly encapsulates the problem up front.
It’s not that the TPRM software is failing to find the red flags. Oh, it finds them!
But the folks at Gartner discovered something:
“A Gartner survey of approximately 900 third-party relationship owners…revealed that while 95% saw a third-party red flag in the past 12 months, only around half of them escalate it to compliance teams.”
Among other things, the relationship owners worry about “the perceived return on investment (ROI) of sharing information.”
And that’s not a software issue. It’s a process issue.
No amount of coding or AI can fix that.
And this is not unique to the cybersecurity world. Let’s look at facial recognition.
I’ve said this over and over, but for U.S. criminal purposes, facial recognition results should ONLY be used as investigative leads.
It doesn’t matter whether they’re automated results, or if they have been reviewed by a trained forensic face examiner.
Facial recognition results should only be used as investigative leads.
Sorry for the repetition, but some people aren’t listening.
But it’s not the facial recognition vendors. Bredemarket has worked with numerous facial recognition vendors over the years, and of those who work with law enforcement, ALL of them have emphatically insisted that their software results should only be used as investigative leads.
All of them. Including…that one.
But the vendors have no way to control the actions of customers who feed poor-quality data into their systems, get a result…and immediately run out and get an arrest warrant without collecting corroborating evidence.
And that’s not a software issue. It’s a process issue.
No amount of coding or AI can fix that.
I hope the TPRM folks don’t mind my detour into biometrics, but there’s a good reason for it.
Some product marketers, including myself, believe that it’s not enough to educate prospects and customers about your product. You also need to educate them about proper use of the product, including legal and ethical concerns.
If you don’t, your customers will do dumb things in Europe, Illinois, or elsewhere—and blame you when they are caught.
Be a leader in your industry by doing or saying the right thing.
And now here’s a word from our sponsor.
There’s a reason why this post specifically focused on cybersecurity and facial recognition.
If you need product marketing assistance with your product, Bredemarket has two openings. One for a cybersecurity client, and one for a facial recognition client.
I can offer
If Bredemarket can help your stretched staff, book a free meeting with me: https://bredemarket.com/cpa/
Because my local Amazon Fresh post is taking off, it’s a good time to revisit the “one” thing Uplanders will encounter when they get there.
I’ve talked about Amazon One palm/vein biometrics several times in the past.
Meanwhile, Amazon One is available at over 400 U.S. locations, with more on the way.
And it’s also available (or soon will be) on TP-Link door locks. But the How-To Geek writer is confused:
“TP-Link says that these palm vein patterns are so unique that they can even tell the difference between identical twins, making them safer than regular fingerprint or facial recognition methods.”
Um…fingerprints? Must be a Columbia University grad.
And the TP-Link page for the product has no sales restrictions. Even Illinois residents can buy it. Presumably there’s an ironclad consent agreement with every enrollment to prevent BIPA lawsuits.
(Picture from Imagen 3)
(Part of the biometric product marketing expert series)
You may remember the May hoopla regarding amendments to Illinois’ Biometric Information Privacy Act (BIPA). These amendments do not eliminate the long-standing law, but lessen its damage to offending companies.
Back on May 29, Fox Rothschild explained the timeline:
The General Assembly is expected to send the bill to Illinois Governor JB Pritzker within 30 days. Gov. Pritzker will then have 60 days to sign it into law. It will be immediately effective.
According to the Illinois General Assembly website, the Senate sent the bill to the Governor on June 14.
While the BIPA amendment has passed the Illinois House and Senate and was sent to the Governor, there is no indication that he has signed the bill into law within the 60-day timeframe.
So BIPA 1.0 is still in effect.
A proposed class action claims Photomyne, the developer of several photo-editing apps, has violated an Illinois privacy law by collecting, storing and using residents’ facial scans without authorization….
The lawsuit contends that the app developer has breached the BIPA’s clear requirements by failing to notify Illinois users of its biometric data collection practices and inform them how long and for what purpose the information will be stored and used.
In addition, the suit claims the company has unlawfully failed to establish public guidelines that detail its data retention and destruction policies.
(Part of the biometric product marketing expert series)
If your biometric firm conducts business in the United States, then your biometric firm probably conducts business in Illinois.
Your firm and your customers are impacted by Illinois’ Biometric Information Privacy Act, or BIPA.
Including requirements for consumer consent for use of biometrics.
And heavy fines (currently VERY heavy fines) if you don’t obtain that consent.
What is your firm telling your customers about BIPA?
Bredemarket has mentioned BIPA several times in the Bredemarket blog.
But what has YOUR firm said about BIPA?
And if your firm has said nothing about BIPA, why not?
Perhaps the biometric product marketing expert can ensure that your product is marketed properly in Illlinois.
Contact Bredemarket before it’s too late.
(Part of the biometric product marketing expert series)
If you’re a biometric product marketing expert, or even if you’re not, you’re presumably analyzing the possible effects to your identity/biometric product from the proposed changes to the Biometric Information Privacy Act (BIPA).
As of May 16, the Illinois General Assembly (House and Senate) passed a bill (SB2979) to amend BIPA. It awaits the Governor’s signature.
What is the amendment? Other than defining an “electronic signature,” the main purpose of the bill is to limit damages under BIPA. The new text regarding the “Right of action” codifies the concept of a “single violation.”
| 2 | (b) For purposes of subsection (b) of Section 15, a |
| 3 | private entity that, in more than one instance, collects, |
| 4 | captures, purchases, receives through trade, or otherwise |
| 5 | obtains the same biometric identifier or biometric information |
| 6 | from the same person using the same method of collection in |
| 7 | violation of subsection (b) of Section 15 has committed a |
| 8 | single violation of subsection (b) of Section 15 for which the |
| 9 | aggrieved person is entitled to, at most, one recovery under |
| 10 | this Section. |
| 11 | (c) For purposes of subsection (d) of Section 15, a |
| 12 | private entity that, in more than one instance, discloses, |
| 13 | rediscloses, or otherwise disseminates the same biometric |
| 14 | identifier or biometric information from the same person to |
| 15 | the same recipient using the same method of collection in |
| 16 | violation of subsection (d) of Section 15 has committed a |
| 17 | single violation of subsection (d) of Section 15 for which the |
| 18 | aggrieved person is entitled to, at most, one recovery under |
| 19 | this Section regardless of the number of times the private |
| 20 | entity disclosed, redisclosed, or otherwise disseminated the |
| 21 | same biometric identifier or biometric information of the same |
| 22 | person to the same recipient. |
So does this mean that Google Nest Cam’s “familiar face alert” feature will now be available in Illinois?
Probably not. As Doug “BIPAbuzz” OGorden has noted:
(T)he amended law DOES NOT CHANGE “Private Right of Action” so BIPA LIVES!
Companies who violate the strict requirements of BIPA aren’t off the hook. It’s just that the trial lawyers—whoops, I mean the affected consumers make a lot less money.
Bredemarket