Contactless fingerprint scanning (almost) software at #connectID

Let me kick off this post by quoting from another post that I wrote:

I’ve always been of the opinion that technology is moving away from specialized hardware to COTS hardware. For example, the fingerprint processing and matching that used to require high-end UNIX computers with custom processor boards in the 1990s can now be accomplished on consumer-grade smartphones.

Further evidence of this was promoted in advance of #connectID by Integrated Biometrics.

And yes, for those following Integrated Biometrics’ naming conventions, there IS a 1970s movie called “Slap Shot,” but I don’t think it has anything to do with crime solving. Unless you count hockey “enforcers” as law enforcement. And the product apparently wasn’t named by Integrated Biometrics anyway.

But back to the product:

SlapShot supports the collection of Fingerprint and facial images suitable for use with state of the art matching algorithms. Fingerprints can now be captured by advanced software that enables the camera in your existing smart phones to generate images with a quality capable of precise identification. Facial recognition and metadata supplement the identification process for any potential suspect or person of interest.

This groundbreaking approach turns almost any smart phone into a biometric capture device, and with minimal integration, your entire force can leverage their existing smart phones to capture fingerprints for identification and verification, receiving matching results in seconds from a centralized repository.

Great, you say! But there’s one more thing. Two more things, actually:

SlapShot functions on Android devices that support Lollipop or later operating systems and relies on the device’s rear high-resolution camera. Images captured from the camera are automatically processed on the device in the background and converted into EBTS files. Once the fingerprint image is taken, the fingerprint matcher in the cloud returns results instantly.

The SlapShot SDK allows developers to capture contactless fingerprints and other biometrics within their own apps via calls to the SlapShot APIs.

Note that SlapShot is NOT intended for end users, but for developers to incorporate into existing applications. Also note that it is (currently) ONLY supported on Android, not iOS.

But this does illustrate the continuing move away from dedicated devices, including Integrated Biometrics’ own line of dedicated devices, to multi-use devices that can also perform forensic capture and perform or receive forensic matching results.

And no, Integrated Biometrics is not cannibalizing its own market. I say this for two reasons.

  1. First, there are still going to be customers who will want dedicated devices, for a variety of reasons.
  2. Second, if Integrated Biometrics doesn’t compete in the smartphone contactless fingerprint capture market, it will lose sales to the companies that DO compete in this market.

Contactless fingerprint capture has been pursued by multiple companies for years, ever since the NIST CRADA was issued a few years ago. (Integrated Biometrics’ partner Sciometrics was one of those early CRADA participants, along with others.) Actually this effort launched before that, as there were efforts in 2004 and following years to capture a complete set of fingerprints within 15 seconds; those efforts led, among other things, to the smartphone software we are seeing today. Not only from Integrated Biometrics/Sciometrics, but also from other CRADA participants. (Don’t forget this one.)

Of the CRADA partners, MorphoTrak is now IDEMIA, Diamond Fortress is now Telos ID, Hoyos Labs is now Veridium, AOS is no longer in operation, and 3M’s biometric holdings are now part of Thales. Slide 10 from the NIST presentation posted at https://www.nist.gov/system/files/documents/2016/12/14/iai_2016-nist_contactless_fingerprints-distro-20160811.pdf

Of course these smartphone capture software packages aren’t Electronic Biometric Transmission Specification (EBTS) Appendix F certified, but that’s another story entirely.

The (possible) Afghan data treasure trove doesn’t just threaten the Taliban’s enemies

Recent events in Afghanistan have resulted in discussions among information technology and security professionals.

Taliban fighters in Kabul, Afghanistan, 17 August 2021. By VOA – https://www.youtube.com/watch?v=nAg7egiXClU, Public Domain, https://commons.wikimedia.org/w/index.php?curid=109043891

One August 17 article from the Intercept hit close to home for me:

THE TALIBAN HAVE seized U.S. military biometrics devices that could aid in the identification of Afghans who assisted coalition forces, current and former military officials have told The Intercept.

This post talks about the data the Taliban could POTENTIALLY get from captured biometric devices and other sources, and how that data could conceivably pose a threat to the Taliban’s enemies AND the Taliban itself.

What data could the Taliban get from biometric devices?

The specific device referenced by the Intercept article was HIIDE…and let’s just say that while I don’t know as much about that device as I should, I do know a little bit about it. (It was manufactured by a company that was subsequently acquired by Safran.)

Another source implies that the Taliban may have acquired another device that the Intercept DIDN’T reference. The Taliban may not only have acquired live HIIDE devices, but also may have acquired devices from another company called SEEK.

(Yes, folks, these devices are called HIIDE and SEEK.)

At the time that this was revealed, I posted the following comment on LinkedIn:

Possession is not enough. Can the Taliban actually access the data? And how much data is on the devices themselves?

Someone interviewed by the Intercept speculated that even if the Taliban did not have the technological capability to hack the devices, it could turn to Pakistan’s Inter-Service Intelligence to do so. As we’ve learned over the years, Pakistan and the Taliban (and the Taliban’s allies such as al Qaeda) are NOT bitter enemies.

As I said, I don’t know enough about HIIDE and SEEK, so I’m not sure about some key things.

  • For example, I don’t know whether their on-board biometric data is limited to just biometric features (rather than images). While there’s the possibility that the devices stored biometric images, that has a drawback because of the large size of the images. Features derived from the images (which are necessary in matching anyway) take up much less storage space. And while biometric images are necessary in some cases (such as forensic latent fingerprint examination), there’s no need for images in devices that make a hit/no-hit decision without human intervention.
  • In addition, I don’t know what textual data is linked to the features (or images) on these devices. Obviously the more textual information that is available, such as a name, the more useful the data can be.
  • Also, the features stored on the devices may or may not be useful. There is no one standard for the specification of biometric features (each vendor has its own proprietary feature specification), and while it may be possible to convert fingerprint features from one vendor system to be used by another vendor’s system, I don’t know if this is possible for face and iris features.

Best-case scenario? Even if the Taliban or its friends can access the data on the devices, the data does not provide enough information for it to be used.

Worst-case scenario? The data DOES provide enough information so that EVERY PERSON whose data is stored on the device can be identified by a Taliban-equivalent device, which would presumably be called FIND (Find Infidels, Neutralize, Destroy).

I’ll return to that “every person” point later in this post.

But biometric data isn’t the only data that might have fallen into the Taliban’s hands.

What data could the Taliban get from non-biometric devices?

Now Politico has come out with its own article that asserts that the Taliban can potentially acquire a lot of other data. And Politico is not as pessimistic as the Intercept about the Taliban’s tech capabilities:

That gives today’s technologically adept Taliban tools to target Afghans who worked with the U.S. or the deposed Afghan government with unprecedented precision, increasing the danger for those who don’t get out on evacuation flights.

Before looking at the data the Taliban may have acquired, it’s useful to divide the data sources between data acquired from clients and data acquired from on-premise servers. HIIDE and SEEK, for example, are clients. (I’m only talking about on-premise servers because any data stored in a US government cloud can hopefully be secured so that the Taliban can’t get it. Hopefully.)

Unlike HIIDE and SEEK, which are mobile client devices, the Politico article focuses on data that is stored on on-premise Afghan government servers. It notes that American IT officials were more likely than Afghan IT officials to scrub their systems before the Taliban takeover, and one would hope that any data stored in US government cloud systems could also be secured before the Taliban could access it.

So what types of data would the Afghan government servers store?

Telecom companies store reams of records on who Afghan users have called and where they’ve been. Government databases include records of foreign-funded projects and associated personnel records.

More specifics are provided regarding telecom company data:

Take call logs. Telecommunications companies keep a record of nearly every phone call placed and to whom. U.S. State Department officials used the local cell networks to make calls to those who were working with the United States, including interpreters, drivers, cooks and more…

And mobile phone data is even more revealing:

Cell phones and mobile apps share data about users with third-party apps, such as location data, that the Taliban could easily get…

The geolocation issue has been known for years. Remember the brouhaha when military users of a particular fitness app effectively revealed the locations of secret U.S. military facilities?

Helmand province in Afghanistan. Photograph: Strava heatmap. Reproduced at https://www.theguardian.com/world/2018/jan/28/fitness-tracking-app-gives-away-location-of-secret-us-army-bases

In locations like Afghanistan, Djibouti and Syria, the users of Strava seem to be almost exclusively foreign military personnel, meaning that bases stand out brightly. In Helmand province, Afghanistan, for instance, the locations of forward operating bases can be clearly seen, glowing white against the black map.

Now perhaps enemy forces already knew about these locations, but it doesn’t help to broadcast them to everyone.

Back to Afghanistan and other data sources.

Afghan citizens’ ethnicity information can also be found in databases supporting the national ID system and voter registration.

This can be used by digital identity opponents to argue that digital identity, or any identity, is dangerous. I won’t dive into that issue right now.

Politico mentions other sources of data that the Taliban could conceivably access, including registration information (including identity documents) for non-governmental organization workers, tax records, and military commendation records.

So if you add up all of the data from all of the Afghan servers, and if the Taliban or its allies are able to achieve some level of technical expertise, then the data provides enough information so that EVERY PERSON whose data is stored on the servers can be identified by the Taliban.

Before we completely panic…

Of course it takes some effort to actually EMPLOY all of this data. In the ideal world, the Taliban would create a supercomputer system that aggregates the data and creates personal profiles that provide complete pictures of every person. But the world is not ideal, even in technologically advanced countries: remember that even after 9/11, it took years for the U.S. Departments of Justice, Homeland Security, and Defense to get their biometric systems to talk to each other.

Oh, and there’s one more thing.

Remember how I’ve mentioned a couple of times that the Taliban could conceivably get information on EVERY PERSON whose data is stored on these devices and servers?

One thing that’s been left unsaid by all of these commentaries is that this data trove not only reveals information about the enemies of the Taliban, but also reveals information about the Taliban itself.

  • The HIIDE and SEEK devices could include biometric templates of Taliban members (who would be considered “enemies” by these devices and may have been placed on “deny lists”).
  • The telecommunications records could reveal calls placed and received by Taliban members, including calls to Afghan government officials and NATO members that other Taliban members didn’t know about.
  • Mobile phone records could reveal the geolocations of Taliban members at any time, including locations that they didn’t want their fellow Taliban members to know about.
  • In general, the records could reveal Taliban members, including high-ranking Taliban members, who were secretly cooperating with the Taliban’s enemies.

With the knowledge that all of this data is now available, how many Taliban members will assist in decrypting this data? And how many will actively block this?

Oh, and even if all of the Taliban were completely loyal, any entity (such as the Pakistani Inter-Service Intelligence) that gets a hold of the data will NOT restrict its own data acquisition efforts to American, NATO, and former Afghan government intelligence. No, it will acquire information on the Taliban itself.

After all, this information could help the Pakistanis (or Chinese, or Russians, or whoever) put the, um, finger on Taliban members, should it prove useful to do so in the future.

Then again, Pakistan may want to ensure that its own digital data treasure trove is safe.

When people confuse the two companies Integrated Biometric Technology and Integrated Biometrics

This is the “oops” of the month (actually for the month of July).

By U.S. Government – ATSDR (part of the CDC) series of state-specific fact sheets. Bitmap versions have been seen on US Embassy websites. Direct PDF URL [1], Public Domain, https://commons.wikimedia.org/w/index.php?curid=14801198

On Monday, July 26 the Tennessee Department of Economic and Community Development made an important announcement:

Tennessee Gov. Bill Lee, Department of Economic and Community Development Commissioner Bob Rolfe and Integrated Biometric Technology, LLC (IBT) officials announced today that the company will establish new operations and locate its corporate headquarters in Franklin.

For those who aren’t familiar with the Nashville area, Franklin is a suburb of Nashville. Coincidentally, IDEMIA (IBT President & CEO Charles Carroll’s former employer) used to have an office in Franklin (I visited it in June 2019), but it has since moved to another Nashville suburb.

This job-related news obviously pleased a number of other Tennessee government officials, including one whom (in this post at least) will remain nameless. The government official tweeted the following, along with a link to the announcement:

Congratulations to @IntegratedBiome on their decision to locate their facility in Franklin and to all our state and local officials who helped bring these jobs home!

A nice sentiment to be sure…except for one teeny problem.

The government official didn’t tag Integrated Biometric Technology (who appears to have a Twitter account, but it isn’t live yet), but instead tagged a SOUTH CAROLINA company with a similar name, Integrated Biometrics. (I’ve discussed this company before. They’re the ones who really like 1970s TV crime fighters.)

Book ’em, Danno! By CBS Television – eBay item photo front photo back, Public Domain, https://commons.wikimedia.org/w/index.php?curid=19674714

Integrated Biometrics’ social media person set the record straight.

Hi there! That article is actually about Integrated Biometric Technology – not us (Integrated Biometrics)

It turns out that the two companies with similar names have existed in one form or another for nearly two decades. The first iteration of Integrated Biometric Technology was established in 2005, while Integrated Biometrics dates back to 2002. I was in Motorola at the time and can’t remember any name confusion in those days, since I was busy concentrating on other things…such as AFIX Tracker.

Cue the “It’s a Small World” music. Trust me, the biometrics world can be very small at times…

Telos enters the touchless fingerprint market

Years before COVID became a thing, the U.S. government had a desire to encourage touchless fingerprint technologies. This began many years ago with a concerted effort to capture a complete set of fingerprints in less than 15 seconds. By 2016, this had evolved to a set of Cooperative Research and Development Agreements (CRADA) entered into by the National Institute of Standards and Technology and several private companies.

For purposes of this post, I’m going to concentrate on just one of the listed mobile fingerprint capture technology solutions. The mobile fingerprint capture technologies from these companies were intended to support the capture of fingerprints from a standard smartphone without any additional capture equipment. (Compare this to the portal/kiosk category, which employed specialized capture equipment.)

One of NIST’s CRADA partners for mobile fingerprint capture was a company called Diamond Fortress Technologies.

Via our CRADA  relationship (Cooperative Research and Development Agreement), Diamond Fortress is currently working with NIST to develop standards dealing with best practices, certification methodology, data formatting and interoperability with legacy contact-based and inked print databases for optical acquisition systems. This will support future certification for purchase on the Government Certified Products lists.

Fast forward a few years, and Diamond Fortress Technologies’ offering is back in the news again.

Telos Corporation has acquired the ONYX touchless fingerprint biometric software and other assets of Diamond Fortress Technologies (DFT), and appears to be targeting new verticals with the technology.

Now that happened to catch my eye for one particular reason.

You see, my former employer IDEMIA used to have a monopoly on the TSA PreCheck program. If you wanted to enroll in TSA PreCheck, you HAD to go to IDEMIA. This provided a nice revenue stream for IDEMIA…well, perhaps not so nice when all of the airports lost traffic due to COVID.

Anyway, the Congress decided that one provider wasn’t optimal for government purposes, so in early 2020 other vendors were approved as TSA PreCheck providers.

WASHINGTON – Transportation Security Administration (TSA) today announced that TSA PreCheck™ enrollment services will now be provided by Alclear, LLC; Telos Identity Management Solutions, LLC; and Idemia Identity & Security USA, LLC, expanding the opportunities that enable travelers to apply for TSA PreCheck.

Just to clarify, the company then known as Alclear is better known to the general public as CLEAR.

And the third company is Telos.

Which is now apparently moving into the touchless fingerprint space.

Now THAT is going to have an impact on enrollment.

Build your own automated fingerprint identification system…for FREE!

At Bredemarket, I work with a number of companies that provide biometric systems. And I’ve seen a lot of other systems over the years, including fingerprint, face, DNA, and other systems.

The components of a biometric system

While biometric systems may seem complex, the concept is simple. Years ago, I knew a guy who asserted that a biometric system only needs to contain two elements:

  • An algorithm that takes a biometric sample, such as a fingerprint image, and converts it into a biometric template.
  • An algorithm that can take these biometric templates and match them against each other.

If you have these two algorithms, my friend stated that you had everything you need for an biometric system.

Well, maybe not everything.

Today, I can think of a few other things that might be essential, or at least highly recommended. Here they are:

  • An algorithm that can measure the quality of a biometric sample. In some cases, the quality of the sample may be important in determining how reliable matching results may be.
  • For fingerprints, an algorithm that can classify the prints. Forensic examiners routinely classify prints as arches, whorls, loops, or variants of these three, and classifications can sometimes be helpful in the matching process.
  • For some biometric samples, utilities to manage the compression and decompression of the biometric images. Such images can be huge, and if they can be compressed by a reliable compression methodology, then processing and transmission speeds can be improved.
  • A utility to manage the way in which the biometric data is accessed. To ensure that biometric systems can talk to each other, there are a number of related interchange standards that govern how the biometric information can be read, written, edited, and manipulated.
  • For fingerprints, a utility to segment the fingerprints, in cases where multiple fingerprints can be found in the same image.

So based upon the two lists above, there are seven different algorithms/utilities that could be combined to form an automated fingerprint identification system, and I could probably come up with an eighth one if I really felt like it.

My friend knew about this stuff, because he had worked for several different firms that produced fingerprint identification systems. These firms spent a lot of money hiring many engineers and researchers to create all of these algorithms/utilities and sell them to customers.

How to get these biometric system components for free

But what if I told you that all of these firms were wasting their time?

And if I told you that since 2007, you could get source code for ALL of these algorithms and utilities for FREE?

Well, it’s true.

To further its testing work, the National Institute of Standards and Technology (NIST) created the NIST Biometric Image Software (NBIS), which currently has eight algorithms/utilities. (The eighth one, not mentioned above, is a spectral validation/verification metric for fingerprint images.) Some of these algorithms and utilities are available separately or in other utilities: anyone can (and is encouraged to) use the quality algorithm, called NFIQ, and the minutiae detector MINDTCT is used within the FBI’s Universal Latent Workstation (ULW).

If the FBI had just waited until 2007, it could have obtained the IAFIS software for free. FBI image taken from Chapter 6 of the Fingerprint Sourcebook, https://www.ojp.gov/pdffiles1/nij/225326.pdf.

As I write this, NBIS has not been updated in six years, when Release 5.0.0 came out.

Is anyone using this in a production system?

And no, I am unaware of any law enforcement agency or any other entity that has actually USED NBIS in a production system, outside of the testing realm, with the exception of limited use of selected utilities as noted above. Although Dev Technology Group has compiled NBIS on the Android platform as an exercise. (Would you like an AFIS on your Samsung phone?)

But it’s interesting to note that the capability is there, so the next time someone says, “Hey, let’s build our own AFIS!” you can direct them to https://www.nist.gov/itl/iad/image-group/products-and-services/image-group-open-source-server-nigos#Releases and let the person download the source code and build it.

Maryland will soon deal with privacy stakeholders (and they CAN’T care about the GYRO method)

Just last week, I mentioned that the state of Utah appointed the Department of Government Operations’ first privacy officer. Now Maryland is getting into the act, and it’s worth taking a semi-deep dive into what Maryland is doing, and how it affects (or doesn’t affect) public safety.

By François Jouffroy – Christophe MOUSTIER (1994), Attribution, https://commons.wikimedia.org/w/index.php?curid=727606

According to Government Technology, the state of Maryland has created two new state information technology positions, one of which is the State Chief Privacy Officer. Because government, I will refer to this as the SCPO throughout the remainder of this post. If you are referring to this new position in verbal conversation, you can refer to the “Maryland skip-oh.” Or the “crab skip-oh.”

From https://teeherivar.com/product/maryland-is-for-crabs/. Fair use. Buy it if you like it. Virginians understand the origins of the phrase.

Governor Hogan announced the creation of the SCPO position via an Executive Order, a PDF of which can be found here.

Let me call out a few provisions in this executive order.

  • A.2. defines “personally identifiable information,” consisting of a person’s name in conjunction with other information, including but not limited to “[b]iometric information including an individual’s physiological or biological characteristics, including an individual’s deoxyribonucleic acid.” (Yes, that’s DNA.) Oh, and driver’s license numbers also.
  • At the same time, A.2 excludes “information collected, processed, or shared for the purposes of…public safety.”
  • But on the other hand, A.5 lists specific “state units” covered by certain provisions of the law, including both The Department of Public Safety and Correctional Services and the Department of State Police.
  • The reason for the listing of the state units is because every one of them will need to appoint “an agency privacy official” (C.2) who works with the SCPO.

There are other provisions, including the need for agency justification for the collection of personally identifiable information (PII), and the need to provide individuals with access to their collected PII along with the ability to correct or amend it.

But for law enforcement agencies in Maryland, the “public safety” exemption pretty much limits the applicability of THIS executive order (although other laws to correct public safety data would still apply).

Therefore, if some Maryland sheriff’s department releases an automated fingerprint identification system Request for Proposal (RFP) next month, you probably WON’T see a privacy advocate on the evaluation committee.

But what about an RFP released in 2022? Or an RFP released in a different state?

Be sure to keep up with relevant privacy legislation BEFORE it affects you.

You will soon deal with privacy stakeholders (and they won’t care about the GYRO method)

I’ve written about the various stakeholders at government agencies who have an interest in biometrics procurements- not only in this post, but also in a post that is available to Bredemarket Premium subscribers. One of the stakeholders that appeared on my list was this one.

The privacy advocate who needs to ensure that the biometric data complies with state and national privacy laws.

Broken Liberty: Istanbul Archaeology Museum. By © Nevit Dilmen, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=1115936

If you haven’t encountered a privacy advocate in your marketing or proposal efforts…you will.

Utah Gov. Spencer Cox has appointed Christopher Bramwell as the Department of Government Operations’ first privacy officer….As privacy officer, Bramwell will be responsible for surveying and compiling information about state agencies’ privacy practices to discern which poses a risk to individual privacy. He will also work with the personal privacy oversight commission and state privacy officer to provide government privacy practice reports and recommendations.

Obviously this affects companies that work with government agencies on projects such as digital identity platforms. After all, mobile driver’s licenses contain a wealth of personally identifiable information (PII), and a privacy advocate will naturally be concerned about who has access to this PII.

But what about law enforcement? Do subjects in law enforcement databases have privacy rights that need to be respected? After all, law enforcement agencies legally share PII all the time.

However, there are limitations on what law enforcement agencies can share.

  • First off, remember that not everyone in a law enforcement database is an arrested individual. For example, agencies may maintain exclusion databases of police officers and crime victims. When biometric evidence is found at a crime scene, agencies may compare the evidence against the exclusion database to ensure that the evidence does not belong to someone who is NOT a suspect. (This can become an issue in DNA mixtures, by the way.)
  • Second off, even arrested individuals have rights that need to be respected. While arrested individuals lose some privacy rights (for example, prisoners’ cells can be searched and prisoners’ mail can be opened), a privacy advocate should ensure that any system does not deny prisoners protections to which they are entitled.

So expect to see a raised concern about privacy rights when dealing with law enforcement agencies. This concern will vary from jurisdiction to jurisdiction based upon the privacy (and biometric) laws that apply in each jurisdiction, but vendors that do business with government agencies need to stay abreast of privacy issues.

A little more about stakeholders, or actors, or whoever

Whether you’re talking about stakeholders in a government agency, stakeholders at a vendor, or external stakeholders, it’s important to identify all of the relevant stakeholders.

Or whatever you call them. I’ve been using the term “stakeholders” to refer to these people in this post and the prior posts, but there are other common terms that could be used. People who construct use cases refer to “actors.” Marketers will refer to “personas.”

Whatever term you use, it’s important to distinguish between these stakeholders/actors/personas/whatever. They have different motivations and need to be addressed in different ways.

When talking with Bredemarket clients, I often need to distinguish between the various stakeholders, because this can influence my messaging significantly. For example, if a key decision-maker is a privacy officer, and I’m communicating about a fingerprint identification system, I’m not going to waste a lot of time talking about the GYRO method.

My time wouldn’t be wasted effort if I were talking to a forensic examiner, but a privacy advocate just wouldn’t care. They would just sit in silence, internally musing about the chances that a single latent examiner’s “green” determination could somehow expose a private citizen to fraud or doxxing or something.

This is why I work with my clients to make sure that the messaging is appropriate for the stakeholder…and when necessary, the client and I jointly develop multiple messages for multiple stakeholders.

If you need such messaging help, please contact Bredemarket for advice and assistance. I can collaborate with you to ensure that the right messages go to the right stakeholders.

Pangiam, CLEAR, and others make a “sporting” effort to deny (or allow) stadium access

Back when I initially entered the automated fingerprint identification systems industry in the last millennium, I primarily dealt with two markets: the law enforcement market that seeks to solve crimes and identify criminals, and the welfare benefits market that seeks to make sure that the right people receive benefits (and the wrong people don’t).

Other markets simply didn’t exist. If I pulled out my 1994-era mobile telephone and looked at it, nothing would happen. Today, I need to look at my 2020-era mobile telephone to obtain access to its features.

And there are other biometric markets also.

Pangiam and stadium bans

Back in 1994 I couldn’t envision a biometrics story in Sports Illustrated magazine. But SI just ran a story on how facial recognition can be used to keep fans out of stadiums who shouldn’t be there.

Some fans (“fanatics”) perform acts in stadiums that cause the sports teams and/or stadium authorities to officially ban them from the stadium, sometimes for life.

John Green is the man in the blue shirt and white baseball cap to Artest’s left. By Copyright 2004 National Basketball Association. – Television broadcast of the Pacers-Pistons brawl on ESPN., Fair use, https://en.wikipedia.org/w/index.php?curid=6824157

But in the past, these measures were ineffective.

For a long time, those “measures” were limited at best. Fans do not have to show ID upon entering arenas. Teams could run checks on all the credit cards to purchase tickets to see whether any belonged to banned fans, but those fans could easily have a friend buy the tickets. 

But there are other ways to enforce stadium bans, and Sports Illustrated quoted an expert on the matter.

“They’ve kicked the fan out; they’ve taken a picture—that fan they know,” says Shaun Moore, CEO of a facial-recognition company called Trueface. “The old way of doing things was, you give that picture to the security staff and say, ‘Don’t let this person back in.’ It’s not really realistic. So the new way of doing it is, if we do have entry-level cameras, we can run that person against everyone that’s coming in. And if there’s a hit, you know then; then there’s a notification to engage with that person.”

This, incidentally, is an example of a “deny list,” or the use of a security system to deny a person access. We’ll get to that later.

But did you notice the company that was mentioned in the last quote? I’ve mentioned that company before, because Trueface was the most recent acquisition by the company Pangiam, a company that has also acquired airport security technology.

But Pangiam/Trueface isn’t the only company serving stadium (and entertainment) venues.

CLEAR and stadium entry

Most of the time, sports stadiums aren’t concentrating on the practice of DENYING people entry to a stadium. They make a lot more money by ALLOWING people entry to a stadium…and allowing them to enter as quickly as possible so they can spend money on concessions.

One such company that supports this is CLEAR, which was recently in the news because of its Initial Public Offering. Coincidentally, CLEAR also provides airport security technology, but it has branched out from that core market and is also active in other areas.

For example, let’s say you’re a die-hard New York Mets fan, and you head to Citi Field to watch a game.

By Chris6d – Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=101751795

The Mets don’t just let anyone into the stadium; you have to purchase a ticket. So you need to take your ticket out of your pocket and show it to the gate staff, or you need to take your smartphone out of your pocket and show your digital ticket to the gate staff.

What if you could get into the stadium without taking ANYTHING out of your pocket? Well, you can.

In the CLEAR Lane, your fingerprint is all you need to use tickets in your MLB Ballpark app – no need to pull out your phone or printed ticket as you enter the game.

Now that is really easy.

Pangiam and CLEAR aren’t the only companies in this space, as I well know. But there’s the possibility that biometrics will be used more often for access to sports games, concerts, and similar events.

How livescan fingerprinting enrollment service providers win business

One of the tasks that I used to perform as an employee of IDEMIA was to track the state-by-state status of livescan fingerprinting enrollment services. And I soon discovered that enrollment services differed substantially from IDEMIA’s other major product lines.

This post describes the nuances in livescan fingerprinting enrollment services, the many players that are involved, the livescan technology, and (most importantly) how enrollment service providers win business.

Why enrollment services differ from driver’s license and AFIS services

At IDEMIA, I tracked the company’s presence in three major product lines (and a slew of others). And IDEMIA’s presence in each market differed depending upon the nuances of the markets.

  • For IDEMIA’s driver’s license services, there was only one provider for each state. Let’s face it, you can’t have two agencies issuing state driver’s licenses. (Although I guess this would satisfy someone’s libertarian fantasy.)
  • For IDEMIA’s automated fingerprint identification systems (AFIS), there was only one provider of law enforcement AFIS in each state. However, there were other statewide fingerprinting systems back in the days when fingerprints were used for welfare benefits, and a number of county and city law enforcement agencies had their own AFIS systems.
  • But for IDEMIA’s enrollment services, there could potentially be dozens or hundreds of small businesses that provided the service. All of this depended upon how the state authorized enrollment. In some states, only one private entity could provide enrollment services, while in some other states multiple private entities could do so.

Why we have enrollment services

So what are “enrollment services”? I’ll defer to my former employer IDEMIA and use the description from its IdentoGO website.

IdentoGO by IDEMIA provides a wide range of identity-related services with our primary service being the secure capture and transmission of electronic fingerprints for employment, certification, licensing and other verification purposes – in professional and convenient locations.

Of course IdentoGO isn’t the only “channeler” in town. A number of these small businesses that provide enrollment services are allied with Certifix Livescan, others with Thales (Gemalto), others with Fieldprint, others with Biometrics4All, and others with many other FBI-approved channelers.

And in some cases, you can go to your local police agency and have the police capture your fingerprints for enrollment purposes.

The Ripon (California) Police Department provides LiveScan fingerprinting service to the public. https://riponpd.org/?page_id=1226

The channelers, and the hundreds upon hundreds of local businesses that are supported by them, handle some or all of a variety of fingerprint verification tasks, including (depending upon the individual state or Federal regulations) banking, education, firearm permits, health care, insurance, legal services, real estate, social services, state employment, transportation, and many others.

  • The basic theory is that if you are, for example, applying for a banking position, your fingerprints are searched against the FBI’s fingerprint database to make sure you don’t have a prior fraud conviction.
  • Or if you’re applying for an education position, you weren’t previously convicted of committing a crime at a school or with children.
  • Or if you’re applying for a transportation position, those multiple drunk driving convictions may cause a problem.

You get the idea.

Who are the end enrollment service providers?

So who are these small business owners who offer these livescan fingerprinting enrollment services?

In most cases, enrollment services are an add-on to a small firm’s existing business.

  • Maybe the business is a travel agency, and it offers fingerprinting along with other travel-related services (such as passport photos).
  • Maybe the business is a tax preparation service.
  • Maybe it’s an insurance agency.

So the business buys or leases a desktop livescan station, aligns with one of the major channelers, gets the necessary state approvals (in California, from the Office of the Attorney General), and waits for the applicants to…well, apply.

Livescan fingerprint capture isn’t idiot-proof, but if I can do it, you probably can also

“But wait,” you may say. “Isn’t the capture of fingerprints a specialized process requiring substantial forensic knowledge?”

She’s not a CSI, but she played one on TV. By Source, Fair use, https://en.wikipedia.org/w/index.php?curid=17752707

While you do need to take care to capture fingerprints correctly, livescan systems have dramatically improved in quality, allowing a travel agent or insurance agent to capture high-quality prints.

(I’ll let you in on a little secret: even the law enforcement officers who capture livescan prints from criminals don’t necessarily have years of experience in fingerprint capture.)

As someone who has worked with livescan systems since the mid 1990s, I can attest to the dramatic improvements in livescan technology. I wasn’t around in the early 1990s when Printrak and Digital Biometrics partnered to provide an AFIS-compatible livescan, but I was certainly around when Printrak introduced its own livescan, the LiveScan Station 2000 (LSS 2000), that competed with Digital Biometrics, Identix, and other livescan providers. (Today, former competitors Digital Biometrics, Identix, and Printrak are all part of a single company, IDEMIA.) The LSS 2000 used a Printrak-manufactured capture device attached to a computer running Digital UNIX.

By the time I became a product manager (not for livescans, but for AFIS servers), Motorola introduced two new livescan devices, the LiveScan Station 3000U and the LiveScan Station 3000N. (The “U” stood for Unix, the “N” for the Windows NT family.) The capture device for these two workstations was manufactured by Heimann Biometric Systems, which through a series of subsequent mergers is now part of HID Global.

When you’re an employee of a fingerprinting company, you’re often asked to participate in fingerprint scanner tests. (At least you were in the days before GDPR and CCPA.) So the livescan engineers decided to compare the capture quality of the LSS 2000, the LSS 3000U, and the LSS 3000N. I joined several others in participating in the scanner tests.

But I ran into a problem.

At the time that I participated in this scanner test, I had been working with paper for about two decades, and as a result of this and other things I have very light fingerprints. This isn’t an issue if you’re using a subdermal fingerprint capture system (Lumidigm, one manufacturer of such systems, was also acquired by HID Global), but it’s definitely an issue with the average optical system.

Oh, and did I mention that we were capturing our OWN fingerprints as part of this test? Rather than getting a trainer or someone with law enforcement experience to take our prints, this motley assemblage of marketers and engineers was following the DIY route.

With the result that the fingerprints that I captured on the LSS 2000 were pretty much unusuable.

But the later generation LSS 3000 prints looked a lot better. (I believe that the LSS 3000N prints were the best, which heralded the last hurrah for UNIX workstations in the AFIS world, as Windows computers proved their ability to perform AFIS work.)

And of course time has not stood still since those experiments in the early 2000s. (Although you can still buy a LiveScan 3000N today, for the price of $1.00.)

Today you can buy livescan stations that capture prints at 1000 pixels per inch (ppi), 4 times the resolution of the 500 ppi stations that were prevalent in the 1990s and early 2000s. And frankly, that are still prevalent today; most law enforcement agencies see no need to buy the more expensive 1000 ppi stations, so 500 ppi stations still prevail.

So how does a customer select a livescan fingerprinting enrollment service provider?

So let’s say a customer is applying for a position at a bank or at a school or somewhere else that asks for a fingerprint check. In the state of California, there’s not just one place that you can go to get this service. For example, there are probably a dozen or more enrollment service providers within a few miles of Bredemarket’s corporate headquarters in Ontario.

So how does a customer select a livescan fingerprinting enrollment service provider?

Well, customers do so just like they do with any other business.

IdentoGO Mobile Enrollment RV. https://www.identogo.com/mobile-enrollment-rv
  • Maybe they saw a picture of the IdentoGO RV and that caused “IdentoGO” to stick in their mind when searching for an enrollment service provider.
  • Or maybe they’re driving down a street in the neighborhood and they see a sign that mentions “livescan fingerprinting.”
  • Or maybe they’re on Facebook and see a page that promotes a specific livescan fingerprint enrollment service provider.

The key for the enrollment service provider, of course, is to make sure that your message stays top of customer’s mind when the time comes for the customer to need your service.

  • Your message needs to appear where the customer will see it.
  • Your message has to speak to the customer’s needs.
  • And your message must explain how to obtain the service. Does the customer have to make an appointment? If so, how does the customer make the appointment?

If the customer never sees your message, it’s going to be a lot harder for the customer to use your business. While the California Office of the Attorney General does include a list of all of the authorized livescan fingerprinting providers in California, and all of the various channelers maintain their own lists, neither the Attorney General nor your friendly channeler is going to necessarily direct someone to YOUR business.

You need to let your customers know of your existence, and WHY your service BENEFITS them as opposed to the service down the street.

Bredemarket can help.

If you provide livescan fingerprinting enrollment services and need experienced and knowledgeable help in getting your message out to your customers, contact me:

Read Mike French’s “Why agencies should conduct their own AFIS benchmarks rather than relying on others.”

Today my content calendar says that I’m supposed to be posting about social media, so I’m going to discuss a LinkedIn article. That fits, doesn’t it?

Seriously, Mike French has posted his long-awaited (by me, anyway) article on the need for automated fingerprint identification system (AFIS) benchmarks. And his perspective is valuable.

People enter the AFIS industry in different ways. I entered the industry as a writer, and therefore needed some time to master the forensic and technical concepts. Mike came from the forensic disciplines, having worked in the Latent Print Unit at the King County Sheriff’s Office before joining Sagem Morpho, which became MorphoTrak, which became IDEMIA Identity & Security N.A.

Because of this background, Mike obviously has an appreciation for a law enforcement agency’s forensic requirements, and why it is important for the agency to conduct its own benchmark of AFIS vendors. As Mike notes, more and more agencies are choosing to rely on independent measurements based on test data. This may not be the best course for an agency.

But go read Mike’s words yourself.

https://www.linkedin.com/pulse/why-agencies-should-conduct-own-afis-benchmarks-rather-mike-french/