Two companies that can provide friction ridge/face marketing and writing services, now that Bredemarket won’t

I recently announced a change in business scope for my DBA Bredemarket. Specifically, Bredemarket will no longer accept client work for solutions that identify individuals using (a) friction ridges (including fingerprints and palm prints) and/or (b) faces.

This impacts some companies that previously did business with me, and can potentially impact other companies that want to do business with me. If you are one of these companies, I am no longer available.

Fingerprint evidence
From https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.500-290e3.pdf (a/k/a “leisure reading for biometric system professionals”).

Since Bredemarket will no longer help you with your friction ridge/face marketing and writing needs, who will? Who has the expertise to help you? I have two suggestions.

Tandem Technical Writing

Do you need someon who is not only an excellent communicator, but also knows the ins and outs of AFIS and ABIS systems? Turn to Tandem Technical Writing LLC.

I first met Laurel Jew back in 1995 when I started consulting with, and then working for, Printrak. In fact, I joined Printrak when Laurel went on maternity leave. (I was one of two people who joined Printrak at that time. As I’ve previously noted, Laurel needed two people to replace her.)

Laurel worked for Printrak and its predecessor De La Rue Printrak for several years in its proposals organization.

Today, her biometric and communication experience is available to you. Tandem Technical Writing provides its clients with “15 years of proposal writing and biometrics technology background with high win %.”

Why does this matter to you? Because Laurel not only understands your biometric business, but also understands how to communicate to your biometric clients. Not many people can do both, so Laurel is a rarity in this industry.

The Tandem Technical Writing website is here.

To schedule a consultation, click here.

Applied Forensic Services

Perhaps your needs are more technical. Maybe you need someone who is a certified forensics professional, and who has also implemented many biometric systems. If that is your need, then you will want to consider Applied Forensic Services LLC.

I met Mike French in 2009 when Safran acquired Motorola’s biometric business and merged it into its U.S. subsidiary Sagem Morpho, creating MorphoTrak (“Morpho” + “Printrak”). I worked with him at MorphoTrak and IDEMIA until 2020.

Unlike me, Mike is a true forensic professional. (See his LinkedIn profile.) Back in 1994, when I was still learning to spell AFIS, Mike joined the latent print unit at the King County (Washington) Sheriff’s Office, where he spent over a decade before joining Sagem Morpho. He is an IAI-certified Latent Print Examiner, an IEEE-certified Biometric Professional, and an active participant in IAI and other forensic activities. I’ve previously referenced his advice on why agencies should conduct their own AFIS benchmarks.

Why does this matter to you? Because Mike’s consultancy, Applied Forensic Services, can provide expert advice on biometric procurements and implementation, ensuring that you get the biometric system that addresses your needs.

Applied Forensic Services offers the following consulting services:

The Applied Forensic Services website is here.

To schedule a consultation, click here.

Yes, there are others

There are other companies that can help you with friction ridge and face marketing, writing, and consultation services.

I specifically mention these two because I have worked with their principals both as an employee during my Printrak-to-IDEMIA years, and as a sole proprietor during my Bredemarket years. Laurel and Mike are both knowledgeable, dedicated, and can add value to your firm or agency.

And, unlike some experienced friction ridge and face experts, Laurel and Mike are still working and have not retired. (“Where have you gone, Peter Higgins…”)

Bredemarket announcement: change in business scope

Effective immediately:

  1. Bredemarket does not accept client work for solutions that identify individuals using (a) friction ridges (including fingerprints and palm prints) and/or (b) faces.
  2. Bredemarket does not accept client work for solutions that identify individuals using secure documents, such as driver’s licenses or passports. 

Is “common sense” enough for a jury to consider expert testimony? (min version)

(Welcome to my A/B test. For the other version of this post, click here.)

As I’ve previously noted, the 2009 NAS report on forensic science has revolutionized fingerprint identification and a number of other forensic disciplines.

One part of this revolution was the Department of Justice 2018 document entitled “UNIFORM LANGUAGE FOR TESTIMONY AND REPORTS FOR THE FORENSIC LATENT PRINT DISCIPLINE.” A PDF version of the report can be found here.

This document applies to Department of Justice examiners who are authorized to prepare reports and provide expert witness testimony regarding the forensic examination of latent print evidence.

From https://www.justice.gov/olp/page/file/1083691/download

Based upon the NAS report and subsequent efforts, Part IV of the DOJ document (“Qualifications and Limitations of Forensic Latent Print Examinations”) sets some clear guidelines about how a latent print examiner should describe his or her findings.

From https://www.justice.gov/olp/page/file/1083691/download

So a pre-2009 latent print examiner who appeared in court and said “I am 100% certain that these two fingerprints belong to the same person, to the exclusion of all other persons, because I have never been wrong in the last 25 years” would fail the 2018 DOJ criteria.

But would a jury know that?

That’s what CSAFE discussed in a recent post, “AAFS 2022 RECAP: UNDERSTANDING JUROR COMPREHENSION OF FORENSIC TESTIMONY: ASSESSING JURORS’ DECISION MAKING AND EVIDENCE EVALUATION.” Feel free to read the entire article, or if you like you can read my “succinct” excerpt from two portions of the article:

Koolmees and her colleagues examined whether jurors could distinguish low-quality testimony from high-quality testimony of forensic experts, using the language guidelines released by the Department of Justice (DOJ) in 2018 as an indicator of quality….

Only when comparing the conditions of zero guideline violations and four and five violations were there any changes in guilty verdicts, signifying jurors may notice a change in the quality of forensic testimony only when the quality is severely low.

From https://forensicstats.org/blog/2022/03/29/aafs-2022-recap-understanding-juror-comprehension-of-forensic-testimony-assessing-jurors-decision-making-and-evidence-evaluation/

So this raises the question of whether the NAS report, for all of its revolutionary effects, will have any true results in courtroom testimony.

  • Will jurors heed the advice from the DOJ guidelines to accurately consider the testimony of a forensic expert?
  • Or will the jurors’ “common sense,” based on old Perry Mason and C.S.I. TV shows, prevent jurors from consiering expert testimony in the correct light?

Is “common sense” enough for a jury to consider expert testimony? (max version)

(Welcome to my A/B test. For the other version of this post, click here.)

I feel like Ben Maller, a sports radio broadcaster who likes to take three seemingly unrelated phrases and spin them into a monologue.

For this post, the three phrases are “common sense,” “succinct,” and “expert juror testimony.”

I want to (succinctly) pose the question, “Is ‘common sense’ enough for a jury to consider expert testimony?'”

Common Sense

Mitch Wagner recently shared a New Yorker article by Matthew Hutson that claimed that artificial intelligence was lacking in “common sense.” Here is one of the examples cited in the article:

By definition, common sense is something everyone has; it doesn’t sound like a big deal. But imagine living without it and it comes into clearer focus. Suppose you’re a robot visiting a carnival, and you confront a fun-house mirror; bereft of common sense, you might wonder if your body has suddenly changed. 

From https://www.newyorker.com/tech/annals-of-technology/can-computers-learn-common-sense

But is the human ability to discern that one’s body was NOT modified truly “common sense”? I argued otherwise in a comment on Wagner’s LinkedIn post.

But is there really a difference between “common sense” and the data acquisition that AI engines perform?

Take the fun-house mirror example in the article. When I first encountered a fun-house mirror, I would either (a) think like a robot and wonder if my body had changed, or (b) draw upon a vast reservoir of past experiences with mirrors and bent objects to deduce that this particular mirror had properties that would display my body in a different way. A person who had never encountered a mirror or a bent object would not have the “common sense” to realize how a fun-house mirror operates.

From https://www.linkedin.com/feed/update/urn:li:activity:6917849217554100225/?commentUrn=urn%3Ali%3Acomment%3A%28activity%3A6917849217554100225%2C6917865639671980032%29

Perhaps I’m wrong, but it seems that everyone takes cues from their past experiences (touching a hot stove, or watching “Perry Mason” or “C.S.I.” on TV), and that helps form our “common sense.”

Succinct

If you read my original comment on Wagner’s post, you’ll notice that I only reproduced the first part here, since the other parts weren’t relevant to this post.

Concise writing is something that Becca Phengvath of Robin Writers reminded us about in a recent post. She started by telling a story about a meeting with one of her college English teachers to review a writing assignment.

“This is good,” she said. But I felt her preparing to say more. 

“But look what happens when you remove ‘able to’,” she added, pointing to several spots where I wrote the phrase. “It’s never really needed, see?” 

She read a few of my sentences with “able to” omitted and I was shocked at how it immediately strengthened my writing. Since then, I have very very rarely used that phrase in my writing thanks to her.

From https://robinwriters.com/2022/04/07/how-to-make-your-writing-more-concise/

I liked this post so much that I shared in on various social accounts, with the following comment:

I really need to do this more often.

I should do this more.

Expert Juror Testimony

Now let’s get to the meat of the post. (I could have left the first two parts of the post out, I guess, but I wanted to provide some background.)

As I’ve previously noted, the 2009 NAS report on forensic science has revolutionized fingerprint identification and a number of other forensic disciplines.

One part of this revolution was the Department of Justice 2018 document entitled “UNIFORM LANGUAGE FOR TESTIMONY AND REPORTS FOR THE FORENSIC LATENT PRINT DISCIPLINE.” A PDF version of the report can be found here.

This document applies to Department of Justice examiners who are authorized to prepare reports and provide expert witness testimony regarding the forensic examination of latent print evidence.

From https://www.justice.gov/olp/page/file/1083691/download

Based upon the NAS report and subsequent efforts, Part IV of the DOJ document (“Qualifications and Limitations of Forensic Latent Print Examinations”) sets some clear guidelines about how a latent print examiner should describe his or her findings.

From https://www.justice.gov/olp/page/file/1083691/download

So a pre-2009 latent print examiner who appeared in court and said “I am 100% certain that these two fingerprints belong to the same person, to the exclusion of all other persons, because I have never been wrong in the last 25 years” would fail the 2018 DOJ criteria.

(Remember that even experienced examiners have been wrong before, as was shown in the Brandon Mayfield case.)

But would a jury know that?

That’s what CSAFE discussed in a recent post, “AAFS 2022 RECAP: UNDERSTANDING JUROR COMPREHENSION OF FORENSIC TESTIMONY: ASSESSING JURORS’ DECISION MAKING AND EVIDENCE EVALUATION.” Feel free to read the entire article, or if you like you can read my “succinct” excerpt from two portions of the article:

Koolmees and her colleagues examined whether jurors could distinguish low-quality testimony from high-quality testimony of forensic experts, using the language guidelines released by the Department of Justice (DOJ) in 2018 as an indicator of quality….

Only when comparing the conditions of zero guideline violations and four and five violations were there any changes in guilty verdicts, signifying jurors may notice a change in the quality of forensic testimony only when the quality is severely low.

From https://forensicstats.org/blog/2022/03/29/aafs-2022-recap-understanding-juror-comprehension-of-forensic-testimony-assessing-jurors-decision-making-and-evidence-evaluation/

Think about it. While forensic and criminal justice professionals, who have been immersed in forensic science testimony debates for over a decade, would be unimpressed by someone testifying that two fingerprints are a “100% match,” there’s a good chance that a jury would be very impressed with an “expert” who provided such convincing testimony.

So this raises the question of whether the NAS report, for all of its revolutionary effects, will have any true results in courtroom testimony.

  • Will jurors heed the advice from the DOJ guidelines to accurately consider the testimony of a forensic expert?
  • Or will the jurors’ “common sense,” based on old Perry Mason and C.S.I. TV shows, prevent jurors from consiering expert testimony in the correct light?

Tech5: Updating my contactless fingerprint capture post from October 2021

I’ve worked in the general area of contactless fingerprint capture for years, initially while working for a NIST CRADA partner. While most of the NIST CRADA partners are still pursuing contactless fingerprint technology, there are also new entrants.

In the pre-COVID days, the primary advantage of contactless fingerprint capture was speed. As I noted in an October 2021 post:

Actually this effort launched before that, as there were efforts in 2004 and following years to capture a complete set of fingerprints within 15 seconds; those efforts led, among other things, to the smartphone software we are seeing today.

From https://bredemarket.com/2021/10/04/contactless-fingerprint-scanning-almost-software-at-connectid/

By 2016, several companies had entered into cooperative research and development agreements with NIST to develop contactless fingerprint capture software, either for dedicated devices or for smartphones. Most of those early CRADA participants are still around today, albeit under different names.

Of the CRADA partners, MorphoTrak is now IDEMIA, Diamond Fortress is now Telos ID, Hoyos Labs is now Veridium, AOS is no longer in operation, and 3M’s biometric holdings are now part of Thales. Slide 10 from the NIST presentation posted at https://www.nist.gov/system/files/documents/2016/12/14/iai_2016-nist_contactless_fingerprints-distro-20160811.pdf

I’ve previously written posts about two of these CRADA partners, Telos ID (previously Diamond Fortress) and Sciometrics (the supplier for Integrated Biometrics).

But these aren’t the only players in the contactless fingerprint market. There are always new entrants in a market where there is opportunity.

A month before I wrote my post about Integrated Biometrics/Sciometrics’ SlapShot, a company called Tech5 released its own product.

T5-AirSnap Finger uses a smartphone’s built-in camera to perform finger detection, enhancement, image processing and scaling, generating images that can be transmitted for identity verification or registration within seconds, according to the announcement. The resulting images are suitable for use with standard AFIS solutions, and comparison against legacy datasets…

From https://www.biometricupdate.com/202109/tech5-contactless-fingerprint-biometrics-for-mobile-devices-unveiled

This particular article quoted Tech5 Co-founder/CEO Machiel van der Harst. A subsequent article quoted Tech5 Co-Founder/CTO Rahul Parthe. Both co-founders previously worked for L-1 Identity Solutions (now part of IDEMIA).

Parthe has noted the importance of smartphone-based contactless fingerprint capture:

“We all carry these awesome computers in our hands,” Parthe explains. “It’s a perfectly packaged hardware device that is ideal for any capture technology. Smartphones are powerful compute devices on the edge, with a nice integrated camera with auto-focus and flash. And now phones also come with multiple cameras which can help with better focus and depth estimation. This allows the users to take photos of their fingers and the software takes care of the rest. I’d just like to point out here that we’re talking about using the phone’s camera to capture biometrics and using a smartphone to take the place of a dedicated reader. We’re not talking about the in-built fingerprint acquisition we’re all familiar with on many devices which is the means of accessing the device itself.”

From https://www.biometricupdate.com/202202/contactless-fingerprinting-maturation-allows-the-unification-of-biometric-capture-using-smartphones

I’ve made a similar point before. While dedicated devices may not completely disappear, multi-purpose devices that we already have are the preferable way to go.

For more information about T5-AirSnap Finger, visit this page.

Tech5’s results for NIST’s Proprietary Fingerprint Template (PFT) Evaluation III, possibly using an algorithm similar to that in T5-AirSnap Finger, are detailed here.

The probability of determining the probability of matching fingerprints

I’m on the periphery of the forensic science/law enforcement world.

By CBS Television – eBay itemphoto frontphoto back, Public Domain, https://commons.wikimedia.org/w/index.php?curid=74918903

Yes, I have completed training on forensic face recognition, but that doesn’t qualify me as an expert in courtroom testimony. (Forensic face recognition expert testimony isn’t admissible in court anyway, but you get the idea.)

But even I am well aware that the forensic world changed dramatically in 2009.

Before 2009, the dialog below only represents a slight exaggeration.

Question: Why do you say that these two fingerprints belong to the same person?

Answer: Because I said so.

After 2009, specifically after the release of what is called “the NAS report,” there has been an effort to make forensic science…a science.

Ideally, this means that when a fingerprint expert testifies in court, the expert can state that there is a 99.9978% probability that two fingerprints belong to the same person. Or something like that.

Ideally.

We’re not there yet, as this 2017 IAI position paper implicitly states.

It is the position of the IAl that examiners are encouraged to articulate conclusion decisions as specifically as possible, as to not overstate decisions regarding source attribution. In addition to stating conclusions, examiners are encouraged to state the basis for resulting conclusions; including the associative strength and limitations. The strength and limitations of conclusions may include the quality and quantity of data, the validity of method/mathematical model used, and the repeatability of the conclusion. Examiners are encouraged to continually reassess methods and/or mathematical models used to arrive at the best conclusions possible.

International Association for Identification, Position Statement on Conclusions, Qualified Opinions, and Probability Modeling, February 5, 2017.

In other words, while the IAI discourages the use of the old “Because I said so” articulation, the conclusions stated in court lean more toward qualitative rather than quantitative criteria. There’s not a probabilistic model for fingerprints.

Or, as Mike French notes, there’s not a publicly available probabilistic model.

As organizations like the Center for Statistics and Applications in Forensic Evidence (CSAFE) explore the viability of statistical modeling in pattern evidence disciplines, they will probably notice that AFIS (automated fingerprint identification system) vendors have already done decades of research, and those vendors have fielded operational systems, to solve the same type of problem forensic researchers are now investigating. 

From https://www.linkedin.com/pulse/do-afis-vendors-hold-key-measuring-latent-print-probative-mike-french-1e/

French notes a number of challenges to using AFIS vendor data to derive probabilistic models for fingerprints, but the chief challenge is the fact that the AFIS vendor data is proprietary and therefore carefully guarded. After all, AFIS vendors understandably don’t want their competitors to be able to reverse engineer their algorithms.

If you read French’s article, you’ll see that even if the AFIS vendors made all of the relevant data available, significant testing would still have to take place before reliable, fit for purpose probabilistic models can be created.

Are there other ways to develop a probabilistic fingerprint model? Maybe, but these would require (among other things) access to a lot of fingerprints, and considering the resistance of privacy advocates to biometric collection—even when such collection can mitigate privacy advocate concern about biometric inaccuracy—the chances of collecting a bunch of fingerprints for a probability study are approximately 23 (and me?) in 7 billion.

Putting your finger on the distribution of latent prints (the 30% palm estimate)

Back when automated fingerprint identification systems (AFIS) were originally expanded to become automated fingerprint/palmprint identification systems (AFPIS), a common rationale for the expansion was the large number of unsolved latent palmprints at crime scenes.

By Etan J. Tal – Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=41152228

The statistic that everyone cited was a statistic that 30% of all latent friction ridge prints at crime scenes were from palmprints. Here’s a citation from the National Institute of Justice.

Anecdotally, it is estimated that approximately 30% of comparison cases involve palm impressions.

Note that the NIJ took care to include the word “anecdotally.” Others don’t.

It is estimated that 30 percent of latent prints found at crime scenes come from palms.

But who provided the initial “30% of latents are palms” estimate long ago? And what was the basis for this estimate? This critical information seems to have been lost.

By Apneet Jolly – originally posted to Flickr as Candy corn contest jar, CC BY 2.0, https://commons.wikimedia.org/w/index.php?curid=10317287

Now I don’t have a problem with imprecise estimates, provided that the assumptions that go behind the estimate are well-documented. I’ve done this many times myself.

But sadly, any assumptions for the “30% of latents are palms” figure have disappeared over the years, and only the percentage remains.

Is there any contemporary evidence that can be used to check the 30% estimate?

Yes.

The blind proficiency study wasn’t blind regarding the test data

Latent print quality in blind proficiency testing: Using quality metrics to examine laboratory performance. https://lib.dr.iastate.edu/csafe_pubs/84/

A Center for Statistics and Applications in Forensic Science study (downloadable here) was published earlier this year. Although the study was devoted to another purpose, it touched upon this particular issue.

The “Latent print quality in blind proficiency testing: Using quality metrics to examine laboratory performance” study obviously needed some data, so it analyzed a set of latent prints examined by the Houston Forensic Science Center (HFSC) over a multi-year period.

In the winter of 2017, HFSC implemented a blind quality control
program in latent print comparison. Since its implementation, the
Quality Division within the laboratory has developed and inserted
290 blind cases/requests for analysis into the latent print comparison unit as of August 4, 2020….

Of the 290 blind cases inserted into casework, we were able to
obtain print images for 144 cases, with report dates spanning approximately two years (i.e., January 9, 2018 to January 8, 2020)….

In total, examiners reviewed 376 latent prints submitted as part
of the 144 blind cases/requests for analysis.

So, out of those 376 latent prints, how many were from palms?

The majority of latent prints were fingerprints (94.3%;
n = 350) or palm prints (4.9%; n = 18). Very few were joint impressions or unspecified impressions (0.8%; n = 3)….

The remaining 5 of 376 prints were not attributed to an anatomical source because examiners determined them to be of no comparative value and did not consider them to be latent prints.

For those who are math-challenged, 5 percent is not equal to 30 percent. In fact, 5 percent is much less than 30 percent. (And 4.9% is even less, if you want to get precise about it.)

Now I’ll grant that this is just one study, and other latent examinations may have wildly different percentages. At a minimum, though, this data should cause us to question the universally-accepted “30%” figure.

As any scientific institute that desires funding would proclaim, further research is needed.

And I’ll grant that. Well, I won’t grant it, but some government or private funding entity might.

Contactless fingerprint scanning (almost) software at #connectID

Let me kick off this post by quoting from another post that I wrote:

I’ve always been of the opinion that technology is moving away from specialized hardware to COTS hardware. For example, the fingerprint processing and matching that used to require high-end UNIX computers with custom processor boards in the 1990s can now be accomplished on consumer-grade smartphones.

Further evidence of this was promoted in advance of #connectID by Integrated Biometrics.

And yes, for those following Integrated Biometrics’ naming conventions, there IS a 1970s movie called “Slap Shot,” but I don’t think it has anything to do with crime solving. Unless you count hockey “enforcers” as law enforcement. And the product apparently wasn’t named by Integrated Biometrics anyway.

But back to the product:

SlapShot supports the collection of Fingerprint and facial images suitable for use with state of the art matching algorithms. Fingerprints can now be captured by advanced software that enables the camera in your existing smart phones to generate images with a quality capable of precise identification. Facial recognition and metadata supplement the identification process for any potential suspect or person of interest.

This groundbreaking approach turns almost any smart phone into a biometric capture device, and with minimal integration, your entire force can leverage their existing smart phones to capture fingerprints for identification and verification, receiving matching results in seconds from a centralized repository.

Great, you say! But there’s one more thing. Two more things, actually:

SlapShot functions on Android devices that support Lollipop or later operating systems and relies on the device’s rear high-resolution camera. Images captured from the camera are automatically processed on the device in the background and converted into EBTS files. Once the fingerprint image is taken, the fingerprint matcher in the cloud returns results instantly.

The SlapShot SDK allows developers to capture contactless fingerprints and other biometrics within their own apps via calls to the SlapShot APIs.

Note that SlapShot is NOT intended for end users, but for developers to incorporate into existing applications. Also note that it is (currently) ONLY supported on Android, not iOS.

But this does illustrate the continuing move away from dedicated devices, including Integrated Biometrics’ own line of dedicated devices, to multi-use devices that can also perform forensic capture and perform or receive forensic matching results.

And no, Integrated Biometrics is not cannibalizing its own market. I say this for two reasons.

  1. First, there are still going to be customers who will want dedicated devices, for a variety of reasons.
  2. Second, if Integrated Biometrics doesn’t compete in the smartphone contactless fingerprint capture market, it will lose sales to the companies that DO compete in this market.

Contactless fingerprint capture has been pursued by multiple companies for years, ever since the NIST CRADA was issued a few years ago. (Integrated Biometrics’ partner Sciometrics was one of those early CRADA participants, along with others.) Actually this effort launched before that, as there were efforts in 2004 and following years to capture a complete set of fingerprints within 15 seconds; those efforts led, among other things, to the smartphone software we are seeing today. Not only from Integrated Biometrics/Sciometrics, but also from other CRADA participants. (Don’t forget this one.)

Of the CRADA partners, MorphoTrak is now IDEMIA, Diamond Fortress is now Telos ID, Hoyos Labs is now Veridium, AOS is no longer in operation, and 3M’s biometric holdings are now part of Thales. Slide 10 from the NIST presentation posted at https://www.nist.gov/system/files/documents/2016/12/14/iai_2016-nist_contactless_fingerprints-distro-20160811.pdf

Of course these smartphone capture software packages aren’t Electronic Biometric Transmission Specification (EBTS) Appendix F certified, but that’s another story entirely.

The (possible) Afghan data treasure trove doesn’t just threaten the Taliban’s enemies

Recent events in Afghanistan have resulted in discussions among information technology and security professionals.

Taliban fighters in Kabul, Afghanistan, 17 August 2021. By VOA – https://www.youtube.com/watch?v=nAg7egiXClU, Public Domain, https://commons.wikimedia.org/w/index.php?curid=109043891

One August 17 article from the Intercept hit close to home for me:

THE TALIBAN HAVE seized U.S. military biometrics devices that could aid in the identification of Afghans who assisted coalition forces, current and former military officials have told The Intercept.

This post talks about the data the Taliban could POTENTIALLY get from captured biometric devices and other sources, and how that data could conceivably pose a threat to the Taliban’s enemies AND the Taliban itself.

What data could the Taliban get from biometric devices?

The specific device referenced by the Intercept article was HIIDE…and let’s just say that while I don’t know as much about that device as I should, I do know a little bit about it. (It was manufactured by a company that was subsequently acquired by Safran.)

Another source implies that the Taliban may have acquired another device that the Intercept DIDN’T reference. The Taliban may not only have acquired live HIIDE devices, but also may have acquired devices from another company called SEEK.

(Yes, folks, these devices are called HIIDE and SEEK.)

At the time that this was revealed, I posted the following comment on LinkedIn:

Possession is not enough. Can the Taliban actually access the data? And how much data is on the devices themselves?

Someone interviewed by the Intercept speculated that even if the Taliban did not have the technological capability to hack the devices, it could turn to Pakistan’s Inter-Service Intelligence to do so. As we’ve learned over the years, Pakistan and the Taliban (and the Taliban’s allies such as al Qaeda) are NOT bitter enemies.

As I said, I don’t know enough about HIIDE and SEEK, so I’m not sure about some key things.

  • For example, I don’t know whether their on-board biometric data is limited to just biometric features (rather than images). While there’s the possibility that the devices stored biometric images, that has a drawback because of the large size of the images. Features derived from the images (which are necessary in matching anyway) take up much less storage space. And while biometric images are necessary in some cases (such as forensic latent fingerprint examination), there’s no need for images in devices that make a hit/no-hit decision without human intervention.
  • In addition, I don’t know what textual data is linked to the features (or images) on these devices. Obviously the more textual information that is available, such as a name, the more useful the data can be.
  • Also, the features stored on the devices may or may not be useful. There is no one standard for the specification of biometric features (each vendor has its own proprietary feature specification), and while it may be possible to convert fingerprint features from one vendor system to be used by another vendor’s system, I don’t know if this is possible for face and iris features.

Best-case scenario? Even if the Taliban or its friends can access the data on the devices, the data does not provide enough information for it to be used.

Worst-case scenario? The data DOES provide enough information so that EVERY PERSON whose data is stored on the device can be identified by a Taliban-equivalent device, which would presumably be called FIND (Find Infidels, Neutralize, Destroy).

I’ll return to that “every person” point later in this post.

But biometric data isn’t the only data that might have fallen into the Taliban’s hands.

What data could the Taliban get from non-biometric devices?

Now Politico has come out with its own article that asserts that the Taliban can potentially acquire a lot of other data. And Politico is not as pessimistic as the Intercept about the Taliban’s tech capabilities:

That gives today’s technologically adept Taliban tools to target Afghans who worked with the U.S. or the deposed Afghan government with unprecedented precision, increasing the danger for those who don’t get out on evacuation flights.

Before looking at the data the Taliban may have acquired, it’s useful to divide the data sources between data acquired from clients and data acquired from on-premise servers. HIIDE and SEEK, for example, are clients. (I’m only talking about on-premise servers because any data stored in a US government cloud can hopefully be secured so that the Taliban can’t get it. Hopefully.)

Unlike HIIDE and SEEK, which are mobile client devices, the Politico article focuses on data that is stored on on-premise Afghan government servers. It notes that American IT officials were more likely than Afghan IT officials to scrub their systems before the Taliban takeover, and one would hope that any data stored in US government cloud systems could also be secured before the Taliban could access it.

So what types of data would the Afghan government servers store?

Telecom companies store reams of records on who Afghan users have called and where they’ve been. Government databases include records of foreign-funded projects and associated personnel records.

More specifics are provided regarding telecom company data:

Take call logs. Telecommunications companies keep a record of nearly every phone call placed and to whom. U.S. State Department officials used the local cell networks to make calls to those who were working with the United States, including interpreters, drivers, cooks and more…

And mobile phone data is even more revealing:

Cell phones and mobile apps share data about users with third-party apps, such as location data, that the Taliban could easily get…

The geolocation issue has been known for years. Remember the brouhaha when military users of a particular fitness app effectively revealed the locations of secret U.S. military facilities?

Helmand province in Afghanistan. Photograph: Strava heatmap. Reproduced at https://www.theguardian.com/world/2018/jan/28/fitness-tracking-app-gives-away-location-of-secret-us-army-bases

In locations like Afghanistan, Djibouti and Syria, the users of Strava seem to be almost exclusively foreign military personnel, meaning that bases stand out brightly. In Helmand province, Afghanistan, for instance, the locations of forward operating bases can be clearly seen, glowing white against the black map.

Now perhaps enemy forces already knew about these locations, but it doesn’t help to broadcast them to everyone.

Back to Afghanistan and other data sources.

Afghan citizens’ ethnicity information can also be found in databases supporting the national ID system and voter registration.

This can be used by digital identity opponents to argue that digital identity, or any identity, is dangerous. I won’t dive into that issue right now.

Politico mentions other sources of data that the Taliban could conceivably access, including registration information (including identity documents) for non-governmental organization workers, tax records, and military commendation records.

So if you add up all of the data from all of the Afghan servers, and if the Taliban or its allies are able to achieve some level of technical expertise, then the data provides enough information so that EVERY PERSON whose data is stored on the servers can be identified by the Taliban.

Before we completely panic…

Of course it takes some effort to actually EMPLOY all of this data. In the ideal world, the Taliban would create a supercomputer system that aggregates the data and creates personal profiles that provide complete pictures of every person. But the world is not ideal, even in technologically advanced countries: remember that even after 9/11, it took years for the U.S. Departments of Justice, Homeland Security, and Defense to get their biometric systems to talk to each other.

Oh, and there’s one more thing.

Remember how I’ve mentioned a couple of times that the Taliban could conceivably get information on EVERY PERSON whose data is stored on these devices and servers?

One thing that’s been left unsaid by all of these commentaries is that this data trove not only reveals information about the enemies of the Taliban, but also reveals information about the Taliban itself.

  • The HIIDE and SEEK devices could include biometric templates of Taliban members (who would be considered “enemies” by these devices and may have been placed on “deny lists”).
  • The telecommunications records could reveal calls placed and received by Taliban members, including calls to Afghan government officials and NATO members that other Taliban members didn’t know about.
  • Mobile phone records could reveal the geolocations of Taliban members at any time, including locations that they didn’t want their fellow Taliban members to know about.
  • In general, the records could reveal Taliban members, including high-ranking Taliban members, who were secretly cooperating with the Taliban’s enemies.

With the knowledge that all of this data is now available, how many Taliban members will assist in decrypting this data? And how many will actively block this?

Oh, and even if all of the Taliban were completely loyal, any entity (such as the Pakistani Inter-Service Intelligence) that gets a hold of the data will NOT restrict its own data acquisition efforts to American, NATO, and former Afghan government intelligence. No, it will acquire information on the Taliban itself.

After all, this information could help the Pakistanis (or Chinese, or Russians, or whoever) put the, um, finger on Taliban members, should it prove useful to do so in the future.

Then again, Pakistan may want to ensure that its own digital data treasure trove is safe.

When people confuse the two companies Integrated Biometric Technology and Integrated Biometrics

This is the “oops” of the month (actually for the month of July).

By U.S. Government – ATSDR (part of the CDC) series of state-specific fact sheets. Bitmap versions have been seen on US Embassy websites. Direct PDF URL [1], Public Domain, https://commons.wikimedia.org/w/index.php?curid=14801198

On Monday, July 26 the Tennessee Department of Economic and Community Development made an important announcement:

Tennessee Gov. Bill Lee, Department of Economic and Community Development Commissioner Bob Rolfe and Integrated Biometric Technology, LLC (IBT) officials announced today that the company will establish new operations and locate its corporate headquarters in Franklin.

For those who aren’t familiar with the Nashville area, Franklin is a suburb of Nashville. Coincidentally, IDEMIA (IBT President & CEO Charles Carroll’s former employer) used to have an office in Franklin (I visited it in June 2019), but it has since moved to another Nashville suburb.

This job-related news obviously pleased a number of other Tennessee government officials, including one whom (in this post at least) will remain nameless. The government official tweeted the following, along with a link to the announcement:

Congratulations to @IntegratedBiome on their decision to locate their facility in Franklin and to all our state and local officials who helped bring these jobs home!

A nice sentiment to be sure…except for one teeny problem.

The government official didn’t tag Integrated Biometric Technology (who appears to have a Twitter account, but it isn’t live yet), but instead tagged a SOUTH CAROLINA company with a similar name, Integrated Biometrics. (I’ve discussed this company before. They’re the ones who really like 1970s TV crime fighters.)

Book ’em, Danno! By CBS Television – eBay item photo front photo back, Public Domain, https://commons.wikimedia.org/w/index.php?curid=19674714

Integrated Biometrics’ social media person set the record straight.

Hi there! That article is actually about Integrated Biometric Technology – not us (Integrated Biometrics)

It turns out that the two companies with similar names have existed in one form or another for nearly two decades. The first iteration of Integrated Biometric Technology was established in 2005, while Integrated Biometrics dates back to 2002. I was in Motorola at the time and can’t remember any name confusion in those days, since I was busy concentrating on other things…such as AFIX Tracker.

Cue the “It’s a Small World” music. Trust me, the biometrics world can be very small at times…