Update: A Little Harder to Create Voice Deepfakes?

(Imposter scam wildebeest image from Imagen 3)

(Part of the biometric product marketing expert series)

Remember my post early this morning entitled “Nearly $3 Billion Lost to Imposter Scams in the U.S. in 2024“?

The post touched on many items, one of which was the relative ease in using popular voice cloning programs to create fraudulent voices. Consumer Reports determined that four popular voice cloning programs “did not have the technical mechanisms necessary to prevent cloning someone’s voice without their knowledge or to limit the AI cloning to only the user’s voice.”

Reducing voice clone fraud?

Joel R. McConvey of Biometric Update wrote a piece (“Hi mom, it’s me,” an example of a popular fraudulent voice clone) that included an update on one of the four vendors cited by Consumer Reports.

In its responses, ElevenLabs – which was implicated in the deepfake Joe Biden robocall scam of November 2023 – says it is “implementing Coalition for Content Provenance and Authenticity (C2PA) standards by embedding cryptographically-signed metadata into the audio generated on our platform,” and lists customer screening, voice CAPTCHA and its No-Go Voice technology, which blocks the voices of hundreds of public figures, as among safeguards it already deploys.

Coalition for Content Provenance and Authenticity

So what are these C2PA standards? As a curious sort (I am ex-IDEMIA, after all), I investigated.

The Coalition for Content Provenance and Authenticity (C2PA) addresses the prevalence of misleading information online through the development of technical standards for certifying the source and history (or provenance) of media content. C2PA is a Joint Development Foundation project, formed through an alliance between Adobe, Arm, Intel, Microsoft and Truepic.

There are many other organizations whose logos appear on the website, including Amazon, Google, Meta, and Open AI.

Provenance

I won’t plunge into the entire specifications, but this excerpt from the “Explainer” highlights an important word, “provenance” (the P in C2PA).

Provenance generally refers to the facts about the history of a piece of digital content assets (image, video, audio recording, document). C2PA enables the authors of provenance data to securely bind statements of provenance data to instances of content using their unique credentials. These provenance statements are called assertions by the C2PA. They may include assertions about who created the content and how, when, and where it was created. They may also include assertions about when and how it was edited throughout its life. The content author, and publisher (if authoring provenance data) always has control over whether to include provenance data as well as what assertions are included, such as whether to include identifying information (in order to allow for anonymous or pseudonymous assets). Included assertions can be removed in later edits without invalidating or removing all of the included provenance data in a process called redaction.

Providence

I would really have to get into the nitty gritty of the specifications to see exactly how ElevenLabs, or anyone else, can accurately assert that a voice recording alleged to have been made by Richard Nixon actually was made by Richard Nixon. Hint: this one wasn’t.

From https://www.youtube.com/watch?v=2rkQn-43ixs.

Incidentally, while this was obviously never spoken, and I don’t believe that Nixon ever saw it, the speech was drafted as a contingency by William Safire. And I think everyone can admit that Safire could soar as a speechwriter for Nixon, whose sense of history caused him to cast himself as an American Churchill (with 1961 to 1969 as Nixon’s “wilderness years”). Safire also wrote for Agnew, who was not known as a great strategic thinker.

And the Apollo 11 speech above is not the only contingency speech ever written. Someone should create a deepfake of this speech that was NEVER delivered by then-General Dwight D. Eisenhower after D-Day:

Our landings in the Cherbourg-Havre have failed to gain a satisfactory foothold and I have withdrawn the troops. My decision to attack at this time and place was based upon the best information available. The troops, the air and the Navy did all that bravery and devotion to duty could do. If any blame or fault attaches to the attempt it is mine alone.

How Bredemarket Adopts Your Point of View

The video embedded in my “Where is ByteDance From?” blog post included an interesting frame:

“So depending upon your needs, you can argue that”

This frame was followed by three differing answers to the “Where is ByteDance From?” question.

But isn’t there only one answer to the question? How can there be three?

It all depends upon your needs.

Who is the best age estimation vendor?

I shared an illustrative example of this last year. When the National Institute of Standards and Technology (NIST) tested its first six age estimation algorithms, it published the results for everyone to see.

“Because NIST conducts so many different tests, a vendor can turn to any single test in which it placed first and declare it is the best vendor.

“So depending upon the test, the best age estimation vendor (based upon accuracy and or resource usage) may be Dermalog, or Incode, or ROC (formerly Rank One Computing), or Unissey, or Yoti. Just look for that “(1)” superscript….

“Out of the 6 vendors, 5 are the best. And if you massage the data enough you can probably argue that Neurotechnology is the best also. 

“So if I were writing for one of these vendors, I’d argue that the vendor placed first in Subtest X, Subtest X is obviously the most important one in the entire test, and all the other ones are meaningless.”

Are you the best? Only if I’m writing for you

I will let you in on a little secret.

  • When I wrote things for IDEMIA, I always said that IDEMIA was the best.
  • When I wrote things for Incode, I always said that Incode was the best.
  • And when I write things for each of my Bredemarket clients, I always say that my client is the best.

I recently had to remind a prospect of this fact. This particular prospect has a very strong differentiator from its competitors. When the prospect asked for past writing samples, I included this caveat:

“I have never written about (TOPIC 1) or (TOPIC 2) from (PROSPECT’S) perspective, but here are some examples of my writing on both topics.”

I then shared four writing samples, including something I wrote for my former employer Incode about two years ago. I did this knowing that my prospect would disagree with my assertions that Incode’s product is so great…and greater than the prospect’s product. 

If this loses me the business, I can accept that. Anyone with any product marketing experience in the identity industry is guaranteed to have said SOMETHING offensive to most of the 80+ companies in the industry.

How do I write for YOU?

But let’s say that you’re an identity firm and you decide to contract with Bredemarket anyway, even though I’ve said nice things about your competitors in the past.

How do we work together to ensure that I say nice things about you?

That’s where my initial questions (seven, plus some more) come into play.

My first seven questions.

By the time we’re done, we have hopefully painted a hero picture of your company, describing why you are the preferred solution for your customers—better than IDEMIA, Incode, or anyone else.

(Unless of course IDEMIA or Incode contracts with Bredemarket, in which case I will edit the sentence above just a bit.)

So let’s talk

If you would like to work with Bredemarket for differentiated content, proposal, or analysis work, book a free meeting on my “CPA” page.

CPA

Where is ByteDance From?

Know Your Business!

Where is ByteDance From?

I am VERY familiar with questions regarding the nationality of a company. There are three questions:

  • Where is it incorporated?
  • Where is it headquartered?
  • Who owns it?

IDEMIA

For my former employer IDEMIA, the answers are France, France, and primarily a U.S. investor (Advent International).

(So depending upon your needs, you can argue that IDEMIA is a French company or a U.S. company.)

ByteDance

For ByteDance, the answers are the Cayman Islands, China (Beijing), and primarily global investors (Blackrock, General Atlantic, Susquehanna International Group, etc.).

(So depending upon your needs, you can argue that ByteDance is a Chinese company, a mostly American company, or a British company off the coast of Cuba.)

Your company

Not that I create TikTok videos (at least not for paying clients), but I provide other services.

More information on Bredemarket’s Content-Proposal-Analysis marketing and writing services:

CPA
Bredemarket’s “CPA.”

Career Detective: My AI-generated “Podcast”

I normally don’t listen to 20+ minute podcasts, but I listened to this one because it was all about me.

Seriously…there’s a 20 minute podcast that focuses on me.

The two people on the podcast spent the entire time talking about my most recent ten years of professional experience.

Except…the people weren’t people.

NotebookLM file-to-audio creation

The people were Google bots, powered by Google’s NotebookLM.

Upload PDFs, websites, YouTube videos, audio files, Google Docs, or Google Slides, and NotebookLM will summarize them and make interesting connections between topics, all powered by Gemini 1.5’s multimodal understanding capabilities.

With all of your sources in place, NotebookLM gets to work and becomes a personalized AI expert in the information that matters most to you….

Our new Audio Overview feature can turn your sources into engaging “Deep Dive” discussions with one click.

I uploaded the most recent version of my resume to NotebookLM.

Technically, this is not my resume; this is a PDF version of a portion of my LinkedIn profile. But my resume has similar information.

NotebookLM used the resume as source material to create a 20+ minute podcast called “Career Detective.” In the podcast, a male and a female pair of bots took turns discussing the insights they gleaned from the resume of John E. “Breedehoft.” (I use a short e, not a long e, but people can call me anything if I get business from it.)

Surprisingly, they didn’t really hallucinate. Or at least I don’t think they did. When the bots said I was deeply qualified, as far as I’m concerned they were speaking the truth.

They even filled in some gaps. For example, I used the acronyms for KYC, KYB, and AML on my resume to save space, so one of the bots explained to the other what those acronyms meant, and why they were important.

Probably the most amusing part of the podcast was when they noted that I had worked at two very large companies. (Just so you know, my resume only goes back to 2015, so Motorola isn’t even discussed.) While Incode and IDEMIA are both multinationals, I wouldn’t characterize Incode as massive.

Anyway, judge for yourself

So here’s the audio episode of “Career Detective” that focuses on…me.

By the way, I learned about NotebookLM via the Never Search Alone Slack workspace, but still need to explore NotebookLM’s other features.

California Knows How to Party (California mDL)

Well, it took long enough.

In part because when I first tried to get a mobile driver’s license (mDL), I used my OLD physical driver’s license AFTER I had renewed my driver’s license online (but before I received the new physical license). Data mismatch. Rejected.

And in part because I kept on forgetting to perform the additional steps to confirm my identity.

And in part because I didn’t truly NEED the mDL—I haven’t flown anywhere since April 2023, and for some strange reason no vendor of age-controlled products has insisted on carding me.

California mobile driver’s license (mDL).

But I now have a California mDL. After talking about mDLs for years as a former IDEMIA employee.

I’ve previously espoused the benefits of mDLs. For example, when a retailer DOES check my age before I buy a beer, the retailer doesn’t learn my address or my (claimed) height and weight. The retailer only needs to confirm that I am old enough to buy a beer.

Oddly enough, I had to block out certain information on my displayed mDL in the image above. Because MY privacy requirements obviously don’t conform to California’s privacy requirements.

I’m Shaky

Ever since I started working from home in March 2020 (while I was still at IDEMIA), I’ve gotten used to having work-related brainstorms at 3:30 am.

So it’s Sunday at 3:30 am and I had a brilliant idea for a Wednesday Bredemarket post.

While drafting that post on my phone, I discovered an UTM-related issue in Friday’s Bredemarket post.

I couldn’t fix it on my phone, so I got up to go to the computer.

Then the house shook and a nearby car alarm went off.

Earthquake preliminary reading, Ontario, California, Sunday, October 6, 2024, 3:51 am PDT.

We’ve had a lot of earthquakes in the 3-4 range lately.

As long as they stay small, I’m fine.

Now back to my brilliant idea…

Who Is IN With IDEMIA?

Unlike the other rumors over the last few years, this is official. 

From IDEMIA:

“IN Groupe and IDEMIA Group have entered into exclusive negotiations regarding the acquisition of IDEMIA Smart Identity, one of the three divisions of IDEMIA Group.”

But discussions are one thing, and government approvals are another. By the way, IN Groupe’s sole shareholder is the French state…

Plus IDEMIA, like Motorola before it, will have to figure out how the, um, bifurcated components will work with each other. After all, IDEMIA Smart Identity is intertwined with the other parts of IDEMIA. 

Again, from IDEMIA:

“IDEMIA Smart Identity, a division of IDEMIA Group, is a leader in physical and digital identity solutions. We have fostered longstanding relationships with governments across the globe, based on the shared understanding that a secured legal identity enables citizens to access their fundamental rights in the physical and digital worlds.”

Regardless, this process will take some time.

And what will Advent International eventually do with the other parts of IDEMIA? That will take even more time to figure out.

In Case You Missed My Incessant “Biometric Product Marketing Expert” Promotion

Biometric product marketing expert.

Modalities: Finger, face, iris, voice, DNA.

Plus other factors: IDs, data.

John E. Bredehoft has worked for Incode, IDEMIA, MorphoTrak, Motorola, Printrak, and a host of Bredemarket clients.

(Some images AI-generated by Google Gemini.)

Biometric product marketing expert.

When 250ppi Binary Fingerprint Images Were Acceptable

(Part of the biometric product marketing expert series)

I remember the first computer I ever owned: a Macintosh Plus with a hard disk with a whopping 20 megabytes of storage space. And that hard disk held ALL my files, with room to spare.

For sake of comparison, the video at the end of this blog post would fill up three-quarters of that old hard drive. Not that the Mac would have any way to play that video.

That Mac is now literally a museum piece.

By Tmarki – Own work, Public Domain, https://commons.wikimedia.org/w/index.php?curid=8058630.

And its 20 megabyte hard disk illustrates the limitations of those days. File storage was a precious commodity in the 1980s and 1990s, and we therefore accepted images that we wouldn’t even think about accepting today.

This affected the ways in which entities exchanged biometric information.

The 1993 ANSI/NIST standard

The ANSI/NIST standard for biometric data interchange has gone through several iterations over the years, beginning in 1986 when NIST didn’t even exist (it was called the National Bureau of Standards in those days).

Fingerprints only

When I began working for Printrak in 1994, the image interchange standard in effect was ANSI/NIST-CSL 1-1993, the “Data Format for the Interchange of Fingerprint Information.”

Yes, FINGERPRINT information. No faces. No scars/marks/tattoos. signatures, voice recordings, dental/oral data, irises, DNA, or even palm prints. Oh, and no XML-formatted interchange either. Just fingerprints.

No logical record type 99, or even type 10

Back in 1993, there were only 9 logical record types.

For purposes of this post I’m going to focus on logical record types 3 through 6 and explain what they mean.

  • Type 3, Fingerprint image data (low-resolution grayscale).
  • Type 4, Fingerprint image data (high-resolution grayscale).
  • Type 5, Fingerprint image data (low-resolution binary).
  • Type 6, Fingerprint image data (high-resolution binary).

Image resolution in the 1993 standard

In the 1993 version of the ANSI/NIST standard:

  • “Low-resolution” was defined in standard section 5.2 as “9.84 p/mm +/- 0.10 p/mm (250 p/in +/- 2.5 p/in),” or 250 pixels per inch (250ppi).
  • The “high-resolution” definition in sections 5.1 and 5.2 was twice that, or “19.69 p/mm +/- 20 p/mm (500 p/in +/- 5 p/in.”
  • While you could transmit at these resolutions, the standard still mandated that you actually scan the fingerprints at the “high-resolution” 500 pixels per inch (500ppi) value.

Incidentally, this brings up an important point. The series of ANSI/NIST standards are not focused on STORAGE of data. They are focused on INTERCHANGE of data. They only provided a method for Printrak system users to exchange data with automated fingerprint identification systems (AFIS) from NEC, Morpho, Cogent, and other fingerprint system providers. Just interchange. Nothing more.

Binary and grayscale data in the 1993 standard

Now let’s get back to Types 3 through 6 and note that you were able to exchange binary fingerprint images.

Yup, straight black and white images.

The original uploader was CountingPine at English Wikipedia. – Transferred from en.wikipedia to Commons., CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=90286557.

Why the heck would fingerprint experts tolerate a system that transmitted binary images that latent fingerprint examiners considered practically useless?

Because they had to.

Storage and transmission constraints in 1993

Two technological constraints adversely affected the interchange of fingerprint data in 1993:

  • Storage space. As mentioned above, storage space was limited and expensive in the 1980s and the 1990s. Not everyone could afford to store detailed grayscale images with (standard section 4.2) “eight bits (256 gray levels)” of data. Can you imagine storing TEN ENTIRE FINGERS with that detail, at an astronomical 500 pixels per inch?
  • Transmission speed. There was another limitation enforced by the modems of the data. Did I mention that the ANSI/NIST standard was an INTERCHANGE standard? Well, you couldn’t always interchange your data via the huge 1.44 megabyte floppy disks of the day. Sometimes you had to pull your your trusty 14.4k or 28.8k modem and send the images over the telephone. Did you want to spend the time sending those huge grayscale images over the phone line?
Sound effects not included. By Wilton Ramon de Carvalho Machado – Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=3572726.

So as a workaround, the ANSI/NIST standard allowed users to interchange binary (black and white) images to save disk space and modem transmission time.

And we were all delighted with the capabilities of the 1993 ANSI/NIST standard.

Until we weren’t.

The 2015 ANSI/NIST standard

The current standard, ANSI/NIST-ITL 1-2011 Update 2015, supports a myriad of biometric types. For fingerprints (and palm prints), the focus is on grayscale images: binary image Type 5 and Type 6 are deprecated in the current standard, and low-resolution Type 3 grayscale images are also deprecated. Even Type 4 is shunned by most people in favor of new friction ridge image types in which the former “high resolution” is now the lowest resolution that anyone supports:

  • Type 13, Variable-resolution latent friction ridge image.
  • Type 14, Variable-resolution fingerprint image.
  • Type 15, Variable-resolution palm print image.

We’ve come a long way.

Now that you’ve read this whole thing, I’ll share my video which covers everything in 25 seconds.

Fade to gray.

By the time I upload this video to Instagram, I’ll probably use Instagram’s music facilities to add this song as background music.

  • And note that the band name is spelled Visage with one I, not Viisage with two I’s. (Now part of IDEMIA, along with Printrak.)
  • But the spelling inaccuracy is not surpring. The band can’t spell “gray” either.
From https://www.youtube.com/watch?v=eZHk4RwIp_g.

Oh, Florida (mobile driver’s licenses)

I should properly open this post by stating any necessary disclosures…but I don’t have any. I know NOTHING about the goings-on reported in this post other than what I read in the papers.

“I know NOTHING.” By CBS Television – eBayfrontback, Public Domain, https://commons.wikimedia.org/w/index.php?curid=73578107.

However, I do know the history of Thales and mobile driver’s licenses. Which makes the recent announcements from Florida and Thales even more surprising.

Gemalto’s pioneering mobile driver’s license pilots

Back when I worked for IDEMIA from 2017 to 2020, many states were performing some level of testing of mobile driver’s licenses. Rather than having to carry a physical driver’s license card, you would be able to carry a virtual one on your phone.

While Louisiana was the first state to release an operational mobile driver’s license (with Envoc’s “LA Wallet”), several states were working on pilot projects.

Some of these states were working with the company Gemalto to create pilots for mobile driver’s licenses. As early as 2016, Gemalto announced its participation in pilot mDL projects in Colorado, Idaho, Maryland, and Washington DC. As I recall, at the time Gemalto had more publicly-known pilots in process than any other vendor, and appeared to be leading the pack in the effort to transition driver’s licenses from the (physical) wallet to the smartphone.

Thales’ operational mobile driver’s license

By the time Gemalto was acquired by and absorbed into Thales, the company won the opportunity to provide an operational (as opposed to pilot) driver’s license. The Florida Smart ID app has been available to both iPhone and Android users since 2021.

From https://www.flhsmv.gov/floridasmartid/ as of July 12. No idea whether this image will still be there on July 15.

What just happened?

This morning I woke up to a slew of articles (such as the LinkedIn post from PEAK IDV’s Steve Craig, and the Biometric Update post from Chris Burt) that indicated the situation had changed.

One of the most important pieces of new information was a revised set of Frequently Asked Questions (or “Question,” or “Statement”) on the “Florida Smart ID” section of the Florida Highway Safety and Motor Vehicles website.

The Florida Smart ID applications will be updated and improved by a new vendor. At this time, the Florida Department of Highway Safety and Motor Vehicles is removing the current Florida Smart ID application from the app store. Please email FloridaSmartID@flhsmv.gov to receive notification of future availability.

Um…that was abrupt.

But a second piece of information, a Thales statement shared by PC Mag, explained the abruptness…in part.

In a statement provided to PCMag, a Thales spokesperson said the company’s contract with the FLHSMV expired on June 30, 2024.

“The project has now entered a new phase in which the FLHSMV requirements have evolved, necessitating a retender,” Thales says. “Thales chose not to compete in this tender. However, we are pleased to have been a part of this pioneering solution and wishes it continued success.”

Now normally when a government project transitions from one vendor to another, the old vendor continues to provide the service until the date that the new vendor’s system is operational. This is true even in contentious cases, such as the North Carolina physical driver’s license transition from IDEMIA to CBN Secure Technologies.

But in the Florida case:

  • Thales chose not to bid on the contract renewal.
  • The new vendor and/or the State of Florida chose not to begin providing services when the Thales contract expired on June 30.
  • Thales and/or the State of Florida chose not to temporarily renew the existing contract until the new vendor was providing services in 2025.

This third point is especially odd. I’ve known of situations where Company A lost a renewal bid to Company B, Company B was unable to deliver the new system on time, and Company A was all too happy to continue to provide service until Company B (or in some cases the government agency itself) got its act together.

Anyway, for whatever reason, those who had Florida mobile driver’s licenses have now lost them, and will presumably have to go through an entirely new process (with an as-yet unknown vendor) to get their mobile driver’s licenses again.

I’m not sure how much more we will learn publicly, and I don’t know how much is being whispered privately. Presumably the new vendor, whoever it is, has some insight, but they’re not talking.