Privacy regulations can change when you cross country or even city lines, and they can also change depending on who you are: an individual, a business, or a government agency.
On the other extreme, some entities in some jurisdictions must obtain express written consent. If I am a homeowner in Schaumburg, Illinois, and I use a doorbell camera to identify friends or foes approaching my door, the Biometric Information Privacy Act (BIPA) prohibits me from capturing their biometrics without their consent, and lets them sue me if I do it anyway.
Before you collect PII, check the laws in your jurisdiction first.
Oh, and check the laws in other jurisdictions in case they try to enforce their laws in your jurisdiction.
By the way: if you’re a software or hardware vendor, don’t assume that you bear no responsibility and that only your customer does.
You must educate your customers.
And Bredemarket can help you with my content-proposal-analysis services.
“I think too much knowledge is actually bad in tech: you’re biased.”
Why does this quote affect me so deeply? Because with my 30-plus years of identity/biometric experience, I obviously have too much knowledge of the industry, which is obviously bad. After all, all a biometric company needs is a salesperson, an engineer, an African data labeler, and someone to run the generative AI for everything else. The company doesn’t need someone who knows that Printrak isn’t spelled with a C.
Google Gemini.
In this post I will share three of the “biases” I have developed in my 30-plus years in identity and biometrics, and how to correct these biases by stripping away that 20th century experience and applying novel thinking.
And if that last paragraph made you throw up in your mouth…read to the end of the post.
But first, let’s briefly explore these three biases that I shamefully hold due to my status as a biometric product marketing expert:
Independent algorithmic confirmation is valuable.
Process is valuable.
Artificial intelligence is merely a tool.
Biometric product marketing expert.
Bias 1: Independent Algorithmic Confirmation is Valuable
But how do prospects know that these algorithms work? How accurate are they? How fast are they? How secure are they?
My bias
My brain, embedded with over 30 years of bias, gravitates to the idea that vendors should submit their algorithms for independent testing and confirmation.
From a NIST facial recognition demographic bias text.
This could be an accuracy test such as the ones NIST and DHS administer, or confirmation of presentation attack detection capabilities (as BixeLab, iBeta, and other organizations perform), or confirmation of injection attack detection capabilities.
Novel thinking
But you’re smarter than that and refuse to support the testing-industrial complex. They have their explicit or implicit agendas and want to force the biometric vendors to do well on the tests. For example, the U.S. Federal Bureau of Investigation’s “Appendix F” fingerprint capture quality standard specifically EXCLUDES contactless solutions, forcing everyone down the same contact path.
But you and your novel thinking reject these unnecessary impediments. You’re not going to constrain yourself by the assertions of others. You are going to assert your own benefits. Develop and administer your own tests. Share with your prospects how wonderful you are without going through an intermediary. That will prove your superiority…right?
Bias 2: Process is Valuable
A biometric company has to perform a variety of tasks. Raise funding. Hire people. Develop, market, propose, sell, and implement products. Throw parties.
How will the company do all these things?
My bias
My brain, encumbered by my experience (including a decade at Motorola), persists in a belief that process is the answer. The process can be as simple as scribblings on a cocktail napkin, but you need some process if you want to cash out in a glorious exit—I mean, deliver superior products to your customers.
Perhaps you need a development processs that defines, among other things, how long a sprint should be. A capture and proposal process (Shipley or simpler) that defines, among other things, who has the authority to approve a $10 million proposal A go-to-market process that defines the deliverables for different tiers, and who is responsible, accountable, consulted, and informed. Or maybe just an onboarding process when starting a new project, dictating the questions you need to ask at the beginning.
Bredemarket’s seven questions. I ask, then I act.
Novel thinking
Sure all that process is fine…if you don’t want to do anything. Do you really want to force your people to wait two weeks for the latest product iteration? Impose a multinational bureauracy on your sales process? Go through an onerous checklist before marketing a product?
Google Gemini.
Just code it.
Just sell it.
Just write it.
Bias 3: Artificial Intelligence is Merely a Tool
The problem with experienced people is that they think that there is nothing new under the sun.
You talk about cloud computing, and they yawn, “Sounds like time sharing.” You talk about quantum computing, and they yawn, “Sounds like the Pentium.” You talk about blockchain, and they yawn, “Sounds like a notary public.”
My bias
As I sip my Pepperidge Farm, I can barely conceal my revulsion at those who think “we use AI” is a world-dominating marketing message. Artificial intelligence is not a way of life. It is a tool. A tool that in and of itself does not merit much of a mention.
Google Gemini.
How many automobile manufacturers proclaim “we use tires” as part of their marketing messaging? Tires are essential to an automobile’s performance, but since everyone has them, they’re not a differentiator and not worthy of mention.
In the same way, everyone has AI…so why talk about its mere presence? Talk about the benefits your implementation provides and how these benefits differentiate you from your competitors.
Novel thinking
Yep, the grandpas that declare “AI is only a tool” are missing the significance entirely. AI is not like a Pentium chip. It is a transformational technology that is already changing the way we create, sell, and market.
Therefore it is critically important to highlight your product’s AI use. AI isn’t a “so what” feature, but an indication of revolutionary transformative technology. You suppress mention of AI at your own peril.
How do I overcome my biases of experience?
OK, so I’ve identified the outmoded thinking that results from too much experience. But how do I overcome it?
I don’t.
Because if you haven’t already detected it, I believe that experience IS valuable, and that all three items above are essential and shouldn’t be jettisoned for the new, novel, and kewl.
Are you a identity/biometric marketing leader who needs to tell your prospects that your algorithms are validated by reputable independent bodies?
Or that you have a process (simple or not) that governs how your customers receive your products?
Or that your AI actually does unique things that your competitors don’t, providing true benefits to your customers?
Bredemarket can help with strategy, analysis, content, and/or proposals for your identity/biometric firm. Talk to me (for free).
By the way, here’s MY process (and my services and pricing).
Why do scammers target anti-fraud experts? Because sometimes we’re dumb too.
But in this case I didn’t fall for the two deepfake recruiters who emailed me yesterday.
However, I have some concerns about the REAL recruiters that the fraudsters were impersonating.
Deepfake recruiter 1, the Senior Vice President
The first fraudster emailed me early Tuesday morning California time:
Hi John,
I hope you’re doing well. My name is Ethan [REDACTED LAST NAME SPELLED WITH AN “E”], Senior Vice President at Aerotek, a national staffing and recruiting firm.
I’m reaching out regarding a confidential, retained search for a Senior Product Marketing Leader with a real, actively operating company in the identity verification and biometrics space. Your background in product marketing, go-to-market strategy, and competitive intelligence across identity technology firms stood out strongly during our shortlist review.
This role is ideal for leaders who drive product launches, shape competitive positioning, and accelerate growth in B2B/B2G SaaS environments.
If this aligns with what you’re exploring, I’d be happy to share the full role brief.
Best regard Ethan [REDACTED LAST NAME SPELLED WITH AN “A”]
When a Senior Vice President can’t spell his own last name consistently, that’s a warning flag.
When said Senior Vice President emails me from ethan.aerotek.desk2@gmail.com, that’s another.
Turns out Ethan is a U.S. based person employed by Aerotek, with the same picture used in the Gmail account (which I guess qualifies this as a “deepfake”), but he is a Recruiter, not a Senior Vice President.
So I messaged the real Ethan on LinkedIn early Tuesday morning, reproducing the email message above and prepending it with:
Ethan, I received this from a Gmail address
Replying to the fake recruiter
Then I responded to the email from the fake Ethan:
Ethan, I have contacted you via LinkedIn. Please provide your Aerotek email address. Your client will understand.
My final comment probably went over the fake Ethan’s head, but any identity verification company would clearly understand why a candidate would insist on an Aerotek address rather than a Gmail address. Except in certain circumstances that I’ll address later.
And of course Aerotek would be very concerned about fraudsters impersonating real Aerotek employees…or so you’d think.
Back to the fake, who responded a few minutes later. Oddly enough, even though Ethan is U.S.-based, this email indicated that my reply was received in a time zone eight hours ahead of the Pacific Time Zone. Anyway, here’s the fake Ethan’s non-surprising response.
Thank you for reaching out. I’ve been experiencing some technical issues with LinkedIn this week, so I appreciate you continuing the conversation here.
This is the usual tactic employed by scammers. Stay off reputable platforms such as LinkedIn and move the conversation to another platform, in this case email. At least fake Ethan didn’t direct me to WhatsApp or Telegram.
As of Wednesday morning I left both conversations there. I didn’t reply to the fake Ethan’s latest email, and the real Ethan didn’t reply to my messsage.
And that’s a problem.
Concerns about the real recruiter
As I mentioned earlier, Aerotek obviously doesn’t want fraudsters impersonating their employees. And Aerotek employees certainly don’t want fraudsters impersonating them and lifting their facial images for fake Gmail accounts.
But the real Ethan apparently hasn’t checked his LinkedIn account in over 24 hours, and is completely unaware that a fraudster is impersonating him.
Causing damage to him and his employer.
If you’re a recruiter (or any professional) and you have a LinkedIn account, check it regularly. You don’t know what you’re missing.
But let’s move on to deepfake 2: technically not a deepfake since the fraudster only appropriated a name and not a likeness, but worrisome all the same.
Deepfake recruiter 2, the independent and invisible recruiter
The second fraudster emailed me late in the afternoon California time.
Hello John,
I hope you’re doing well.
I recently came across your background in B2B/B2G SaaS product marketing, particularly your work across identity, biometrics, and broader technology markets. Your experience driving product launches, developing go-to-market strategy, and building high-impact content and competitive intelligence frameworks really stood out.
I’m currently supporting a respected technology organization operating at the intersection of SaaS, cybersecurity, and identity, and your ability to bridge complex technical solutions with clear market positioning aligns closely with what they’re looking for.
Given your track record of both strategic thinking and execution (“ask, then act” definitely came through), I believe you could be a strong fit for this opportunity.
If you’re open to exploring, I’d be happy to share a brief overview of the role and why I feel it aligns well with your background.
Looking forward to hearing your thoughts.
Again this person emailed me from a Gmail address, consisting of the person’s name with an appended “8.”
Finding the real recruiter
So I checked out this person also, and discovered a few things.
This is also a real person, based in Europe. So she supposedly sent this email after midnight her time.
The real recruiter DOES have a Gmail address, but without the “8.” Why? Because the person is NOT employed by a huge recruiting firm such as Aerotek, but is a self-employed recruiting specialist. So it’s understandable that the real recruiter has a Gmail address. But as we will see, not advisable.
Her company name is her name with the word “Consulting” appended, according to her personal LinkedIn profile.
So I messaged the real recruiter with the message “Possible scam artist” and the email address (with the “8”) that sent the message.
Replying, and not replying, to the fake recruiter
About an hour later (now well after midnight European time), I received a second email from the fake recruiter that didn’t reference my reply to the first one.
Hello John,
I hope you’re doing well.
I recently came across your background in B2B/B2G SaaS product marketing, and your work across identity, biometrics, and go-to-market strategy really stood out—particularly your experience positioning complex technologies like IAM, biometrics, and AI-driven solutions.
Your track record in product launches, competitive intelligence, and building high-impact content at scale aligns closely with what we’re currently prioritizing.
I’m supporting a respected technology organization that is expanding its product marketing leadership team, and based on your experience, you could be a strong fit—especially given your depth across both public sector (B2G) and commercial (B2B) environments.
If you’re open to exploring, I’d be happy to share a brief overview of the role and why I believe it aligns well with your background.
Looking forward to hearing your thoughts.
I didn’t bother to reply to the second email from the fake recruiter, or to notify the real recruiter of the second email.
Eventually I received a reply to my first email early Wednesday morning…oddly enough, indicating that the fake was in the Pacific Time Zone, not Europe. (Note to scammers: change your computer and software settings so that your time zone matches the time zone of the person you’re impersonating.)
Here’s how the reply began:
Thank you for your message here—and I did see your note on LinkedIn as well. Apologies for the slight delay in getting back to you, I was tied up attending to a few things earlier.
Yeah, sure you saw my LinkedIn InMail.
Anyway, forget about the scammer. Let’s look at the real recruiter.
Concerns about the real recruiter
As I mentioned, the real recruiter has a personal LinkedIn profile and a Gmail address.
And that’s it.
I couldn’t find a LinkedIn company page for her consulting company.
A couldn’t find a website for her consulting company.
In fact, the ONLY reference I found to her consulting company was her personal LinkedIn page.
And that’s a problem.
The fact that she has no LinkedIn posts and no LinkedIn recommendations is another.
Now I’ll grant that many consultants get their business from word-of-mouth. Bredemarket certainly does.
But the only publicly-known way to contact THIS consultant is via email or LinkedIn InMail.
And as of now she hasn’t checked her InMail in over 12 hours.
What if she were to lose access to her LinkedIn account?
If you’re an independent recruiting consultant, own your own website, and don’t depend upon someone else’s social platform.
That’s one reason why Bredemarket offers several ways to reach me, most importantly the contact mechanisms available on my own website, free of the control of Microsoft, Meta, or any other company that could yank my access at the drop of a hat.
But there are others.
Bredemarket’s active platforms as of March 29, 2026.
So if you have content or other needs…such as the need to create content to publicize your recruiting consultancy…why don’t you talk to me?
“A lattice is a hierarchical structure that consists of levels, each representing a set of access rights. The levels are ordered based on the level of access they grant, from more restrictive to more permissive.”
In essence, the lattice structure allows more elaborate access rights.
This article (“Lattice-Based Identity and Access Management for AI Agents”) discusses lattices more. Well, not explicitly; the word “lattice” only appears in the title. But here is the article’s main point:
“We are finally moving away from those clunky, “if-this-then-that” systems. The shift to deep learning means agents can actually reason through a mess instead of just crashing when a customer uses a slang word or a shipping invoice is slightly blurry.”
It then says
“Deep learning changes this because it uses neural networks to understand intent, not just keywords.”
Hmm…intent? Sounds a little somewhat you why…or maybe it’s just me.
But it appears that we sometimes don’t care about the intent of AI agents.
“If you gave a new employee the keys to your entire office and every filing cabinet on day one, you’d be sweating, right? Yet, that is exactly what many companies do with ai agents by just slapping an api key on them and hoping for the best.”
This is not recommended. See my prior post on attribute-based access control, which led me to focus more on non-person entities (non-human identities).
Back in 2024 I wrote about contraction in the identity/biometric industry.
In retrospect, that industry has been lucky.
At the time I wrote this (yes, this is a scheduled post), I knew of few if any identity/biometric companies that had “right sized” half its staff. 10% maybe, but not 50%.
When I posted (twotimes) the fact that International Mobile Equipment Identity (IMEI) numbers are NOT a reliable way to ascertain the identity of a user, I was pooh-poohed.
Last year I wrote about a biscuit and a football, but I wasn’t talking about the snack spread on game day.
Google Gemini.
I was talking about the tools the United States President uses (as Commander-in-Chief) for identity verification to launch a nuclear attack.
But sometimes you have to pass the football. If the President is temporarily or permanently incapacitated in an attack, the Vice President also has a football and a biscuit. Normally the Vice President’s biscuit isn’t activated, but when certain Constitutional criteria are met it becomes operative.
Other than this built-in redundancy, the system assumes one football, one biscuit, and one President.
If you’re a cybersecurity expert, you know this assumption is the assumption of a fool.
It is not impossible to have duplicate functional footballs and duplicate functional biscuits.
And it is not impossible to have duplicate functional Presidents, with identical face, voice, finger, and iris biometrics. Yes, it’s highly unlikely, but it’s not impossible. If the target is important enough, adversaries will spend the money.
Grok.
And most of us will never know the answer to this question, but how do government cybersecurity experts prevent this?
“The Federal Trade Commission sent letters to 13 data brokers warning them of their responsibility to comply with the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFAA).
“PADFAA prohibits data brokers from selling, releasing, disclosing, or providing access to personally identifiable sensitive data about Americans to any foreign adversary, which include North Korea, China, Russia, and Iran, or any entity controlled by those countries. The law defines personally identifiable sensitive data to include health, financial, genetic, biometric, geolocation, and sexual behavior information as well as account or device log-in credentials and government-issued identifiers such as Social Security, passport, or driver’s license numbers.”
Although frankly it’s not a good idea to sell PII to our friends either, but that’s another topic.
Bredemarket has adopted two tactics to cut through the slop and ensure my clients’ messages reach those who need to hear it.
Tactic 1: Before I write, I ask
To bound the message I am about to create for an identity/biometric client (or any client), I ask a number of questions. These questions ensure that the question addresses the right people, their concerns, and their fears. I’ve shared seven of my questions elsewhere.
Seven Questions Your Content Creator Should Ask You.
When all the questions are answered, I have a clear roadmap to start writing.
I don’t feed the answers to Bredebot and have it churn out something. I pick the words myself.
Rewrite this. Don’t write it.
Now perhaps I might use generative AI to tweak a phrase or two, but I remain in complete control of the entire creative process.
The result?
I believe, and my clients also believe, that this careful approach to content results in pieces that are differentiated from the mass-churned content of others.
So my clients stand out and aren’t confused with their competitors.
After all, even though Bredebot fakes thirty years of experience in identity and biometrics, it doesn’t really have such experience. I do. That’s why I’m the biometric product marketing expert.
So if you want me, not a bot, to polish your biometric product marketing sentences “until they shine,” let’s talk about how we can move forward.
Bredemarket 