connect:ID 2021 is coming

I have not been to an identity trade show in years, and sadly I won’t be in Washington DC next week for connect:ID…although I’ll be thinking about it.

I’ve only been to connect:ID once, in 2015. Back in those days I was a strategic marketer with MorphoTrak, and we were demonstrating the MorphoWay. No, not the Morpho Way; the MorphoWay.

At connect:ID 2015.

Perhaps you’ve seen the video.

Video by Biometric Update. https://www.youtube.com/watch?v=mqfHAc227As

As an aside, you’ll notice how big MorphoWay is…which renders it impractical for use in U.S. airports, since space is valuable and therefore security features need a minimum footprint. MorphoWay has a maximum footprint…just ask the tradespeople who were responsible for getting it on and off the trade show floor.

I still remember several other things from this conference. For example, in those days one of Safran’s biometric competitors was 3M. Of course both Safran and 3M have exited the biometric industry, but at the time they were competing against each other. Companies always make a point of checking out the other companies at these conferences, but when I went to 3M’s booth, the one person I knew best (Teresa Wu) was not at the booth. Later that year, Teresa would leave 3M and (re)join Safran, where she remains to this day.

Yes, there is a lot of movement of people between firms. Looking over the companies in the connect:ID 2021 Exhibitor Directory, I know people at a number of these firms. Obviously people from IDEMIA, of course (IDEMIA was the company that bought Safran’s identity business), but I also know people at other companies, all of whom who were former coworkers at IDEMIA or one of its predecessor companies:

  • Aware.
  • Clearview AI.
  • GET Group North America.
  • HID Global.
  • Integrated Biometrics.
  • iProov.
  • NEC.
  • Paravision.
  • Rank One Computing.
  • SAFR/RealNetworks.
  • Thales.
  • Probably some others that I missed.

And I know people at some of the other companies, organizations, and governmental entities that are at connect:ID this year.

Some of these entities didn’t even exist when I was at connect:ID six years ago, and some of these entities (such as Thales) have entered the identity market due to acquisitions (in Thales’ case, the acquisition of Gemalto, which had acquired 3M’s biometric business).

So while I’m not crossing the country next week, I’m obviously thinking of everything that will be going on there.

Incidentally, this is one of the last events of the trade show season, which is starting to wind down for the year. But it will ramp up again next spring (for you Northern Hemisphere folks).

Bredemarket remembers the Southern Hemisphere, even though Bredemarket only does business in the United States. https://www.youtube.com/watch?v=HtZCQiN3n50

Regardless of where you are, hopefully the upcoming trade show season will not be adversely impacted by the pandemic.

A view of 9/11 from the 9/11 Commission’s border counsel

There are different ways to look at 9/11. I’m familiar with the reconstructions of Vice President Cheney’s actions in Washington on that day, and of President Bush as he flew around the country on that day (the only plane in the sky).

But what about the activities of the hijackers on that day, and in the months preceding that day?

All of this was examined by the 9/11 Commission. As a result of its investigation, this body made significant recommendations, some of which have only taken nearly two decades to implement, assuming they ARE implemented as (re) scheduled.

By Cleanup by Andrew_pmk (talk · contribs); straightened and cropped by Holek (talk · contribs) – http://www.9-11commission.gov/press/911report_cover_HIGHRES.jpg, Public Domain, https://commons.wikimedia.org/w/index.php?curid=2376314

Janice Kephart was border counsel to the 9/11 Commission, and has been involved in homeland security ever since that time. She is currently CEO and Owner of Identity Strategy Partners.

As the 20th anniversary of 9/11 approaches, Kephart has released a documentary. As she explains, the documentary contains a wealth of information from the 9/11 Commission’s investigation of the hijackers, much of which was never officially released. Her hope:

If we are never to forget, we must educate. That is the purpose of this documentary. It is history, it is legacy, from the person who knows the details of the hijacker’s border story and has continued to live it for the past 20 years. I hope it resonates and educates.

When listening to Kephart’s documentary, keep in mind how much our world has changed since 9/11. Yes, you went through a security screening before you boarded a plane, but it was nothing like the security screenings that we’ve gotten used to in the last 20 years. Before 9/11, you could walk all the way up to the gate to send off departing passengers or greet arriving ones. And identity documents were not usually cross-checked against biometric databases to make sure that applicants were telling the truth.

I personally was not as familiar with the stories of the hijackers as I was with the stories of Bush and Cheney. The documentary provides a wealth of detail on the hijackers. (Helpful hint: don’t be afraid to pause the video when necessary. There’s a lot of visual information to absorb.)

Toward the end of the documentary, Kephart concentrates on Mohamed Atta’s return to the U.S. in January 2001, when his tourist visa had already expired and his student visa application was still pending. Kephart notes that Atta shouldn’t have been allowed back into the country, but that he was let in anyway. The details regarding Atta’s January 2001 entry are discussed in detail in a separate report (see section III.B).

(Incidentally, Atta’s student visa application wasn’t approved until July 2001, and his flight school wasn’t notified until 2002.)

Kephart wonders what might have happened if Mohamed Atta had been denied re-entry into the United States in January 2001 because of the visa irregularities. Since Atta was the ringleader and the driving force behind the attack, would the denial of entry have delayed or even terminated the 9/11 attack plans?

If you want to view the documentary, it is hosted on YouTube.

IATA endorses the EUDCC. But will it matter?

In a Bredemarket blog post in February 2021, I quoted something that I wrote in 2013 in one of my personal blogs, Empoprise-BI.

I’m sure that many people imagine that standards are developed by a group of reasonable people, sitting in a room, who are pursuing things for the good of the world.

You can stop laughing now.

As I noted back in 2013, and again in February, there are many instances in which standards do not evolve from a well-designed process. In reality, standards emerge via that process that I referred to in February as “brute force.”

By イーストプレス – 「ゴング格闘技」=1951年のブラジル地元新聞からの転載, Public Domain, https://commons.wikimedia.org/w/index.php?curid=13320163

For those who are not familiar with the “brute force” process, I’ll provide two illustrations.

  • If a lot of people like something, it’s a standard.
  • If a trillion dollar company likes something, and I like something different, then the thing that the trillion dollar company likes is a standard.

If two trillion dollar companies like two different things…it can get messy.

Back in February, I was just beginning to talk about something that I called “health passports” at the time. Later, I personally decided that “health passports” is a poor choice of words, and have instead gravitated to using the phrase “vaccine certificate.”

Regardless, my concern back in February was that there were all sorts of these things floating around. Even back then, Clear had its own solution, IATA had one, IBM had one, iProov had one, Daon had one, and there were many, many more.

So what happens if I have a Clear vaccine certificate but the airline or building that I’m approaching supports the iProov certificate? Can the iProov certificate read the Clear certificate? Or do I have to get multiple certificates?

This post looks at a new development in the vaccine certificate brouhaha. I’m not talking about what vaccines are honored by the vaccine certificate, but about acceptability of the vaccine certificates themselves. In particular, I’m talking about acceptance of one certificate, the EU Digital COVID Certificate (EUDCC).

Because one big player is getting behind it.

How do international air transport folks feel about the EUDCC?

While the EUDCC can conceivably be used for a number of use cases, such as entering a private business like a restaurant, one of the most popular use cases for the EUDCC is to board an airplane that is crossing an international border.

So if there was an organization that was dedicated to the business of flying airplanes across international borders, and if that organization thought that the EUDCC was pretty cool, then that endorsement would have as much pull as Google (and Facebook) endorsing a web image format.

Enter the (drumroll) International Air Transport Association, which issued a press release on 26 August.

The title?

“IATA Backs European Digital Covid Certificate as Global Standard.”

Now those who read my February post will recall that IATA was one of those groups that was already developing its own vaccination certificate. So how does the EUDCC compare with the the IATA Travel Pass?

The DCC…is fully supported by IATA Travel Pass.

But in addition to mere self-interest, there is another reason why IATA is endorsing the EUDCC: it’s supported by a lot of countries inside the EU, and other countries are looking at the EUDCC as a model.

The EU DCC is implemented in the 27 EU Member states and a number of reciprocal agreements have been agreed with other states’ own vaccination certificates, including Switzerland, Turkey, and Ukraine. In the absence of a single global standard for digital vaccination certificates, up to 60 other countries are looking to use the DCC specification for their own certification. 

Oh no, I’m just looking

However, it’s one thing to be “looking” at something, and another thing entirely to actually “do” something.

Before assuming that the EUDCC will become the de facto DCC, consider how two countries in particular will approach it.

This image or media was taken or created by Matt H. Wade. To see his entire portfolio, click here. @thatmattwade This image is protected by copyright! If you would like to use it, please read this first. – Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=5004719

One of those countries is my own, the United States of America. While one can argue whether or not the U.S. enjoys the same level of power that it enjoyed immediately after the end of the Cold War, it is still a major player in world economic and travel affairs. And regardless of who the President of the United States is at any given time, the U.S. has often decided to go its own way. Couple this with the power of individual U.S. states in my country’s federal system, and it’s quite possible that even if the U.S. goes along with IATA, and some form of the EUDCC is adopted by our Transportation Security Administration, that does not necessarily mean that the same certificate can be used as it is in Europe to grant access to museums, sporting events, and concerts.

The other country that may have an issue with the EUDCC is China. If the United States is potentially a waning world power, China is potentially a gaining world power. The relationship between China and the rest of the world varies from time to time and from issue to issue. China may decide that it’s not in its best interest to adhere to an international standard for certifications of COVID vaccination, testing, or contraction. And if it’s not in China’s best interest, China won’t do it.

So before declaring that IATA endorsement of the EUDCC settles the issue…we’ll see.

In this post, “NGI” stands for Non-Governmental Identity

I admit to my biases.

As a former long-time employee of a company that provides finger and face technology for the Federal Bureau of Investigation’s Next Generation Identification (NGI) system, as well as driver’s license and passport technology in the United States and other countries, I am reflexively accustomed to thinking of a proven identity in governmental terms.

Because the government is always here to help.

From World War II. By Packer, poster artist, Artist (NARA record: 8467744) – U.S. National Archives and Records Administration, Public Domain, https://commons.wikimedia.org/w/index.php?curid=16929857

What this means in practice is that whenever I see a discussion of a proven identity, I reflexively assume that the identity was proven through means of some type of governmental action.

  • Perhaps the identity was tied to a driver’s license identity maintained by a state agency (and checked against other states via AAMVA’s “State to State” to ensure that there are no duplicate identities).
  • Or perhaps the identity was proven via the use of a database maintained by a government agency, such as the aforementioned NGI or perhaps a database such as the CODIS DNA database.

However, I constantly have to remind myself that not everyone thinks as I do, and that for some people an identity proven by governmental means is the worst possible scenario.

Use of DNA for humanitarian efforts

Take an example that I recently tweeted about.

I recently read an article from Thermo Fisher Scientific, which among other things provides a slew of DNA instruments, software, and services for both traditional DNA and rapid DNA.

One of the applications of DNA is to prove family relationships for migrants, especially after families were separated after border crossings. This can be done in a positive sense (to prove that a separated parent and child ARE related) or in a negative sense (to prove that a claimed parent and child are NOT related). However, as was noted in a webinar I once attended, DNA is unable to provide any verification of legitimate adoptions.

By Nofx221984 – Own work, Public Domain, https://commons.wikimedia.org/w/index.php?curid=7429871

Regardless of the purpose of using DNA for migrants, there is a certain level of distrust among the migrants when the government says (presumably in Spanish), “We’re the government. We’re here to help.” You don’t have to be a rabid conspiracy theorist to realize that once DNA data is captured, there is no technical way to prevent the data from being shared with every other government agency. Certain agencies can establish business rules to prevent such sharing, but those business rules can include wide exceptions or the rules can be ignored entirely.

Therefore, Thermo Fisher Scientific decided to discuss humanitarian DNA databases.

As a result of migration, human trafficking and war, humanitarian databases are a relatively new concept and are often completely separate from criminal databases. Research has shown that family members may distrust government databases and be reluctant to report the missing and provide reference samples (1). Humanitarian databases are repositories of DNA profiles from reported missing persons, relative reference samples, and unknown human remains and may be managed by non-governmental organizations (NGOs), though in some instances they may be managed by a governmental institution but kept separate from criminal databases. Examples of humanitarian databases can be found in the United States (NamUsUniversity of North Texas HDID), Canada (Royal Canadian Mounted Police), Australia (National DNA Program for unidentified and missing persons) and internationally via the International Commission on Missing Persons (ICMP).

As you can see from the list, some of these databases ARE managed by government police agencies such as the RCMP. But others are not. The hope, of course, is that migrants would be willing to approach the humanitarian folks precisely BECAUSE they are not the police. Reluctance to approach ANY agency may be dampened by a desire to be reunited with a missing child.

And these non-governmental efforts can work. The Colibri Center claims to have performed 142 identifications that would not have been made otherwise.

Reluctance to set national standards for mobile driver’s licenses

Because of my (biased) outlook, mobile driver’s licenses and other applications of government-proven digital identity seem like a wonderful thing. The example that I often bore you with is the example of buying a drink at a bar. If someone does this with a traditional driver’s license, the bartender not only learns the drinker’s birthdate, but also his/her address, (claimed) height and weight, and other material irrelevant to the “can the person buy a drink?” question. With a mobile driver’s license, the bartender doesn’t even learn the person’s birthdate; the bartender only learns the one important fact that the drinker is over 21 years of age.

Some people are not especially wowed with this use case.

The DHS Request for Comment has finally closed, and among the submissions is a joint response from the American Civil Liberties Union, Electronic Frontier Foundation (EFF), & Electronic Privacy Information Center (EPIC). The joint response not only warns about potential misuse of government digital identities, but also questions the rush of establishing them in the first place.

We believe that it is premature to adopt industry standards at this time as no set of standards has been completed that fully takes advantage of existing privacy-preserving techniques. In recent decades we have seen the emergence of an entire identity community that has been working on the problems of online identity and authorization. Some within the identity community have embraced centralized and/or proprietary systems…

You can imagine how the ACLU, EFF, and EPIC feel about required government-managed digital identities.

Is a Non-Governmental Identity (NGI) feasible and reliable?

Let’s return to the ACLU/EFF/EPIC response to the DHS Request for Comment, which mentions an alternative to centralized, proprietary maintenance of digital identities. This is the alternative that I’m referring to as NGI just to cause MAC (massive acronym confusion).

…others are animated by a vision of “self-sovereign
identity” that is decentralized, open source, privacy-preserving, and empowering of individuals. That movement has created a number of proposed systems, including an open standard created by the World Wide Web Consortium (W3C) called Verifiable Credentials (VCs)….

DHS should refuse to recognize IDs presented within centralized identity systems. If a standard digital identity system is to be accepted by the federal government, it must be created in an open, transparent manner, with the input of multiple stakeholders, and based upon the self-sovereign identity concept. Such a system can then be used by federal government agencies to view identity credentials issued by state departments of motor vehicles (DMVs) where doing so makes sense. If standards based on self-sovereign identity are not considered mature enough for adoption, efforts should be directed at rectifying that rather than at adopting other systems that raise privacy, security, and autonomy risks.

For all practical purposes, the chances of the ACLU/EFF/EPIC convincing the Department of Homeland Security to reject government-proven identities are approximately zero. And since DHS controls airport access, you probably won’t see an airport security agent asking for your Verifiable Credentials any time soon. Self sovereign identities are just as attractive to government officials as sovereign citizens.

Who issues Verifiable Credentials?

As ACLU/EFF/EPIC noted, Verifiable Credentials are still under development, just as the centralized system standards are still under development. But enough advances have been made so that we have somewhat of an idea what they will look like. As Evernym notes, there is a trusted triangle of major players in the Verifiable Credentials ecosystem:

There are a number of directions in which we can go here, but for the moment I’m going to concentrate on the Issuer.

In the current centralized model being pursued in the United States, the issuers are state driver’s license agencies that have “voluntarily” consented to agree to REAL ID requirements. Several states have issued digital versions of their driver’s licenses which are recognized for various purposes at the state level, but are not yet recognized at the federal level. (The purpose of the DHS Request for Comment was to solicit thoughts on federal adoption of digital identities. Or, in the case of some respondents, federal NON-adoption of digital identities.)

Note that in the Verified Credentials model, the Issuer can be ANYBODY who has the need to issue some type of credential. Microsoft describes an example in which an educational institution is an Issuer that represents that a student completed particular courses.

Without going into detail, the triangle of trust between Issuers, Verifiers, and Holders is intended to ensure that a person is who they say they are. And to the delight of the ACLU et al, this is performed via Decentralized Identifiers (DIDs), rather than by centralized management by the FBI or the CIA, the BBC, B. B. King, Doris Day, or Matt Busby. (Dig it.)

But NGIs are not a cure-all

Despite the fact that they are not controlled by governments, and despite that fact that users (at least theoretically) control their own identities, no one should think that digital identities are the solution to all world problems…even when magic paradigm-shifting words like “blockchain” and “passwordless” are attached to them.

Here’s what McKinsey has said:

…even when digital ID is used with good intent, risks of two sorts must be addressed. First, digital ID is inherently exposed to risks already present in other digital technologies with large-scale population-level usage. Indeed, the connectivity and information sharing that create the value of digital ID also contribute to potential dangers. Whether it is data breaches and cyber-intrusions, failure of technical systems, or concerns over the control and misuse of personal data, policy makers around the world today are grappling with a host of potential new dangers related to the digital ecosystem.

Second, some risks associated with conventional ID programs also pertain in some measure to digital ID. They include human execution error, unauthorized credential use, and the exclusion of individuals. In addition, some risks associated with conventional IDs may manifest in new ways as individuals newly use digital interfaces. Digital ID could meaningfully reduce many such risks by minimizing opportunity for manual error or breaches of conduct.

In addition, many of these digital identity initiatives are being pursued by large firms such as IBM and Microsoft. While one hopes that these systems will be interoperable, there is always the danger that the separate digital identity systems from major firms such as IBM and Microsoft may NOT be interoperable, in the same way that the FBI and DHS biometric systems could NOT talk to each other for several years AFTER 9/11.

And it’s not only the large companies that are playing in the market. Shortly after I started writing this post, I ran across this LinkedIn article from the Chief Marketing Officer at 1Kosmos. The CMO makes this statement in passing:

At 1Kosmos, we’ve taken our FIDO2 certified platform one step further with a distributed identity based on W3C DID standards. This removes central administration of the database via a distributed ledger for true “privacy by design,” putting users in sole access and control of their identity.

1Kosmos, IBM, and Microsoft know what they’re talking about here. But sadly, some people only think these technologies are “cool” because they’re perceived as anti-government and anti-establishment. (As if these companies are going to call for the downfall of capitalism.)

Which identiy(ies) will prevail?

Back to governmental recognition of NGI.

Don’t count on it.

Anticipated DHS endorsement of government-issued digital identities doesn’t mean that NGI is dead forever, since private companies can adopt (and have adopted) any identity system that they wish.

So in truth we will probably end up with a number of digital identities like we have today (I, for example, have my WordPress identities, my Google identities, and countless others). The difference, of course, is that the new identities will be considered robust – or won’t be, when centralized identity proponents denigrate decentralized identities and vice versa.

But frankly, I’m still not sure that I want Facebook to know how much I weigh.

(Although, now that I think about it, Apple already knows.)

(Bredemarket Premium) The big biometric firms and the even bigger tech firms

When I was part of an industry in which the three major players were my employer IDEMIA and its competitors NEC and Thales, I was always aware of a potential threat to these three multi-billion dollar biometric companies. Specifically, there were much, much bigger technology companies (both inside and outside of Silicon Valley) with huge resources and extensive artificial intelligence experience. These firms could put the three biometric firms out of business at any time.

By Syassine – Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=31368987

But is this threat a real threat? Or is it overstated?

Subscribe to get access

Subscribe to Bredemarket Premium to access this premium content.

  • Subscriptions just $5 per month.
  • Access Bredemarket’s expertise without spending hundreds or thousands of dollars.

(Bredemarket Premium) Watch a new security market evolve

Markets come and go.

When I first joined the biometrics industry in the 1990s, biometric benefits (welfare) applications were hot in the United States as states and localities deployed biometric verification solutions for benefits recipients.

However, the landscape changed over the years, and most of those biometric systems have since been shut down.

Of course, new markets also appear.

Nokia 3310 3G (20180116). By Santeri Viinamäki, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=65577308

If someone had told me in 1994 that we would use biometrics to “unlock” our phones, I would have had no idea what the person was talking about. Why would we need to unlock our phone, anyway? Sure, if a thief grabbed my cell phone, the thief could make a long distance call to another state. But it’s not like the thief could access my bank account via an unlocked cell phone, right?

And there are other markets.

Subscribe to get access

Subscribe to Bredemarket Premium to access this premium content.

  • Subscriptions just $5 per month.
  • Access Bredemarket’s expertise without spending hundreds or thousands of dollars.

Franchisees and BIPA

In other contexts, I have written about the relationship between franchisors and franchisees, which in some respects is similar to the way gig drivers work “with” (not “for”) Uber, Lyft, and the like. In many cases, the products that are advertised by a particular company are not made by that company, but by a franchisee of that company who is entirely separate from the parent company, but who is responsible for doing things the way the parent company wants them done. If you’re a franchisee, you CAN’T…um…”have it your way.”

This Whopper probably wasn’t made by Burger King itself, but by a franchisee of Burger King. By Tokfo – Own work, CC0, https://commons.wikimedia.org/w/index.php?curid=37367904

Speaking of which, here is an example of an article that confuses franchisor and franchisee. The Buzzfeed article, in typical Buzzfeed style, is entitled “This Is What Happened After A Bunch Of Employees At A Burger King Quit.” (Because of malfunctioning air conditioning, a number of employees put in their two weeks’ notice, leaving a “We All Quit” sign as they left.) You have to read ANOTHER article (from NBC) to find this little statement:

“Our franchisee is looking into this situation to ensure this doesn’t happen in the future,” a Burger King spokesperson said.

Yes, the employees’…um…beef wasn’t with Burger King itself (or its Brazilian/Canadian/American parent Restaurant Brands International), but with whoever manages the local franchise.

Well, now this world of franchisors and franchisees has entered the biometric world, according to a post in Greensfelder, a self-described “franchising & distribution law blog.”

Greensfelder’s post starts by explaining to its readers what BIPA is (something you already know if you read MY blog) and how franchisees are affected.

Plaintiffs are suing both franchisors and franchisees. Franchisors are being sued for collecting the information themselves for their own employees and also for the actions of their franchisees on theories of joint and several liability, vicarious liability, agency and alter ego. A recently filed case alleges that a franchisor mandates and controls virtually every aspect of its franchise locations, including the use of certain equipment that collects biometric information to track employees’ time and attendance and to monitor cash register systems for fraud.

This benefits the lawyers, who get to collect double the damages by claiming that both the franchisor and the franchisee are separately liable.

Greensfelder’s takeaway for franchisors:

Franchisors should be careful about mandating franchisee use of biometric procedures and devices without first checking applicable law and also making sure that their own policies and procedures are in compliance with those laws.

I’m not sure who is providing takeaways for franchisees.

Other than the usual advice to read the franchise agreement very, very carefully.

Biometrics IS the financial sector

“Have to update my chart again.”

C. Maxine Most of Acuity Market Intelligence. From https://twitter.com/cmaxmost/status/1418306725510193152

Since I’m treading into financial territory here, I should disclose that Bredemarket has financial relationships with one or more of the companies mentioned in this post. This is not investment advice, do your own due diligence, bla bla bla.

I don’t monitor the market enough to know if this is part of an overall trend, but there has been a lot of biometric and digital identity investment recently. Both Biometric Update and FindBiometrics (and other publications such as FinLedger) have written about some of these recent investments, and IPVM has published its acquisition analysis (for subscribers only). Here’s a partial list of the biometric and/or digital identity companies who have received new funding (via investors, IPO, or acquisitions) recently:

I am not a financial expert (trust me on this), but I suspect that these companies are benefiting from two contradictory factors.

  • The apparent WANING of the COVID threat suggests better market performance in the future.
  • Some biometric and digital identity investments are very attractive precisely BECAUSE of the COVID threat, and the resulting attractiveness of remote and touchless technologies.

Of course, markets run in cycles, and it’s hard to predict if this is just the beginning of money flowing to biometrics/digital identity companies, or if all of this will suddenly come to a grinding halt. Remember how hot so-called “fever scanners” were a year ago, until their deficiencies were identified? And remember how Microsoft was prompted to divest from Anyvision not too long ago?

It’s possible that a number of external factors, such as an increase in government bans of facial recognition use, consumer resistance to digital identity, or the entry (or re-entry) of much larger players into the biometrics and/or digital identity markets, could dampen the revenue hopes for these funded companies.

Of course, investors are used to analyzing risk, and in many cases the investments with higher risk can yield the greater rewards.

It’s all just a game.

You will soon deal with privacy stakeholders (and they won’t care about the GYRO method)

I’ve written about the various stakeholders at government agencies who have an interest in biometrics procurements- not only in this post, but also in a post that is available to Bredemarket Premium subscribers. One of the stakeholders that appeared on my list was this one.

The privacy advocate who needs to ensure that the biometric data complies with state and national privacy laws.

Broken Liberty: Istanbul Archaeology Museum. By © Nevit Dilmen, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=1115936

If you haven’t encountered a privacy advocate in your marketing or proposal efforts…you will.

Utah Gov. Spencer Cox has appointed Christopher Bramwell as the Department of Government Operations’ first privacy officer….As privacy officer, Bramwell will be responsible for surveying and compiling information about state agencies’ privacy practices to discern which poses a risk to individual privacy. He will also work with the personal privacy oversight commission and state privacy officer to provide government privacy practice reports and recommendations.

Obviously this affects companies that work with government agencies on projects such as digital identity platforms. After all, mobile driver’s licenses contain a wealth of personally identifiable information (PII), and a privacy advocate will naturally be concerned about who has access to this PII.

But what about law enforcement? Do subjects in law enforcement databases have privacy rights that need to be respected? After all, law enforcement agencies legally share PII all the time.

However, there are limitations on what law enforcement agencies can share.

  • First off, remember that not everyone in a law enforcement database is an arrested individual. For example, agencies may maintain exclusion databases of police officers and crime victims. When biometric evidence is found at a crime scene, agencies may compare the evidence against the exclusion database to ensure that the evidence does not belong to someone who is NOT a suspect. (This can become an issue in DNA mixtures, by the way.)
  • Second off, even arrested individuals have rights that need to be respected. While arrested individuals lose some privacy rights (for example, prisoners’ cells can be searched and prisoners’ mail can be opened), a privacy advocate should ensure that any system does not deny prisoners protections to which they are entitled.

So expect to see a raised concern about privacy rights when dealing with law enforcement agencies. This concern will vary from jurisdiction to jurisdiction based upon the privacy (and biometric) laws that apply in each jurisdiction, but vendors that do business with government agencies need to stay abreast of privacy issues.

A little more about stakeholders, or actors, or whoever

Whether you’re talking about stakeholders in a government agency, stakeholders at a vendor, or external stakeholders, it’s important to identify all of the relevant stakeholders.

Or whatever you call them. I’ve been using the term “stakeholders” to refer to these people in this post and the prior posts, but there are other common terms that could be used. People who construct use cases refer to “actors.” Marketers will refer to “personas.”

Whatever term you use, it’s important to distinguish between these stakeholders/actors/personas/whatever. They have different motivations and need to be addressed in different ways.

When talking with Bredemarket clients, I often need to distinguish between the various stakeholders, because this can influence my messaging significantly. For example, if a key decision-maker is a privacy officer, and I’m communicating about a fingerprint identification system, I’m not going to waste a lot of time talking about the GYRO method.

My time wouldn’t be wasted effort if I were talking to a forensic examiner, but a privacy advocate just wouldn’t care. They would just sit in silence, internally musing about the chances that a single latent examiner’s “green” determination could somehow expose a private citizen to fraud or doxxing or something.

This is why I work with my clients to make sure that the messaging is appropriate for the stakeholder…and when necessary, the client and I jointly develop multiple messages for multiple stakeholders.

If you need such messaging help, please contact Bredemarket for advice and assistance. I can collaborate with you to ensure that the right messages go to the right stakeholders.

Biometric (and other) authentication CAN be spoofed…but it isn’t easy

A few days ago, Liam Tung of ZDNet wrote an article entitled “Windows 10 security: Here’s how researchers managed to fool Windows Hello.”

Those who read the title of the article may conclude that biometrics is a terrible authentication method because it can be spoofed.

Just a picture of candy. Nothing special. By Jebulon – Own work, CC0, https://commons.wikimedia.org/w/index.php?curid=27753729

Well, until they come to the third paragraph of the article.

The attack is quite elaborate and would require planning, including being able to acquire an infrared (IR) image of the target’s face and building a custom USB device, such as a USB web camera, that will work with Windows Hello. The attack exploits how Windows 10 treats these USB devices and would require the attacker to have gained physical access to the target PC.

Of course, if the target is a really important target such as a world leader, it might be worth it to go to all of that effort to execute the attack.

However, the difficult attack would be much more difficult to execute if the authentication system required multiple biometrics, rather than just one.

And the attack would be even more difficult still if the authentication system employed multiple authentication factors, rather than the single “something you are” factor. If you have to spoof the fingerprint AND the face AND the driver’s license AND the five digit PIN AND the geolocation, and you don’t know in advance WHICH factors will be requested, it’s still possible to gain access, but it’s not easy.