Identity/biometrics/technology marketing and writing services
Identity/biometric firms: does anyone know who you are?
Who can help your firm create content?
Who knows identity/biometrics:
Who can provide content:
I know who can help.
Contact Bredemarket: https://bredemarket.com/contact/
Identity professionals, what’s in a name?
You cannot uniquely identity someone by name alone.
A unique identification relies on multiple factors.
If your firm desires to tell a story about how your identity solution surpasses name-based solutions, Bredemarket can help.
If you book a free 30 minute meeting with Bredemarket, you’ll now find an additional option in the “What Type of Content Do You Need?” section: Market/competitor analysis. I’ve done these for years, but never added the option to the form.
My analyses ONLY use publicly available information that is NOT subject to NDA. So you won’t get access to the analyses I’ve performed for other clients, and they won’t get access to the analysis I prepare for you.
While I primarily provide these analyses in the identity/biometrics industry, I’m open to discussing analysis needs in other industries.
Book a meeting to discuss your content needs.
(Part of the biometric product marketing expert series)
Yes, I know the differences between the various factors of authentication.
Let me focus on two of the factors.
There’s a very clear distinction between these two factors of authentication: “something you are” for people, and “something you have” for things.
But what happens when we treat the things as beings?
Who, or what, possesses identity?
I’ve spent a decade working with automatic license plate recognitrion (ALPR), sometimes known as automatic number plate recognition (ANPR).
Actually more than a decade, since my car’s picture was taken in Montclair, California a couple of decades ago doing something it shouldn’t have been doing. I ended up in traffic school for that one.
Now license plate recognition isn’t that reliable of an identifier, since within a minute I can remove a license plate from a vehicle and substitute another one in its place. However, it’s deemed to be reliable enough that it is used to identify who a car is.
Note my intentional use of the word “who” in the sentence above.
These days, it’s theoretically possible (where legally allowed) to identify the license plate of the car AND identify the face of the person driving the car.
But you still have this strange merger of who and what in which the non-human characteristics of an entity are used to identify the entity.
What you are.
But that’s nothing compared to what’s emerged over the past few years.
When the predecessors to today’s Internet were conceived in the 1960s, they were intended as a way for people to communicate with each other electronically.
And for decades the Internet continued to operate this way.
Until the Internet of Things (IoT) became more and more prominent.
How prominent? The Hacker News explains:
Application programming interfaces (APIs) are the connective tissue behind digital modernization, helping applications and databases exchange data more effectively. The State of API Security in 2024 Report from Imperva, a Thales company, found that the majority of internet traffic (71%) in 2023 was API calls.
Couple this with the increasing use of chatbots and other artificial intelligence bots to generate content, and the result is that when you are communicating with someone on the Internet, there is often no “who.” There’s a “what.”
What you are.
Between the cars and the bots, there’s a lot going on.
There are numerous legal and technical ramifications, but I want to concentrate on the higher meaning of all this. I’ve spent 29 years professionally devoted to the identification of who people are, but this focus on people is undergoing a seismic change.
The science fiction stories of the past, including TV shows such as Knight Rider and its car KITT, are becoming the present as we interact with automobiles, refrigerators, and other things. None of them have true sentience, but it doesn’t matter because they have the power to do things.
In the meantime, the identification industry not only has to identify people, but also identify things.
And it’s becoming more crucial that we do so, and do it accurately.
“If you’re not careful, you might learn something before it’s done.”
(Quote from William H. Cosby, M.A., Ed.D., L.H.D. (resc), from the Fat Albert TV show theme song. From https://www.streetdirectory.com/lyricadvisor/song/upujwj/fat_albert/.)
When I write about space aliens, there’s a reason. And that reason may be to warn identity vendors that silence is NOT golden.
As a frequent reader and writer on LinkedIn, I’ve seen all the tips and tricks to drive engagement. One popular trick is to make up a story that will resonate with the LinkedIn audience.
For example, the writer (usually a self-proclaimed career expert who is ex-FAANG) will tell the entirely fictional story of a clueless hiring manager and an infinitely wise recruiter. The clueless hiring manager is shocked that a candidate accepted a competing job offer. “Didn’t she like us?” asks the hiring manager. The wise recruiter reminds the clueless hiring manager that the candidate had endured countless delays in numerous interviews with the company, allowing another company to express interest in and snatch her.
Job seekers have endured countless delays in their own employment searches. When they read the post, they hoot and holler for the candidate and boo the clueless hiring manager. Most importantly, readers like and love the writer’s post until it goes viral, making the author an ex-FAANG top recruiting voice.
Even though no sources are cited and the story is fictional, it is very powerful.
Well…until you’ve read the same story a dozen times from a dozen recruiters. Then it gets tiresome.
But those fake stories powerfully drive clicks on LinkedIn, so I wanted to get in on the action. But I was going to add two wrinkles to my fake story.
First, I would explicitly admit that my story is fake. Because authenticity. Sort of.
Second, my story would include space aliens to make it riveting. And to hammer the point that the story is fake.
Now I just had to write a fake story with space aliens.
Or did I?
It turned out that I had already written a fake story. It didn’t have space aliens, but I liked the story I had spun in the Bredemarket blog post “(Pizza Stories) Is Your Firm Hungry for Awareness?”
I just needed to make one of the characters a space alien, and since Jones was based on the striking Grace Jones, I went ahead and did it. If you can imagine Grace Jones with tentacles, two noses, and eight legs.
With a few additional edits, my fake space alien story was ready for the Sunday night LinkedIn audience.
As the space alien’s tentacles quivered, I snuck something else into the LinkedIn story—some facts.
Kids who watched Fat Albert on TV not only enjoyed the antics, but also learned an Important Life Lessons. Now I don’t have multiple advanced degrees like Cosby, but then again I never had multiple degrees rescinded either.
But my life lesson wasn’t to stay in school or pull your pants up. My life lesson was to blog. The lesson was in the form of a statement by Jones’ humanoid colleague Smith, taken verbatim from the Pizza Stories post.
“Take blogging,” replied Smith. “The average company that blogs generates 55% more website visitors. B2B marketers that use blogs get 67% more leads than those who do not. Marketers who have prioritized blogging are 13x more likely to enjoy positive ROI. And 92% of companies who blog multiple times per day have acquired a customer from their blog.”
The stats originally appeared in an earlier post, “How Identity and Biometrics Firms Can Use Blogging to Grow Their Business.”
And the fake story also talked about companies (unnamed, but real) who ignored these facts and remained silent on their blog and social channels.
A huge mistake, because their competitors ARE engaging with their prospects, with real stories.
Is your company making the same mistake?
I guess I should mention David Byrne. OK, I did.
The FBI and others are letting us know that June 3 through June 9 is Medicare Fraud Prevention Week. Pro Seniors:
Fraud costs Medicare an estimated $60 billion per year. It costs Medicare beneficiaries in time, stress, their medical identities, and potentially their health. It costs families, friends, and caregivers in worry and lost work when helping their loved ones recover from falling victim to Medicare fraud.
Of course my primary interest in the topic is ensuring that only the proper people can access Medicare data, preferably through a robust method of identity verification that uses multiple factors.
Not multiple modalities, especially ones that are well-known such as your Social Security Number and your mother’s maiden name.
Multiple factors, such as your government-issued driver’s license, your biometrics, and your geolocation.
For more information, see what these vendors are saying about using biometrics to counter healthcare fraud attempts.
Basically, the difference between “recognition” and “analysis” in this context is that recognition identifies an individual, while analysis identifies a characteristic of an individual….The age of a person is another example of analysis. In and of itself an age cannot identify an individual, since around 385,000 people are born every day. Even with lower birth rates when YOU were born, there are tens or hundreds of thousands of people who share your birthday.
Here’s what ilovemyqa said on Instagram:
(Part of the biometric product marketing expert series)
Normal people look forward to the latest album or movie. A biometric product marketing expert instead looks forward to an inaugural test report from the National Institute of Standards and Technology (NIST) on age estimation and verification using faces.
I’ve been waiting for this report for months now (since I initially mentioned it in July 2023), and in April NIST announced it would be available in the next few weeks.
Yesterday I learned of the report’s public availability via a NIST news release.
A new study from the National Institute of Standards and Technology (NIST) evaluates the performance of software that estimates a person’s age based on the physical characteristics evident in a photo of their face. Such age estimation and verification (AEV) software might be used as a gatekeeper for activities that have an age restriction, such as purchasing alcohol or accessing mature content online….
The new study is NIST’s first foray into AEV evaluation in a decade and kicks off a new, long-term effort by the agency to perform frequent, regular tests of the technology. NIST last evaluated AEV software in 2014….
(The new test) asked the algorithms to specify whether the person in the photo was over the age of 21.
Well, sort of. We’ll get to that later.
I was in the middle of a client project on Thursday and didn’t have time to read the detailed report, but I did have a second to look at the current results. Like other ongoing tests, NIST will update the age estimation and verification (AEV) results as these six vendors (and others) submit new algorithms.
This post looks at my three favorite questions:
Why does NIST test age estmation, or anything else?
One of NIST’s six research laboratories is its Information Technology Laboratory (ITL), charged “to cultivate trust in information technology (IT) and metrology.” Since NIST is part of the U.S. Department of Commerce, Americans (and others) who rely on information technology need an unbiased source on the accuracy and validity of this technology. NIST cultivates trust by a myriad of independent tests.
Some of those tests are carried out by one of ITL’s six divisions, the Information Access Division (IAD). This division focuses on “human action, behavior, characteristics and communication.”
While there is a lot of IAD “characteristics” work that excites biometric folks, including ANSI/NIST standard work, contactless fingerprint capture, the Fingerprint Vendor Technology Evaluation (ugh), and other topics, we’re going to focus on our new favorite acronyms, FRTE (Face Recognition Technology Evaluation) and FATE (Face Analysis Technology Evaluation). If these acronyms are new to you, I talked about them last August (and the deprecation of the old FRVT acronym).
Basically, the difference between “recognition” and “analysis” in this context is that recognition identifies an individual, while analysis identifies a characteristic of an individual. So the infamous “Gender Shades” study, which tested the performance of three algorithms in identifying people’s sex and race, is an example of analysis.
The age of a person is another example of analysis. In and of itself an age cannot identify an individual, since around 385,000 people are born every day. Even with lower birth rates when YOU were born, there are tens or hundreds of thousands of people who share your birthday.
And your age matters in the situations I mentioned above. Even when marijuana is legal in your state, you can’t sell it to a four year old. And that four year old can’t (or shouldn’t) sign up for Facebook either.
You can check a person’s ID, but that takes time and only works when a person has an ID. The only IDs that a four year old has are their passport (for the few who have one) and their birth certificate (which is non-standard from county to county and thus difficult to verify). And not even all adults have IDs, especially in third world countries.
So companies like Yoti developed age estimation solutions that didn’t rely on government-issued identity documents. The companies tested their performance and accuracy themselves (see the PDF of Yoti’s March 2023 white paper here). However, there are two drawbacks to this:
Enter NIST, where the scientists took a break from meterological testing or whatever to conduct an independent test. NIST asked vendors to participate in a test in which NIST personnel would run the test on NIST’s computers, using NIST’s data. This prevented the vendors from skewing the results; they handed their algorithms to NIST and waited several months for NIST to tell them how they did.
I won’t go into it here, but it’s worth noting that a NIST test is just a test, and test results may not be the same when you implement a vendor’s age estimation solution on CUSTOMER computers with CUSTOMER data.
NOW let’s turn to the actual report, NIST IR 8525 “Face Analysis Technology Evaluation: Age Estimation and Verification.”
NIST needed a set of common data to test the vendor algorithms, so it used “around eleven million photos drawn from four operational repositories: immigration visas, arrest mugshots, border crossings, and immigration office photos.” (These were provided by the U.S. Departments of Homeland Security and Justice.) All of these photos include the actual ages of the persons (although mugshots only include the year of birth, not the date of birth), and some include sex and country-of-birth information.
For each algorithm and each dataset, NIST recorded the mean absolute error (MAE), which is the mean number of years between the algorithm’s estimate age and the actual age. NIST also recorded other error measurements, and for certain tests (such as a test of whether or not a person is 17 years old) the false positive rate (FPR).
Many of the tests used a “Challenge-T” policy, such as “Challenge 25.” In other words, the test doesn’t estimate whether a person IS a particular age, but whether a person is WELL ABOVE a particular age. Here’s how NIST describes it:
For restricted-age applications such as alcohol purchase, a Challenge-T policy accepts people with age estimated at or above T but requires additional age assurance checks on anyone assessed to have age below T.
So if you have to be 21 to access a good or service, the algorithm doesn’t estimate if you are over 21. Instead, it estimates whether you are over 25. If the algorithm thinks you’re over 25, you’re good to go. If it thinks you’re 24, pull out your ID card.
And if you want to be more accurate, raise the challenge age from 25 to 28.
NIST admits that this procedure results in a “tradeoff between protecting young people and inconveniencing older subjects” (where “older” is someone who is above the legal age but below the challenge age).
NIST also performed a variety of demographic tests that I won’t go into here.
OK, forget about all that. Let’s dig into the results.
It depends.
I’ve covered this before with regard to facial recognition. Because NIST conducts so many different tests, a vendor can turn to any single test in which it placed first and declare it is the best vendor.
So depending upon the test, the best age estimation vendor (based upon accuracy and or resource usage) may be Dermalog, or Incode, or ROC (formerly Rank One Computing), or Unissey, or Yoti. Just look for that “(1)” superscript.
You read that right. Out of the 6 vendors, 5 are the best. And if you massage the data enough you can probably argue that Neurotechnology is the best also.
So if I were writing for one of these vendors, I’d argue that the vendor placed first in Subtest X, Subtest X is obviously the most important one in the entire test, and all the other ones are meaningless.
But the truth is what NIST said in its news release: there is no single standout algorithm. Different algorithms perform better based upon the sex or national origin of the people. Again, you can read the report for detailed results here.
NIST always clarifies what it did and didn’t test. In addition to the aforementioned caveat that this was a test environment that will differ from your operational environment, NIST provided some other comments.
The report excludes performance measured in interactive sessions, in which a person can cooperatively present and re-present to a camera. It does not measure accuracy effects related to disguises, cosmetics, or other presentation attacks. It does not address policy nor recommend AV thresholds as these differ across applications and jurisdictions.
Of course NIST is just starting this study, and could address some of these things in later studies. For example, its ongoing facial recognition accuracy tests never looked at the use case of people wearing masks until after COVID arrived and that test suddenly became important.
As noted above, the test used a Challenge 25 or Challenge 28 model which measured whether a person who needed to be 21 appeared to be 25 or 28 years old. This makes sense when current age estimation technology measures MAE in years, not days. NIST calculated the “inconvenience” to 21-25 (or 28) year olds affected by this method.
While a lot of attention is paid to the use cases for 21 year olds (buying booze) and 18 year olds (viewing porn), states and localities have also paid a lot of attention to the use cases for 13 year olds (signing up for social media). In fact, some legislators are less concerned about a 20 year old buying a beer than a 12 year old receiving text messages from a Meta user.
NIST tests for these in the “child online safety” tests, particularly these two:
However, the visa database is the only one that includes data of individuals with actual ages below age 13. The youngest ages in the other datasets are 14, or 18, or even 21, rendering them useless for the child online safety tests.
The mark of a great researcher is their ability to continue to get funding for their research, which is why so many scientific papers conclude with the statement “further study is needed.”
Here’s how NIST stated it:
Future work: The FATE AEV evaluation remains open, so we will continue to evaluate and report on newly submitted prototypes. In future reports we will: evaluate performance of implementations that can exploit having a prior known-age reference photo of a subject (see our API); consider whether video clips afford improved accuracy over still photographs; and extend demographic and quality analyses.
Translation: if Congress doesn’t continue to give NIST money, then high school students will get drunk or high, young teens will view porn, and kids will encounter fraudsters on Facebook. It’s up to you, Congress.
(Part of the biometric product marketing expert series)
When marketing your facial recognition product (or any product), you need to pay attention to your positioning and messaging. This includes developing the answers to why, how, and what questions. But your positioning and your resulting messaging are deeply influenced by the characteristics of your product.
There are hundreds of facial recognition products on the market that are used for identity verification, authentication, crime solving (but ONLY as an investigative lead), and other purposes.
Some of these solutions ONLY use face as a biometric modality. Others use additional biometric modalities.
Your positioning depends upon whether your solution only uses face, or uses other factors such as voice.
Of course, if you initially only offer a face solution and then offer a second biometric, you’ll have to rewrite all your material. “You know how we said that face is great? Well, face and gait are even greater!”
It’s no secret that I am NOT a fan of the “passwords are dead” movement.
It seems that many of the people that are waiting the long-delayed death of the password think that biometrics is the magic solution that will completely replace passwords.
For this reason, your company might have decided to use biometrics as your sole factor of identity verification and authentication.
Or perhaps your company took a different approach, and believes that multiple factors—perhaps all five factors—are required to truly verify and/or authenticate an individual. Use some combination of biometrics, secure documents such as driver’s licenses, geolocation, “something you do” such as a particular swiping pattern, and even (horrors!) knowledge-based authentication such as passwords or PINs.
This naturally shapes your positioning and messaging.
So position yourself however you need to position yourself. Again, be prepared to change if your single factor solution adopts a second factor.
Every company has its own way of approaching a problem, and your company is no different. As you prepare to market your products, survey your product, your customers, and your prospects and choose the correct positioning (and messaging) for your own circumstances.
And if you need help with biometric positioning and messaging, feel free to contact the biometric product marketing expert, John E. Bredehoft. (Full-time employment opportunities via LinkedIn, consulting opportunities via Bredemarket.)
In the meantime, take care of yourself, and each other.
(Part of the biometric product marketing expert series)
If you’re a biometric product marketing expert, or even if you’re not, you’re presumably analyzing the possible effects to your identity/biometric product from the proposed changes to the Biometric Information Privacy Act (BIPA).
As of May 16, the Illinois General Assembly (House and Senate) passed a bill (SB2979) to amend BIPA. It awaits the Governor’s signature.
What is the amendment? Other than defining an “electronic signature,” the main purpose of the bill is to limit damages under BIPA. The new text regarding the “Right of action” codifies the concept of a “single violation.”
| 2 | (b) For purposes of subsection (b) of Section 15, a |
| 3 | private entity that, in more than one instance, collects, |
| 4 | captures, purchases, receives through trade, or otherwise |
| 5 | obtains the same biometric identifier or biometric information |
| 6 | from the same person using the same method of collection in |
| 7 | violation of subsection (b) of Section 15 has committed a |
| 8 | single violation of subsection (b) of Section 15 for which the |
| 9 | aggrieved person is entitled to, at most, one recovery under |
| 10 | this Section. |
| 11 | (c) For purposes of subsection (d) of Section 15, a |
| 12 | private entity that, in more than one instance, discloses, |
| 13 | rediscloses, or otherwise disseminates the same biometric |
| 14 | identifier or biometric information from the same person to |
| 15 | the same recipient using the same method of collection in |
| 16 | violation of subsection (d) of Section 15 has committed a |
| 17 | single violation of subsection (d) of Section 15 for which the |
| 18 | aggrieved person is entitled to, at most, one recovery under |
| 19 | this Section regardless of the number of times the private |
| 20 | entity disclosed, redisclosed, or otherwise disseminated the |
| 21 | same biometric identifier or biometric information of the same |
| 22 | person to the same recipient. |
So does this mean that Google Nest Cam’s “familiar face alert” feature will now be available in Illinois?
Probably not. As Doug “BIPAbuzz” OGorden has noted:
(T)he amended law DOES NOT CHANGE “Private Right of Action” so BIPA LIVES!
Companies who violate the strict requirements of BIPA aren’t off the hook. It’s just that the trial lawyers—whoops, I mean the affected consumers make a lot less money.
Bredemarket