Does Zero Knowledge Equal Zero Privacy?

Perhaps you’ve heard the joke about an anonymous survey managed by a company’s personnel department. In the joke, one employee received two emails:

  • The first was from HR, announcing the anonymous survey.
  • The second was from the employee’s supervisor, reporting that HR says that the employee is the only person who hasn’t completed the “anonymous” survey.

But maybe it’s not a joke.

Is the zero knowledge/World dream of one unique identity per person actually a curse? According to Biometric Update, Vitalik Buterin of Ethereum fame claims it REMOVES privacy.

“[U]nder one-per-person ID, even if ZK-wrapped, we risk coming closer to a world where all of your activity must de-facto be under a single public identity….

“[T]here can’t be an easily legible hard limit on how many identities you can easily get. If you can only have one identity, you do not have pseudonymity, and you can be coerced into revealing it.”

Buterin believes multiple identities, managed separately, provide concurrent identity and privacy.

I Guess I’m Also the Non-Person Entity Product Marketing Expert

I was recently updating my “biometric product marketing expert” page. Because if you haven’t heard, I am the biometric product marketing expert. There’s even a video and stuff.

Make an impact.

In addition to becoming the biometric product marketing expert by studying the biometric modalities and non-biometric factors associated with a person…I’ve also studied the identification of non-person entities.

Bredemarket and Non-Person Entities

I started this study back on August 20, 2024, when I originally wrote about attribute-based access control.

From NIST.

Since then I’ve continued to write about NPEs.

A lot.

9 times during the second quarter of 2025 alone. I don’t know what got into me on April 9.

And I’ve planned at least one more NPE post before the end of the month, possibly on Thursday.

Because as I previously said (on April 9, of course), if your identity system only manages people, it is flawed.

Now I’ll grant that I’m in the minority when I use the phrase “non-person entity.” The phrase “non-human identity” is much more popular.

But all your people and refrigerators know what I’m talking about.

So do I have to remake the 32 second video…again? This was the third go at it, after my second and first versions.

But you don’t want an NPE writing your content

Trust me. You don’t.

You want me.

Because I’m the…you know.

Schedule a free meeting with me to discuss your content needs.

Bredemarket’s “CPA.”

Possible FinCEN Changes

H/T ComplyAdvantage. From FinCEN.

“[On June 18] the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) held the 62nd semi-annual plenary meeting of the Bank Secrecy Act Advisory Group (BSAAG). Deputy Secretary of the Treasury Michael Faulkender delivered remarks at the event laying out guiding principles for BSA modernization.”

https://www.fincen.gov/news/news-releases/fincen-holds-62nd-bank-secrecy-act-advisory-group-bsaag-plenary

ComplyAdvantage itself states:

“The most eye-catching update is that the Treasury will attempt to “change the AML/CFT [Anti Money Laundering/Combating the Financing of Terrorism] status quo” so the BSA “explicitly permits financial institutions to de-prioritize risks” and direct resources towards higher-risk areas. The Treasury also intends to streamline reporting processes to minimize the SAR [Suspicious Activity Report] and CTR [Currency Transaction Report] burden on organizations.”

https://www.linkedin.com/pulse/us-plans-bsa-modernization-singapore-implements-corporate-iuzxe

Yet Another Video Reel-ease on Monday

[UPDATE: The video is reel-eased.]

I created a new reel for my identity/biometric prospects, but haven’t released it yet.

I’ll release it on Monday, June 23, at 8 am (Pacific Daylight Time).

Where?

I even scheduled a Facebook event. Because Meta wants me to turn every Facebook post into an event, I set one up for Monday at 8 am (Pacific Daylight Time).

Nothing special at the event; I’m not even planning to go live. Just a time to check to see if the video is posted, and to spend 32 seconds watching it.

Enjoy.

HP Instant Ink Users and Identity: 1:1 Person-to-NPE Binding Isn’t Always Enough

How many people should use a SaaS service? If your answer is “only one,” you don’t need to read this post.

Last month I discussed a particular use case in which AI-based non-person entities (NPEs) were bound to the identities of carbon-based life forms. My post “Identity-Bound Non-Person Entities” reviewed the partnership between Anonybit and SmartUp. 

This binding doesn’t need artificial intelligence to work. The NPE may be something as simple as a service.

But how many people can be bound to an NPE?

A company and its service

There is a very large technology company; I won’t reveal the company name, but its initials are HP. And this very large company provides a service; I won’t reveal the service name, but it instantly provides ink for the company’s printers…

Never mind. It turns out that I already discussed HP Instant Ink (Ink as a Service) in the Bredemarket blog before. Plus, the company providing IaaS is no longer known as “the Hewlett-Packard Company,” but as “HP Inc.” So much for my attempts at obfuscation.

The 1:1 binding between me and Instant Ink

Anyway, we did sign up for Instant Ink when we purchased a new printer. Specifically, my HP account was registered as the owner of our Instant Ink account.

(Those of you with a keen eye can already see where this is going.)

As part of the Instant Ink service that we purchased, I can obtain two things:

1. The status of Instant Ink shipments to us

Not that these shipments are all that fast. 

So far we have encountered two instances in which we ran out of ink before the new Instant Ink shipment arrived. 

And when you put a regular ink cartridge into the printer while waiting for the Instant Ink shipment, HP sends a nastygram stating that I put the wrong ink in the printer, and to put Instant Ink in the printer right now.

Um, my Instant Ink is in Pennsylvania, and it will take 10 days to reach California. What am I supposed to do, fly to Pennsylvania and get it?

2. HP support

For our printer, I can obtain support from HP. I will have more to say about HP support later.

First person…or people

Do all of you see the issue now? If not, let me spell it out.

I am married, and my wife and I bought the printer together. But she has no access to shipment tracking or support; only I do.

Actually, I must confess that I gave her my HP login and password. So she has access to the shipment tracking information. But since her name is not John, we assumed that HP would never talk to her about the Instant Ink service that we purchased.

There is something in the (so-called) HP Smart App that allows me to “invite” someone to the printer. But when I tried to “invite” my wife, HP briefly flashed a message saying that I could not invite my wife because she already had an HP personal account.

I need support

By this time I had piled up 3 support requests for HP:

  1. How can I get new Instant Ink before my old Instant Ink runs out?
  2. How can my wife see information on our Instant Ink service?
  3. Plus there’s a third one regarding multiple HP accounts that I won’t get into here.

I decided to tackle the second support request first. So I found the support page, started a chat, and got a ticket number.

The first support chat

I was routed to a printer specialist, who informed me that they couldn’t help me and routed me to an Instant Ink specialist.

The Instant Ink person asked for the error code that appeared when I tried to “invite” my wife. I explained that I didn’t know because it disappeared so quickly.

So I tried to invite my wife again, pointing my smartphone camera at the laptop screen so that I could take a picture of the error code the…um…instant that it appeared.

I successfully took the picture, and there was no error code. Just a message saying that I couldn’t invite my wife because she already had an HP personal account. And to contact support.

The Instant Ink specialist instructed me to click on a link, then closed the support ticket.

I clicked on the link…and was asked to create a new support ticket.

The second support chat

I was routed to a printer specialist, who informed me that they couldn’t help me and routed me to an Instant Ink specialist.

(Yes, there’s a lot of repetition in this post.)

By this time I tried to boil my request down to a simple question: how can my wife see Instant Ink shipment status and request support on her own?

The Instant Ink specialist went quiet for a while, and finally—over an hour after I started the initial support chat—provided the solution to my problem.

Give my wife my HP login and password. And sure, she’ll have no problem contacting support, even though I’m the named user.

Suffice it to say that I was not pleased.

A systemic problem

But to be fair, none of the 4 support people I talked to could have solved my problem.

Because HP has made the underlying assumption that its Instant Ink service can only be managed by one person, not two.

And HP is not alone in this. There are multiple services that assume single person management. This affects married couples often, where one spouse is the named user for a service but knows nothing about it because spouse 2 handles it.

This results in a number of conversations like this:

SERVICE: John?

WIFE: No, this is his wife.

SERVICE: I need John’s authorization to continue.

WIFE: (carries phone to me in the Bredemarket world headquarters) Amazing and wonderful husband, could you authorize me to discuss our account?

(Some portions of this conversation may have been fictionalized.)

ME: Hello, this is John.

SERVICE: John, what is your date of birth?

This is not a technology issue, but an organizational issue. Except where laws (such as HIPAA) regulate this, an organization should allow multiple people to be assigned to a service or other NPE.

It would make my—I mean our lives easier.

Know Your Law Enforcement Officer (or ICE Agent)

People can use forged government identities to scare you, rob you, or kill you. How can you protect yourself from fake law enforcement officers, or fake ICE agents? And how can police agencies and ICE protect THEMSELVES from these fakes?

I’ve already shared the story of the person driving around Delaware with flashing lights. Nothing terrible happened in that encounter, but similar impersonation encounters have been more critical.

That was not ICE in Philadelphia

A little over a week ago, an auto repair shop in Philadelphia, Pennsylvania received a surprise visitor.

The visitor, wearing an American flag-adorned baseball cap and a tactical vest with the words “Security Enforcement Agent,” announced the single word “Immigration,” implying that he was from Immigration and Customs Enforcement (ICE).

Several employees fled the scene, but the cashier did not and was immediately zip-tied.

So what happened next?

The so-called ICE agent took $1,000 and was gone 30 seconds later.

That was not police in Minnesota

As I write this, details of an incident in Minnesota are unfolding.

Vance Boelter is alleged to have shot Minnesota State Senator John Hoffman and his wife Yvette at their home, then shot and killed State Representative Melissa Hortman and her husband.

In both cases Boelter presented himself as a police officer.

How do you know if it IS police?

In terms of an encounter from a local law enforcement agency, Colorado State University has provided some tips on verifying the identity of police. While the tips are specifically written for people driving in a car, they can be generalized for cases in which the police officer shows up at a residence or business.

“[C]all 911 from your cell phone. Tell the 911 dispatcher that you are concerned that someone…may not be a police officer.”

Of course a person in a car is generally safer than a person at the front door of a home or business, but in any case you can call 911 and ask for confirmation.

“Do not flee.”

This appears to be sound advice if the person is a real police officer. But if the employees hadn’t fled from the fake ICE officer in Philadelphia, perhaps they would have been robbed also.

“If the dispatcher cannot confirm that you are being [visited] by a police officer, stay on the line with the dispatcher, and ask for police assistance.”

Wise to get the real cops on the scene.

“Do not provide personal documents – driver’s license, insurance information or other documents – to someone who you suspect of being a police impersonator.”

No need to add identity fraud on top of everything else.

How do you know if it IS ICE?

Unfortunately, telling true ICE agents from fake ones is a little more difficult. Your local 911 dispatcher isn’t going to know if that’s a real ICE agent at your door.

5NBCDFW published some tips for those who receive an email, call, or visit from ICE. In regards to personal visits, the station offered this advice:

“ICE agents carry official badges and credentials. They may have identification cards with their name, photo and the department logo. You can ask them to show you their badge or ID.”

The American Civil Liberties Union reminds us that the ICE agent can show their identification (or a warrant signed by a judge) through a window or peephole before you open the door. And according to Motion Law:

“If they refuse to show their identification, you are under no obligation to open the door.”

This of course is not foolproof, since anyone can print a fake business card (perhaps on their own printer, avoiding a commercial business such as the UPS Store), create a fake ID, or create a fake badge.

At least Justin didn’t claim to be with ICE.

And how can you tell whether that ID is real? Remember that in the Leonardo Garcia Venegas episode, ICE agents themselves couldn’t identify an authentic REAL ID.

Challenges of identifying police officers or ICE agents

It’s a challenging identity problem. Especially since police officers may NOT be required to identify themselves. Uniformed officers are required to identify themselves in California (California Penal Code Section 830.10), but plainclothes officers obviously don’t wear badges, and California identification laws don’t apply in other states.

“Hey,” someone suggests. “Why not create a database of all the police officers and ICE agents so that they can immediately prove their authenticity?” Unfortunately, that runs into a huge privacy problem, because what happens when (not if) that database is hacked? Or if the data is intentionally leaked?

(And before you say “not my problem, those people need to be in a database,” what if it WAS your problem? In my case, what if all marketing/writing sole proprietors were required to be in a database managed by the Department of Commerce? You’d be worried if it affected YOU.)

The only way that this will change universally is when the police officers, ICE, and other agencies have to deal with impersonators. For example, if fake ICE agents cause problems for the real ones, then ICE itself will insist on positive identification of real ICE agents.

That’s Not Your Job

(Imagen 4)

If you are a jobseeker on LinkedIn, you have probably seen people claim to be recruiters from well-known companies, when in truth they are nothing of the kind.

Faking your employer has existed for a long time. Just ask the Delaware State Police, who for some reason aren’t keen on people who impersonate police officers.

“[A] 23-year-old man from Laurel, Delaware…reported that he had been driving eastbound on Nine Foot Road, east of Laurel Road, when a white Dodge Magnum with Arizona registration pulled behind him and activated flashing red and blue lights. As the victim began to pull over, the Dodge passed him and continued driving.”

Because Arizona police officers patrol Delaware all the time.

The 23-year-old was rightfully concerned, called 911, reported the incident, and described the vehicle. But that wasn’t the end of it.

“Shortly after, the driver of the Dodge pulled up next to the victim and verbally confronted him. The victim did not engage, and the suspect eventually fled the scene.”

After an investigation, the Delaware State Police arrested Blayden Rose of Selbyville, Delaware, for impersonating a police officer. 

The real Blayden Rose, courtesy the Delaware State Police. The police like to take pictures of special people.

Rose may or may not be a handyman, and his connection to Arizona is unknown. But at least in Delaware, flashing lights are generally prohibited on non-emergency vehicles.

Not sure if Rose can get off on a technicality (“I wasn’t claiming to be a cop, I was just doing a strobe show”), but it reminds us that we have to trust, but verify.

Is Your Organization (Not) Managing Your Identity Proofing Vendors?

Today I’m doing something different.

  • Normally these blog posts are addressed to Bredemarket’s PROSPECTS, the vendors who provide solutions that use biometrics or other technology. Such as identity proofing solutions.
  • But I’ve targeted this post for another audience, the organizations that BUY biometrics and technology solutions such as identity proofing solutions. Who knows? Perhaps they can use Bredemarket’s content-proposal-analysis services also. Later I will explain why you should use Bredemarket, and how you can use Bredemarket.

So if you are with an organization that SELLS identity proofing solutions, you can stop reading now. You don’t want to know what I am about to tell your prospects…or do you?

But if you BUY identity proofing, read on for some helpful expert advice from the biometric product marketing expert.

Managing an identity proofing solution

When you buy an identity proofing solution, you take on many responsibilities. While your vendor may be able to help, the ultimate responsibility remains with you.

Here are some questions you must answer:

  • What are your business goals for the project? Do you want to confirm 99.9% of all identities? Do you want to reduce fraudulent charges below $10 million? How will you measure this?
  • What are your technology goals for the project? What is your desired balance between false positives and false negatives? How will you measure this?
  • How will the project achieve legal compliance? What privacy requirements apply to your end users—even if they live outside your legal jurisdiction? Are you obtaining the required consents? Can you delete end user data upon request? Are you prepared if an Illinois lawyer sues you? Do you like prison food?
  • What about artificial intelligence? Your vendor probably uses some form of artificial intelligence. What form? What does this mean for you? Again, do you like prison food?

Again…are you ready?

GAO, IRS, and DOA

So how do other organizations manage identity proofing solutions? According to Biometric Update, not well.

“A new Government Accountability Office (GAO) audit found the Internal Revenue Service (IRS) has not exercised sufficient oversight of its digital identity-proofing program…”

As many of you know, the IRS’ identity proofing vendor is ID.me. The GAO didn’t find any fault with ID.me. And frankly, it couldn’t…because according to the GAO, the IRS’ management of ID.me was found to be deficient.

“IRS was unable to show it had measurable goals and objectives for the program. IRS receives performance data from the vendor but did not show it independently identified outcomes it is seeking. IRS also has not shown documented procedures to routinely evaluate credential service providers’ performance. Without stronger performance reviews, IRS is hindered in its ability to take corrective actions as needed.

“ID.me acknowledges that its identity-proofing process involves the use of artificial intelligence (AI) technologies. However, IRS has not documented these uses in its AI inventory or taken steps to comply with its own AI oversight policies. Doing so would provide greater assurance that taxpayers’ rights are protected and that the technologies are accurate, reliable, effective, and transparent.”

So while ID.me meets the IRS’ key requirement of Identity Assurance Level 2 (IAL 2) compliance, is it performing well? The IRS needs to define what “performing well” means.

You would think the IRS had a process for this…but apparently it doesn’t.

Dead on arrival (DOA).

But I’m not the IRS!

I’ll grant that you’re not the IRS. But is your identity proofing program management better…or worse?

Do you know what questions to ask?

Let Bredemarket ask you some questions. Perhaps these can help you create relevant external and internal content (I’ve created over 22 types of content), manage an RFP proposal process, or analyze your industry, company, or competitors.

Let’s set up a free 30-minute consultation to assess your needs.

In the Distance

Part of Ubiquity Via Focus is knowing whom to EXCLUDE from your focus.

If my former friends’ focus is elsewhere, my focus won’t impede on theirs.

In the distance.

If you are focused on identity/biometric and technology product marketing, here is What I Do: https://bredemarket.com/what-i-do/

If their focus is elsewhere, my focus won’t impede.