You’re Not Lost in the Supermarket. The Supermarket Knows Exactly Who and Where You Are.

I’m all lost in the supermarket
I can no longer shop happily

Facial recognition laws and regulations vary from jurisdiction to jurisdiction, and as organizations apply facial recognition, they can’t just assume that facial recognition laws are the same as other privacy laws.

Caution urged as UK supermarkets check out facial recognition

This is the point that UK professor Fraser Sampson makes in a Biometric Update article. Among other things, Sampson (former UK Biometrics & Surveillance Camera Commissioner) notes the following:

This is not just any data processing, this is biometric processing. Major retailers have deep and wide experience handling customer data at macro level, but biometrics are elementally different. Using a biometric recognition system in the UK means they are processing ‘special category data’ and biometric data differs even from other types of special categories. This brings a number of significant risks, obligations and restrictions, some technological, some legal, some societal. The opportunities for missteps are many and the consequences profound. An early decision for the supermarket would be whether they want to be the controller, joint controller or processor; an early mistake would be to think it doesn’t matter.

Data controllers and data processors

For those who don’t inhabit the world of GDPR, the UK GDPR, and other privacy laws, here is Data Grail’s definition of a data controller:

A data controller is a service provider or organization determining the purposes and means of processing personal data. In simpler terms, a data controller decides why and how personal data collection, storage, and use occurs. They have the ultimate responsibility of ensuring data processing activities comply with applicable privacy laws and regulations. Data controllers bear the legal obligations associated with data protection, including providing transparency, obtaining consent, and safeguarding the personal data of data subjects.

Contrast that with a data processor:

Data processors are entities or organizations that process personal data on behalf of data controllers. They act under the authority and instruction of data controllers and handle personal data for the specified purposes defined by the data controller. Data processors are contractually bound to ensure data security and confidentiality. They don’t have the same decision-making power as data controllers and must adhere to the instructions provided by the data controller.

If you’re a supermarket in the United Kingdom, and you’re collecting facial biometric (and other) data, do you want to be a data controller or a data processor? And how will you manage the privacy aspects of your data collection?

Enter the facial recognition vendor

And if you’re a vendor of facial recognition software selling to UK supermarkets, how will you advise them?

And…you should have known this was coming…how will you provide content for your prospects and customers that educates them on the nuances of facial recognition privacy regulations?

If you need help with your facial recognition product marketing, Bredemarket has an opening for a facial recognition client. I can offer:

  • compelling content creation
  • winning proposal development
  • actionable analysis

If Bredemarket can help your stretched staff, book a free meeting with me: https://bredemarket.com/cpa/

Bredemarket has an opening for a facial recognition client.

(All images from Imagen 3)

Facial Recognition Marketing Leaders, Riding on the Metro

I just read a story about a young man who went to the Metro, was identified by a facial recognition system, and was snatched up by authorities.

Who wanted him to fight in Ukraine.

Now some of you are puzzled and wondering why Trump wants to send U.S. troops to fight in Ukraine. That…um…doesn’t sound like him.

I forgot to clarify something. This wasn’t the Washington DC Metro. This was the MOSCOW Metro.

“Timofey Vaskin, a lawyer with the nonprofit human rights project Shkola Prizyvnika, told independent Russian TV channel Dozhd that the illegal detention of those potentially liable for conscription had become a massive problem this year, with young males most at risk of being snatched while using the Moscow metro, which has an advanced facial recognition system in place and police officers on duty at every station.”

For the record, use of facial recognition for this purpose is legal in Russia. In the same way that use of facial recognition for national security purposes is legal in the U.S.A. Because when national security is at stake—or when government agencies say national security is at stake—most notions of INFORMED consent go out the window.

Know your use cases…or get someone who does

Facial recognition isn’t only used for national security, or for after-the-fact analysis of a crime such as the Boston Marathon bombings. It’s also used for less lethal purposes, such as familiar face detection on doorbell cameras…except in Illinois.

If you are marketing a facial recognition product, you need to understand all the different use cases for facial recognition, and understand which use cases your product marketing should address, and which it should not.

And if you need help with your facial recognition product marketing, Bredemarket has an opening for a facial recognition client. I can offer:

  • compelling content creation
  • winning proposal development
  • actionable analysis

If Bredemarket can help your stretched staff, book a free meeting with me: https://bredemarket.com/cpa/

Imagen 3. Bredemarket has client openings.

The One PII/PHI Data Point No One is Discussing

In a February 2024 discussion of the differences and similarities between personally identifiable information (PII) and protected health information (PHI), I published an exhaustive list of types of PII, some of which are also PHI.

  • Social Security Number.
  • Passport number.
  • Driver’s license number.
  • Taxpayer identification number.
  • Patient identification number.
  • Financial account number.
  • Credit card number.
  • Personal address.
  • Personal telephone number.
  • Photographic image of a face.
  • X-rays.
  • Fingerprints.
  • Retina scan.
  • Voice signature.
  • Facial geometry.
  • Date of birth.
  • Place of birth.
  • Race.
  • Religion.
  • Geographical indicators.
  • Employment information.
  • Medical information.
  • Education information.
  • Financial information.

Looks complete to you, doesn’t it? Well, it isn’t. To, um, identify the missing bit of information that is both PII and PHI, take a look at this LinkedIn post from Jack Appleby. (Thanks to packaging expert Mark Wilson for bringing this post to my attention.)

“A dream brand just sent me a gift package & invite… but they broke the two most important rules of influencer gifting…

“The package was a ridiculously cool collab hoodie + an invite to an event I’ve wanted to go to since I was just a little kid… but the hoodie is a medium… and I’m an XL… and my name was spelled wrong on the invitation.”

And no, I’m not talking about Jack Appleby’s name.

I’M TALKING ABOUT HIS HOODIE SIZE.

And yes, hoodie size in combination with other information is both PII (personally identifiable information) and PHI (protected health information). If your hoodie size is XXL, but your height is only 5’1”…that has some health implications.

Yet at the same time it’s also vital business information. It’s collected from prospects and new employees at trade shows and during employee onboarding. And as Appleby’s example shows, there are potentially severe consequences if you get it wrong.

But does your favorite compliance framework include specific and explicit clauses addressing hoodie size? I bet it doesn’t. And that could be a huge privacy hole.

(The hoodie in my selfie is from my 2022-2023 employer. And yes I still wear it. But I got rid of my IDEMIA, MorphoTrak, Motorola, and Printrak attire.)

Why Do CPAs (the real ones) Manage SOC 2 Audits?

I’ve been around a ton of compliance frameworks during and after the years I worked at Motorola.

  • The Capability Maturity Model (CMM), from the days before CMMI came into being.
  • The entire ISO 9000 family.
  • The General Data Protection Regulation (GDPR).
  • The California Consumer Privacy Act (CCPA) and the related California Privacy Rights Act (CPRA).
  • The Health Insurance Portability and Accountability Act (HIPAA).
  • The NIST Cybersecurity Framework (CSF).
  • I’d personally throw the FBI CJIS Security Requirements onto this list.

SOC it to me

There is one compliance framework that is a little different from CMM, ISO, GDPR, and all the others: the System and Organization Controls (SOC) suite of services.

The most widely known member of the suite is SOC 2® – SOC for Service Organizations: Trust Services Criteria. But you also have SOC 1, SOC 3, SOC for Cybersecurity, SOC for Supply Chain, SOC for Steak…whoops, I made that one up because I’m hungry as I write this. But the others are real.

Who runs the SOC suite

But the difference about the SOC suite is that it’s not governed by engineers or scientists or academics.

It’s governed by CPAs.

And for once I’m not talking about content-proposal-analysis experts.

I’m talking about the AICPA, or the Association of International Certified Professional Accountants.

Which begs the question: why are a bunch of bean counters defining compliance frameworks for cybersecurity?

Why CPAs run the SOC suite

Ask Schneider Downs. As an accounting firm, they may have an obvious bias regarding this question. But their answers are convincing.

  • “CPAs are subject matter experts in risk management.” You see, my reference above to “bean counters” was derogatory and simplistic. Accountants need to understand financial data and the underlying risks, including vulnerabilities in cash flow, debt, and revenue. For example, if you’ve ever talked to a CxO, you know that revenue is never guaranteed.
  • “It was a natural progression to go from auditing against financial risk to auditing against cybersecurity risk.” Now this may seem odd on the surface, because you wouldn’t think mad Excel skills will help you detect deepfakes. But ignore the tools for a moment and look at a higher level. Because of their risk management expertise, they can apply that knowledge to other types of risk, including non-financial ones. As Schneider Downs goes on to say…
  • “CPAs understand internal control concepts and the appropriate evidence required to support the operating effectiveness of controls.” You need financial controls at your company. You aren’t going to let the summer intern sign multi-million dollar checks. In the same way you need to identify and evaluate the internal controls related to the Trust Services Criteria (TSC) associated with SOC 2: security, availability, processing integrity, confidentiality, and privacy.

So that’s why the accountants are running your SOC 2 audit.

And don’t try to cheat when you pay them for the audit.

And one more thing

A few of you may have detected that the phrase “SOC it to me” is derived from a popular catchphrase from the old TV show Rowan & Martin’s Laugh-In.

A phrase that EVERYBODY said.

(Wildebeest accountants from Imagen 3)

You’re Fired, This Week’s Version

This week, well-known privacy advocate Alvaro Bedoya is not happy.

““The president just illegally fired me. This is corruption plain and simple,” Bedoya, who was appointed [to the Federal Trade Commission] in 2021 by President Joe Biden and confirmed in May 2022, posted on X.

“He added, “The FTC is an independent agency founded 111 years ago to fight fraudsters and monopolists” but now “the president wants the FTC to be a lapdog for his golfing buddies.””

The other ousted FTC Commissioner, Rebecca Kelly Slaughter, had been appointed by…Donald Trump.

A Legal Leg to Stand On: The New Triad of AI Governance

In business, it is best to use a three-legged stool.

  • A two-legged stool obviously tips over, and you fall to the ground.
  • A four-legged stool is too robust for these cost-conscious days, where the jettisoning of employees is policy at both the private and public level.

But a three-legged stool is just right, as project managers already know when they strive to balance time, cost, and quality.

Perhaps the three-legged stool was in the back of Yunique Demann’s mind when she wrote a piece for the Information Systems Audit and Control Association (ISACA) entitled “The New Triad of AI Governance: Privacy, Cybersecurity, and Legal.” If you only rely on privacy and cybersecurity, you will fall to the ground like someone precariously balanced on a two-legged stool.

“As AI regulations evolve globally, legal expertise has become a strategic necessity in AI governance. The role of legal professionals now extends beyond compliance into one that is involved in shaping AI strategy and legally addressing ethical considerations…”

Read more of Demann’s thoughts here.

(Stool image public domain)

Privacy by John Maus

(AI wildebeest and iguana images from Imagen 3)

Discovered a song about privacy (by John Maus) and had to create a reel that used the song. Note the mDL privacy-preserving features toward the end of the reel.

“Dead bolts and windowed bars

Lowered drapes and screened calls

Headphones on tightly”

https://www.instagram.com/share/_ejtehYyr

Privacy.

Keith’s “Why”

One of the best “why” stories I’ve seen in some time was written by Keith Puckett of Ubiety Technologies.

He had purchased a feature-rich home security system and received an alarm while he was traveling. That’s all—an alarm, with no context.

“The security company then asked me, ‘Should we dispatch the police?’ At that moment, the reality hit: I was expected to make a decision that could impact my family’s safety, and I had no information to base that decision on. It was a gut-wrenching experience. The very reason I invested in security—peace of mind—had failed me.”

From Ubiety Technologies, “What is Your Why?”

https://ubiety.io/what-is-your-why

Puckett then started his company so others wouldn’t face the same emotions of fear and helplessness that he faced.

Why ask why?

Why is a “why” story so powerful?

Because a story like this grabs a prospect’s attention a million times better than some boring technical feature list with optimum camera angles.

Make it personal. Many prospects have their own challenges that you can solve.

Make sure you have the answers to their questions. That’s why Bredemarket asks questions before creating content…so your prospects don’t have to.

After all, “why ask why?” is more than an old beer commercial slogan.

And one more thing

For those like me who noted Ubiety Technologies’ Illinois location—you know, BIPAland—here is the company approach to privacy.

On Animal Health Privacy

(All images Imagen 3)

I’ve discussed identity and privacy regarding people.

I’ve discussed identity and privacy regarding non-person entities.

But I missed something in between.

Earlier this week I was discussing a particular veterinary software use case with an undisclosed person when I found myself asking how the data processing aspects of the use case complied with HIPAA, the U.S. Health Insurance Portability and Accountability Act.

Then I caught myself, realizing that HIPAA (previously discussed here) does not apply to dogs, cats, cows, or other animals. They are considered property, and we all know how U.S. laws have treated property in the past.

So you can violate an animal’s privacy all you want and not run afoul of HIPAA.

But you could run afoul of some other law. As Barb Rand noted back in 2013, 35 states (at the time) had “statutes that address the confidentiality of veterinary patient records.”

And when animal records are commingled with human records—for example, for emotional support animals—protected health information rules do kick in.

Unless the animal is intelligent enough to manage their own prescriptions without human assistance.

NEC’s Other “Biometric” Information: Digital Pathology

(Image: AI-predicted cell detection results of Biomy’s DeepPathFinder™. From the January 10, 2025 NEC press release.)

When I interact with the worldwide company NEC, I am usually dealing with automated biometric identification systems (ABIS).

Of course, ABIS is only a small part of what NEC does. It’s also involved in healthcare.

Consider…artificial intelligence and deep learning-powered digital pathology (“a field involving the digitization and computational analysis of pathology slides”).

Per today’s press release:

“NEC Corporation (NEC; TSE: 6701) and Biomy, Inc. (Biomy) have signed a Memorandum of Understanding (MoU) for a joint marketing partnership to develop and expand artificial intelligence/deep learning (AI/DL)-based analytical platforms in the field of digital pathology. Through this partnership, the two companies aim to promote precision medicine for cancer patients and contribute to the advancement of the healthcare industry.”

So what is Biomy contributing?

“Biomy, which aims to realize personalized medicine through pathological AI technology, has developed DeepPathFinder™, a proprietary, cloud-based, AI/DL automated digital pathology analytical platform.”

And NEC?

“NEC has positioned healthcare and life sciences as a core pillar of its growth strategy. With a strong foundation in image analysis and other AI technologies, NEC has a long history of providing medical information systems such as electronic medical records to healthcare institutions.”

As I’ve said before, healthcare must deal with privacy concerns (protected health information, or PHI) similar to those NEC addresses in its other biometric product line (personally identifiable information, or PII). I personally can’t do nefarious things if I fraudulently acquire your digital pathology slide, but some bad actors could. Presumably the Biomy product is well protected.