Tag Archives: privacy

The Most Shocking News of the Week: A Free ISO Standard!

I have observed that we are living in a time of uncertainty, in which surprises happen every day.

This week has been no exception. As I type this, Donald Trump and Elon Musk are feuding, with accusations of pedophilia leveled against Trump, threats to yank the government contracts of Musk, and who knows what all. Just a typical week in Washington.

But that’s nothing compared to the shocking news I learned Friday morning.

Sit down and don’t bother to bring out your CHF wallet

Biometric Update just published an article that discusses a particular International Organization for Standardization (with the zeds) standard, ISO/IEC-TEC TS 27560:2023, Privacy technologies — Consent record information structure.

  • It’s not shocking that ISO has published a standard. It does this all the time.
  • It’s also not shocking that ISO published a standard on consent. Consent is required by many privacy regulations, and therefore a standard information structure for consent requests is beneficial throughout the European Union, California, Illinois, and elsewhere.

“This document builds upon ISO/IEC 29184 by addressing the concept of giving the PII principal a record for their own recordkeeping, which includes information about the PII processing agreement and interaction. We call this record the “consent receipt”.

“This document specifies a structure that is used by both principals in consent management: namely a specification for data to be held by the organization to allow record-keeping with good integrity (subject to the defined controls), and an artefact (the “consent receipt”) that is given to the individual whose PII is being processed.”

  • No, none of this is the shocking part. I’ll let Chris Burt reveal the surprise, but please sit down before you read this. Emphasis mine.

“The International Standards Organization has published a standard for obtaining and recording consent, as is necessary to legally use people’s biometric data in a number of jurisdictions, and is making it available for free.”

Yes, you read that correctly. FREE. As in ZERO CHF.

ISO doesn’t normally give standards away, but there’s an exception for this one.

As a result, I have “purchased” this ISO standard—the first one that Bredemarket has ever owned.

But I can’t share it with you. Get your own.

Razor and Blades as a Service: HP Instant Ink

You know the razor and blades business model, where you can buy the razor very cheaply, and then you spend a lot of money over the years buying the blades.

Of course, this business model also applies to other complementary products, such as game consoles and video games, and printers and ink.

Ink as a Service

And companies can extend the business model. Rather than buying individual razor blades, video games, and ink cartridges, you can obtain the complementary products “as a Service.”

For example, HP Instant Ink:

“HP Instant Ink is the hassle-free, money-saving ink subscription service that automatically delivers ink only when you’re running low. Plans start at $1.79 a month.”

Of course that price assumes you only print 10 pages a month, but whatever.

I won’t dwell on the specifics on the plan (charging by the page rather than the ink used, reducing your privacy by letting HP and whoever else know when you print 900 pages, etc.). 

Vendor benefits from as a Service

But I will note that HP instant Ink has the same vendor advantage as any other “as a Service” offering:

Increased customer lock-in.

I will speak from my own experience. 

  • When my company sold on-premise solutions to government agencies, they paid from their capital budget and the contract was for a fixed term. After 5 or 7 years or whatever when the contract term expired, the agency’s hardware would be antiquated and it would have to go out to bid again.
  • Later, when my company sold cloud solutions, there was more budgetary flexibility. Some agencies didn’t have to use capital funds; this was a service, after all. And if the vendor was really fortunate, there was no contract term limit either, so the agency could stay with the vendor forever. Obsolescence wasn’t an issue because Amazon or Microsoft took care of that behind the scenes.

HP Instant Ink isn’t a perfect parallel, since it doesn’t include obsolete printer replacement. (But it could.) But the Ink as a Service (IaaS) offering certainly helps lock you in to HP…and to using HP ink rather than third-party ink.

And it’s yet another move from people owning things to people licensing things.

But if it provides a benefit (HP Instant Ink claims “up to” 50% cost savings), then it may be worthwhile.

(Imagen 3)

What is Protected Health Information?

Many laws and regulations impact health information—not just the Health Information Portability and Accountability Act (HIPAA).

But what IS Protected Health Information?

Kirk Nahra and Daniel Solove shared this example in a webinar:

Is “I drink Diet Coke” health information?

  • Maybe it’s not health information at all.
  • Maybe it indicates healthy practices (no sugar).
  • Maybe it indicates unhealthy practices (artificial sweetener use).

The answer isn’t simple.

Comply with Privacy Requirements (4/7)

This is the fourth of seven vendor suggestions I made in my Biometric Update guest post.

“Comply with all privacy laws and regulations. This should be a given, but sometimes vendors are lax in this area. If your firm violates the law, and you are caught, you will literally pay the price.”

Ask companies doing business in the GDPR region, Illinois, Texas, and elsewhere how hefty those fines could be. Meta alone has received billions of dollars of fines in Ireland (EU) and over a billion dollars in Texas.

(Imagen 3)

Driver’s License Data and Third Party Risk Management

It gets real tomorrow, with the enforcement date (sort of) for REAL ID at federal installations and airports. But what about the privacy of the data behind REAL IDs?

Bela Kumar of Jumio Corporation was recently interviewed by CNBC for an article about REAL ID and the data sharing behind it.

As can be expected, some people are very concerned about what this means.

“[C]oncerns persist among privacy professionals that the next step will be a federal database of driver’s license information, which is bad from a privacy and cybersecurity standpoint, said Jay Stanley, a senior policy analyst with the American Civil Liberties Union.

“‘The more information the government has, the more the government might use that information,’ said Jodi Daniels, founder and chief executive of Red Clover Advisors, a privacy consulting company. ‘But that’s not what’s happening now,’ she added.”

Kumar addressed what IS happening now, and whether our personally identifiable information (PII) is protected.

“States have been issuing driver’s licenses for many years, and personal information is already being stored. The expectation is that the same controls apply to Real ID, said Bala Kumar, chief product and technology officer at Jumio, an online mobile payment and identity verification company. ‘States have already been managing this for many years,’ Kumar said.”

If you continue to read the article, you’ll also see a statement from the American Association of Motor Vehicle Administrators that echoes what Jumio said.

But as a former IDEMIA employee, my curiosity was piqued.

Has anyone ever gained unauthorized access to a state driver’s license database?

So I checked, and could not find an example of unauthorized access to a state driver’s license database.

But I DID find an example of unauthorized access to driver’s license DATA that was processed by a third party. The State of Louisiana issued a notice that included the following:

“On May 31, 2023, Progress Software Corporation, which developed and supports the MOVEIt managed file transfer platform, notified all customers across the globe, including [Louisiana Office of Motor Vehicles], of a zero-day vulnerability that an unauthorized party leveraged to access and acquire data without authorization. Upon learning of the incident, immediate measures were taken to secure the MOVEIt environment utilized to transfer files. A thorough investigation was conducted, and it was determined that there was unauthorized acquisition of and access to OMV files in the MOVEIt environment….

“The information varied by individual but included name and one or more of the following: address, date of birth, Social Security number, driver’s license, learner’s permit, or identification card number, height, eye color, vehicle registration information, and handicap placard information.”

Well, at least the hacked data didn’t include weight. Or claimed weight.

Cybersecurity professionals know that you cannot completely prevent these hacks. Which explains the “risk” in third party risk management. Progress Software has been around for a long time; I worked with Progress Software BEFORE I began my biometric career. But these hacks (in this case, CVE-2023-34362 as documented by CISA) can happen to anyone.

Be cautious, and remember that others with good intentions might not be cautious enough.

TSA Photo Requests: “The Current U.S. Government” Can Already Obtain Your Facial Image

There have been many recent stories about Transportation Security Administration (TSA) capture of the facial images of travelers, an outgrowth of the same post-9/11 concerns that resulted in REAL IDs in 2008…I mean 2025. (Maybe.)

One story from HuffPost clearly states its view on the matter. The title of the story? “Why You Can (And Should) Opt Out Of TSA Facial Recognition Right Now.”

I guess we know where HuffPost stands.

As to the “why” of its stance, here’s a succinct statement:

“Do you really want to be submitting a face scan to the current U.S. government?”

And perhaps there are good reasons to distrust the Trump Administration, or any administration. 

After all, the TSA says it only retains the picture for a limited time: “Photos are not stored or saved after a positive ID match has been made, except in a limited testing environment for evaluation of the effectiveness of the technology,”

But maybe…something happens. Someone accidentally forgot to delete the files. Oops.

And if something happens, the federal government has just captured an image of your face!

Guess what? The federal government can probably already get an image of your face, even if you don’t allow TSA to take your photo.

After all, you had to show some sort of identification when you arrived at that TSA checkpoint. Maybe you showed a passport, with a picture that the U.S. State Department received at one point. No, they don’t retain them either. But maybe…something happens.

But who does retain an image of your face?

Your state driver’s license agency. And as of 2019:

“Twenty-one states currently allow federal agencies such as the FBI to run searches of driver’s license and identification photo databases.”

So if a federal agency wants your facial image, it can probably obtain it even if you decline the TSA photo request.

Unless you strictly follow Amish practices. But in that case you probably wouldn’t be going through a TSA checkpoint anyway.

But if you are with a facial recognition company, and you want your prospects and their prospects to understand how your solution protects their privacy…

Bredemarket can help:

  • compelling content creation
  • winning proposal development
  • actionable analysis

Book a call: https://bredemarket.com/cpa/ 

(Security checkpoint picture generated by Imagen 3)

Is Milwaukee Selling PII for Free Facial Recognition Software Access?

(Part of the biometric product marketing expert series)

Perhaps facial recognition product marketers have heard of stories like this. Or perhaps they haven’t.

Tight budgets. Demands that government agencies save money. Is this the solution?

“Milwaukee police are mulling a trade: 2.5 million mugshots for free use of facial recognition technology.

“Officials from the Milwaukee Police Department say swapping the photos with the software firm Biometrica will lead to quicker arrests and solving of crimes.”

Read the article at https://www.jsonline.com/story/news/crime/2025/04/25/milwaukee-police-considering-trading-mugshots-for-facial-recognition-tech/83084223007/

As expected, activists raised all sorts of other concerns about facial recognition in general. But there’s an outstanding question:

What will Biometrica do with the 2.5 million images?

  • Use them for algorithmic training? 
  • Allow other agencies to search them?
  • Something else?
  • And what happens to the images if another company acquires Biometrica and/or its data? (See 23andMe.)

Biometrica didn’t respond to a request for comment.

And other facial recognition vendors operate differently.

How does your company treat customer data?

And how do you tell your story?

Do you have the resources to market your product, or are your resources already stretched thin?

If you need help with your facial recognition product marketing, Bredemarket has an opening for a facial recognition client. I can offer

  • compelling content creation
  • winning proposal development
  • actionable analysis

If Bredemarket can help your stretched staff, book a free meeting with me: https://bredemarket.com/cpa/

(Wheelbarrows from Imagen 3)

You’re Not Lost in the Supermarket. The Supermarket Knows Exactly Who and Where You Are.

I’m all lost in the supermarket
I can no longer shop happily

Facial recognition laws and regulations vary from jurisdiction to jurisdiction, and as organizations apply facial recognition, they can’t just assume that facial recognition laws are the same as other privacy laws.

Caution urged as UK supermarkets check out facial recognition

This is the point that UK professor Fraser Sampson makes in a Biometric Update article. Among other things, Sampson (former UK Biometrics & Surveillance Camera Commissioner) notes the following:

This is not just any data processing, this is biometric processing. Major retailers have deep and wide experience handling customer data at macro level, but biometrics are elementally different. Using a biometric recognition system in the UK means they are processing ‘special category data’ and biometric data differs even from other types of special categories. This brings a number of significant risks, obligations and restrictions, some technological, some legal, some societal. The opportunities for missteps are many and the consequences profound. An early decision for the supermarket would be whether they want to be the controller, joint controller or processor; an early mistake would be to think it doesn’t matter.

Data controllers and data processors

For those who don’t inhabit the world of GDPR, the UK GDPR, and other privacy laws, here is Data Grail’s definition of a data controller:

A data controller is a service provider or organization determining the purposes and means of processing personal data. In simpler terms, a data controller decides why and how personal data collection, storage, and use occurs. They have the ultimate responsibility of ensuring data processing activities comply with applicable privacy laws and regulations. Data controllers bear the legal obligations associated with data protection, including providing transparency, obtaining consent, and safeguarding the personal data of data subjects.

Contrast that with a data processor:

Data processors are entities or organizations that process personal data on behalf of data controllers. They act under the authority and instruction of data controllers and handle personal data for the specified purposes defined by the data controller. Data processors are contractually bound to ensure data security and confidentiality. They don’t have the same decision-making power as data controllers and must adhere to the instructions provided by the data controller.

If you’re a supermarket in the United Kingdom, and you’re collecting facial biometric (and other) data, do you want to be a data controller or a data processor? And how will you manage the privacy aspects of your data collection?

Enter the facial recognition vendor

And if you’re a vendor of facial recognition software selling to UK supermarkets, how will you advise them?

And…you should have known this was coming…how will you provide content for your prospects and customers that educates them on the nuances of facial recognition privacy regulations?

If you need help with your facial recognition product marketing, Bredemarket has an opening for a facial recognition client. I can offer

  • compelling content creation
  • winning proposal development
  • actionable analysis

If Bredemarket can help your stretched staff, book a free meeting with me: https://bredemarket.com/cpa/

Bredemarket has an opening for a facial recognition client.

(All images from Imagen 3)

Facial Recognition Marketing Leaders, Riding on the Metro

I just read a story about a young man who went to the Metro, was identified by a facial recognition system, and was snatched up by authorities.

Who wanted him to fight in Ukraine.

Now some of you are puzzled and wondering why Trump wants to send U.S. troops to fight in Ukraine. That…um…doesn’t sound like him.

I forgot to clarify something. This wasn’t the Washington DC Metro. This was the MOSCOW Metro.

“Timofey Vaskin, a lawyer with the nonprofit human rights project Shkola Prizyvnika, told independent Russian TV channel Dozhd that the illegal detention of those potentially liable for conscription had become a massive problem this year, with young males most at risk of being snatched while using the Moscow metro, which has an advanced facial recognition system in place and police officers on duty at every station.”

For the record, use of facial recognition for this purpose is legal in Russia. In the same way that use of facial recognition for national security purposes is legal in the U.S.A. Because when national security is at stake—or when government agencies say national security is at stake—most notions of INFORMED consent go out the window.

Know your use cases…or get someone who does

Facial recognition isn’t only used for national security, or for after-the-fact analysis of a crime such as the Boston Marathon bombings. It’s also used for less lethal purposes, such as familiar face detection on doorbell cameras…except in Illinois.

If you are marketing a facial recognition product, you need to understand all the different use cases for facial recognition, and understand which use cases your product marketing should address, and which it should not.

And if you need help with your facial recognition product marketing, Bredemarket has an opening for a facial recognition client. I can offer

  • compelling content creation
  • winning proposal development
  • actionable analysis

If Bredemarket can help your stretched staff, book a free meeting with me: https://bredemarket.com/cpa/

Imagen 3. Bredemarket has client openings.

The One PII/PHI Data Point No One is Discussing

In a February 2024 discussion of the differences and similarities between personally identifiable information (PII) and protected health information (PHI), I published an exhaustive list of types of PII, some of which are also PHI.

  • Social Security Number. 
  • Passport number.
  • Driver’s license number.
  • Taxpayer identification number.
  • Patient identification number.
  • Financial account number.
  • Credit card number.
  • Personal address.
  • Personal telephone number.
  • Photographic image of a face.
  • X-rays.
  • Fingerprints.
  • Retina scan.
  • Voice signature.
  • Facial geometry.
  • Date of birth.
  • Place of birth.
  • Race.
  • Religion.
  • Geographical indicators.
  • Employment information.
  • Medical information.
  • Education information.
  • Financial information.

Looks complete to you, doesn’t it? Well, it isn’t. To, um, identify the missing bit of information that is both PII and PHI, take a look at this LinkedIn post from Jack Appleby. (Thanks to packaging expert Mark Wilson for bringing this post to my attention.)

“A dream brand just sent me a gift package & invite… but they broke the two most important rules of influencer gifting…

“The package was a ridiculously cool collab hoodie + an invite to an event I’ve wanted to go to since I was just a little kid… but the hoodie is a medium… and I’m an XL… and my name was spelled wrong on the invitation.”

And no, I’m not talking about Jack Appleby’s name.

I’M TALKING ABOUT HIS HOODIE SIZE.

And yes, hoodie size in combination with other information is both PII (personally identifiable information) and PHI (protected health information). If your hoodie size is XXL, but your height is only 5’1”…that has some health implications.

Yet at the same time it’s also vital business information. It’s collected from prospects and new employees at trade shows and during employee onboarding. And as Appleby’s example shows, there are potentially severe consequences if you get it wrong.

But does your favorite compliance framework include specific and explicit clauses addressing hoodie size? I bet it doesn’t. And that could be a huge privacy hole.

(The hoodie in my selfie is from my 2022-2023 employer. And yes I still wear it. But I got rid of my IDEMIA, MorphoTrak, Motorola, and Printrak attire.)