Revisiting Amazon Rekognition, May 2025

(Part of the biometric product marketing expert series)

A recent story about Meta face licensing changes caused me to get reflective.

“This openness to facial recognition could signal a turning point that could affect the biometric industry. 

“The so-called “big” biometric players such as IDEMIA, NEC, and Thales are teeny tiny compared to companies like Meta, Alphabet, and Amazon. If the big tech players ever consented to enter the law enforcement and surveillance market in a big way, they could put IDEMIA, NEC, and Thales out of business. 

“However, wholesale entry into law enforcement/surveillance could damage their consumer business, so the big tech companies have intentionally refused to get involved – or if they have gotten involved, they have kept their involvement a deep dark secret.”

Then I thought about the “Really Big Bunch” product that offered the greatest threat to the “Big 3” (IDEMIA, NEC, and Thales)—Amazon Rekognition, which directly competed in Washington County, Oregon until Amazon imposed a one-year moratorium on police use of facial recognition in June 2020. The moratorium was subsequently extended until further notice.

I last looked at Rekognition in June 2024, when Amazon teamed up with HID Global and may have teamed up with the FBI.

So what’s going on now?

Hard to say. I have been unable to find any newly announced Amazon Rekognition law enforcement customers.

That doesn’t mean that nothing is happening. Perhaps the government buyers are keeping their mouths shut.

Plus, there is this page, “Use cases that involve public safety.”

Nothing controversial on the page itself:

  • “Have appropriately trained humans review all decisions to take action that might impact a person’s civil liberties or equivalent human rights.”
  • “Train personnel on responsible use of facial recognition systems.”
  • “Provide public disclosures of your use of facial recognition systems.”
  • “In all cases, facial comparison matches should be viewed in the context of other compelling evidence, and shouldn’t be used as the sole determinant for taking action.” (In other words, INVESTIGATIVE LEAD only.)

Nothing controversial at all, and I am…um…99% certain (geddit?) that IDEMIA, NEC, and Thales would endorse all these points.

But why does Amazon even need such a page, if Rekognition is only used to find missing children?

Maybe this is a pre-June 2020 page that Amazon forgot to take down.

Or maybe not.

Couple this with the news about Meta, and there’s the possibility that the Really Big Bunch may enter the markets currently dominated by the Big Three.

Imagine if the DHS HART system, delayed for years, were resurrected…with Alphabet or Amazon or Meta technology.

We are still in the time of uncertainty…and may never go back.

(Large and small wildebeests via Imagen 3)

Proposals and “Weasel Words”

Have you ever used the phrase “weasel word”? Here’s how Merriam-Webster defines it:

“a word used in order to evade or retreat from a direct or forthright statement or position”

I don’t know how weasels became the subject of a negative phrase like this, but here we are.

I learned the phrase “weasel word” when I started working in proposals. I’ve been writing proposals for nearly 15 years, and I’ve run into many cases where I don’t comply with the written word of a mandatory requirement, and I end up having to…evade or retreat.

I’ve adopted my share of favorite weasel words over the years. I’m not going to give away any of my secrets in this public forum, but you’ve probably heard me rant about the government weasel wording regarding REAL ID “enforcement”:

“This rule ensures that Federal agencies have appropriate flexibility to implement the card-based enforcement provisions of the REAL ID regulations after the May 7, 2025, enforcement deadline by explicitly permitting agencies to implement these provisions in phases….The rule also requires agencies to coordinate their plans with DHS, make the plans publicly available, and achieve full enforcement by May 5, 2027.”

As I have ranted repeatedly, the REAL ID enforcement DEADLINE is May 7, 2025, but FULL enforcement will be achieved by May 5, 2027. There are enough weasel words to distract from the fact that full enforcement is not taking place on May 7, 2025.

“Flexibility,” “implement in phases”…I’m taking notes. The next time I respond to a DHS RFI, I may use some of these.

Because Bredemarket does respond to Requests for Information, Requests for Proposal, and similar documents. One of Bredemarket’s clients recently received an award, with possible lucrative add-on work in the future.

Does your identity/biometric or technology conpany want the government to give you money? I can help. Talk to me: https://bredemarket.com/cpa/

Bredemarket’s “CPA.” The P stands for Proposal.

(Weasel picture Keven Law • CC BY-SA 2.0; https://commons.wikimedia.org/wiki/File:Mustela_nivalis_-British_Wildlife_Centre-4.jpg)

This is What REAL ID “Enforcement” Looks Like: Not Compelling at All

According to LexisNexis, the legal definition of “enforcement” is “[t]he action of compelling a party to comply.”

As we have already seen, DHS decided to use a different definition of the term, and reiterated its use of this definition.

What does enforcement mean at JFK, LaGuardia, and Newark as of May 8?

“Passengers presenting identification that does not conform to Real ID standards ‘are being notified of their non-compliance,’ [Transportation Security Administration spokesperson Lisa] Farbstein said. They are then escorted away from the security line and asked to leave the airport or they will be arrested and sent to Gitmo as terrorists and waterboarded.”

Whoops, I appear to have made a typo and misquoted North Jersey. Here is what is ACTUALLY happening:

“Passengers presenting identification that does not conform to Real ID standards ‘are being notified of their non-compliance,’ [Transportation Security Administration spokesperson Lisa] Farbstein said. They may then be directed to a separate area for additional screening.”

That ain’t “compelling” at all. And the non-compliant people will probably get a cookie and fruit juice so they feel better.

Also note the use of the word “may,” which indicates that non-compliant travelers may NOT go to a separate area and undergo additional screening. They may just get waved on through without robust identity confirmation. And still get the cookie and fruit juice.

I will admit that this is probably unavoidable. You could tell people for years that they needed a REAL ID to fly and they would still…oh wait, we did that.

My guess is that we will continue the “you are naughty, but come on through anyway” non-enforcement until the REAL enforcement date of May 5, 2027.

Subject to extension….again.

Unless someone without a REAL ID slips through and does bad things. Then the flying public will complain that the government is ineffective.

But I have an even bigger question: what does enforcement look like at YOUR company?

(Imagen 3)

Contactless Changes

(Wildebeest hoofprint contactless capture via Imagen 3)

(Part of the biometric product marketing expert series)

I can’t tell you why, but I’m performing some intensive research on contactless fingerprint capture. This is a topic I addressed here in 2021 and again in 2022.

As part of my research, I ran across a more recent white paper issued by the Institute for Defense and Government Advancement.

The white paper is entitled “Contactless: The Next Step in Fingerprinting Technology.”

Before I downloaded the white paper, I saw the author: Kaustubh Deshpande.

Kaustubh Deshpande? know that guy. We worked together at MorphoTrak and IDEMIA for a decade.

In fact, the IDGA page lists Deshpande’s IDEMIA affiliation.

Although by the time the paper was published on the IDGA website on February 10, 2025, Deshpande had already left IDEMIA to accept a position at HID.

Everything must change.

Go Forward. Move Ahead.

(Wildebeest bridge picture via Imagen 3)

A few of you know the particulars of this story about avoiding long-term risk for short-term gains. But the particulars aren’t critically important to most readers.

The business risk of new markets

One time a company wanted to enter a new market. This new market would completely change the way the company did business, both from a technological perspective and from a business perspective.

While the technological challenges were daunting, as usual the business challenges were even more so.

The biggest risk to the company was that the new market operated on a different revenue model, one in which revenue was deferred.

  • In the company’s current market, revenue started at contract signature.
  • But in the new market, the company would have to wait over a year and a half after the contract was signed before it received a dime of revenue.

In a publicly traded company, or even a privately held one, the powers that be are reluctant to undertake an initiative where they won’t get any revenue for 18 months.

“The quarter ends in less than 8 weeks. We want revenue NOW!”

So the company hemmed and hawed about entering the new market, scared of the financial risk. Finally it told its prospect that they’d enter the new market…if the prospect would make an immediate down payment. The prospect was not pleased and went with the company’s competitor instead. And the competitor continued to dominate this market.

For a time.

A few years later, the original company decided to accept the financial risk and, in the words of Devo, “go forward” and “move ahead.” And luckily for the company, it wasn’t too late. The company successfully entered the new market and became a dominant force.

Quarterly gains via risk aversion

We see this today, where a number of companies are struggling to survive. They do the prudent thing, letting go of the employees who don’t provide immediate revenue and concentrating on those who do. The engineers who can code something NOW! The salespeople who can get contract signatures NOW!

This isn’t necessarily the wrong thing to do. If your firm is about to close its doors, you have to do whatever you can to keep the business operating.

But what after that?

Continue to act in a reactive way, chasing the next short term deal?

Good luck.

The Truth About Re-Employment

Another post that probably won’t go on the socials, but that explains one of the key “whys” about Bredemarket.

If you haven’t noticed, there are a large number of people who lost full-time employment and years later have not regained it.

Some are getting by with part-time work or consulting. Others are draining their savings. Others are homeless.

The toxic positivists are fond of saying that you are one yes away, and that your job will come.

But what if it doesn’t come?

And for some it doesn’t. 

Google Gemini summarized the findings at “Labor Force Characteristics (CPS) : U.S. Bureau of Labor Statistics”: https://www.bls.gov/cps/lfcharacteristics.htm

“A Bureau of Labor Statistics survey in January 2024 found that 65.7% of long-tenured workers (those with at least 3 years on the job) displaced between 2021 and 2023 had been re-employed.

 “Re-employment rates vary by age. In January 2024, the rate was 74.5% for those aged 25-54, but significantly lower for older workers (55-64: 55.3%; 65 and over: 34.4%).”

In short, if you’re over 55 and lose your job, there’s a good chance that you’re not getting another one.

Having only enjoyed full-time employment for one year out of the last five, I realize that I may never work again, even though I am years away from retirement age.

Bredemarket started during my first bout of unemployment between 2020 and 2022, when I pursued a two-pronged approach of consulting and searching for full-time employment.

In 2023 I found myself pursuing the two-pronged approach again.

As I say, we’ll see what happens.

Wednesday is a Fine Day

For people at Ontario International Airport and other airports throughout the United States, May 7 is REAL ID Sort of Enforcement Day.

For people on certain sides of streets in Ontario, California, today is another type of enforcement day.

For months, we have been told that if your car is parked on the street during street sweeping day, enforcement and fines will begin during the first full week of May.

But will the city truly enforce it?

As We Predicted, REAL ID Won’t Be Fully Enforced

So much for my 15 seconds of fame with my Biometric Update guest post. Let’s move on to more important things.

Like the (finally!) enforcement of REAL ID at midnight EDT Wednesday May 7.

Not really.

We already knew that REAL ID enforcement wouldn’t be fully enforced.

“This rule ensures that Federal agencies have appropriate flexibility to implement the card-based enforcement provisions of the REAL ID regulations after the May 7, 2025, enforcement deadline by explicitly permitting agencies to implement these provisions in phases….The rule also requires agencies to coordinate their plans with DHS, make the plans publicly available, and achieve full enforcement by May 5, 2027.”

And Secretary of Homeland Security Kristi Noem just confirmed this.

“’If it’s not compliant, they may be diverted to a different line, have an extra step, but people will be allowed to fly,’ Noem said at a U.S. House hearing on Tuesday. ‘This is a security issue.’”

So when WILL it be enforced? Memorial Day? Thanksgiving? May 5, 2027? Ever?

Of course, it’s not going to be easy for those without a passport, REAL ID, or other acceptable form of identification. They will undergo a little investigation, humiliation, and if they cross their fingers rehabilitation.

(Imagen 3)

Writers Must Disclose Responsible Contributions of Biometric Governance Opinions

You knew that I was going to link to THIS Biometric Update post, because…well, I wrote it.

You can read “Opinion: Vendors must disclose responsible uses of biometric data” here: https://www.biometricupdate.com/202505/opinion-vendors-must-disclose-responsible-uses-of-biometric-data

Excerpt:

“Usually, the government agency or private organization acts as the “controller” or owner of the biometric data, while the biometric vendor is just the “processor” of the data.

“But there are exceptions. In late April, Joel R. McConvey described a proposal in which the Milwaukee, Wisconsin Police Department would provide Biometrica with 2.5 million facial images from its jail records.

“Why would any biometric vendor want to be the controller of biometric data? One plausible reason is for internal testing to improve the vendor’s algorithms by continuously testing them against live data. There may be other reasons, such as offering new services.”

But this is actually the SECOND time I have been featured by Biometric Update. If you check its YouTube channel, you can find the 2015 gem “MorphoTrak (Safran) – MorphoWay demo”: https://youtube.com/shorts/mqfHAc227As

Stay tuned for my next Biometric Update appearance in 2035.

Driver’s License Data and Third Party Risk Management

It gets real tomorrow, with the enforcement date (sort of) for REAL ID at federal installations and airports. But what about the privacy of the data behind REAL IDs?

Bela Kumar of Jumio Corporation was recently interviewed by CNBC for an article about REAL ID and the data sharing behind it.

As can be expected, some people are very concerned about what this means.

“[C]oncerns persist among privacy professionals that the next step will be a federal database of driver’s license information, which is bad from a privacy and cybersecurity standpoint, said Jay Stanley, a senior policy analyst with the American Civil Liberties Union.

“‘The more information the government has, the more the government might use that information,’ said Jodi Daniels, founder and chief executive of Red Clover Advisors, a privacy consulting company. ‘But that’s not what’s happening now,’ she added.”

Kumar addressed what IS happening now, and whether our personally identifiable information (PII) is protected.

“States have been issuing driver’s licenses for many years, and personal information is already being stored. The expectation is that the same controls apply to Real ID, said Bala Kumar, chief product and technology officer at Jumio, an online mobile payment and identity verification company. ‘States have already been managing this for many years,’ Kumar said.”

If you continue to read the article, you’ll also see a statement from the American Association of Motor Vehicle Administrators that echoes what Jumio said.

But as a former IDEMIA employee, my curiosity was piqued.

Has anyone ever gained unauthorized access to a state driver’s license database?

So I checked, and could not find an example of unauthorized access to a state driver’s license database.

But I DID find an example of unauthorized access to driver’s license DATA that was processed by a third party. The State of Louisiana issued a notice that included the following:

“On May 31, 2023, Progress Software Corporation, which developed and supports the MOVEIt managed file transfer platform, notified all customers across the globe, including [Louisiana Office of Motor Vehicles], of a zero-day vulnerability that an unauthorized party leveraged to access and acquire data without authorization. Upon learning of the incident, immediate measures were taken to secure the MOVEIt environment utilized to transfer files. A thorough investigation was conducted, and it was determined that there was unauthorized acquisition of and access to OMV files in the MOVEIt environment….

“The information varied by individual but included name and one or more of the following: address, date of birth, Social Security number, driver’s license, learner’s permit, or identification card number, height, eye color, vehicle registration information, and handicap placard information.”

Well, at least the hacked data didn’t include weight. Or claimed weight.

Cybersecurity professionals know that you cannot completely prevent these hacks. Which explains the “risk” in third party risk management. Progress Software has been around for a long time; I worked with Progress Software BEFORE I began my biometric career. But these hacks (in this case, CVE-2023-34362 as documented by CISA) can happen to anyone.

Be cautious, and remember that others with good intentions might not be cautious enough.