Wednesday is a Fine Day

For people at Ontario International Airport and other airports throughout the United States, May 7 is REAL ID Sort of Enforcement Day.

For people on certain sides of streets in Ontario, California, today is another type of enforcement day.

For months, we have been told that enforcement and fines for cars parked on the street on street sweeping day will begin during the first full week of May.

But will the city truly enforce it?

As We Predicted, REAL ID Won’t Be Fully Enforced

So much for my 15 seconds of fame with my Biometric Update guest post. Let’s move on to more important things.

Like the (finally!) enforcement of REAL ID at midnight EDT Wednesday May 7.

Not really.

We already knew that REAL ID wouldn’t be fully enforced.

“This rule ensures that Federal agencies have appropriate flexibility to implement the card-based enforcement provisions of the REAL ID regulations after the May 7, 2025, enforcement deadline by explicitly permitting agencies to implement these provisions in phases….The rule also requires agencies to coordinate their plans with DHS, make the plans publicly available, and achieve full enforcement by May 5, 2027.”

And Secretary of Homeland Security Kristi Noem just confirmed this.

“’If it’s not compliant, they may be diverted to a different line, have an extra step, but people will be allowed to fly,’ Noem said at a U.S. House hearing on Tuesday. ‘This is a security issue.’”

So when WILL it be enforced? Memorial Day? Thanksgiving? May 5, 2027? Ever?

Of course, it’s not going to be easy for those without a passport, REAL ID, or other acceptable form of identification. They will undergo a little investigation, humiliation, and, if they cross their fingers, rehabilitation.


Writers Must Disclose Responsible Contributions of Biometric Governance Opinions

You knew that I was going to link to THIS Biometric Update post, because…well, I wrote it.

You can read “Opinion: Vendors must disclose responsible uses of biometric data” here: https://www.biometricupdate.com/202505/opinion-vendors-must-disclose-responsible-uses-of-biometric-data

Excerpt:

“Usually, the government agency or private organization acts as the ‘controller’ or owner of the biometric data, while the biometric vendor is just the ‘processor’ of the data.

“But there are exceptions. In late April, Joel R. McConvey described a proposal in which the Milwaukee, Wisconsin Police Department would provide Biometrica with 2.5 million facial images from its jail records.

“Why would any biometric vendor want to be the controller of biometric data? One plausible reason is for internal testing to improve the vendor’s algorithms by continuously testing them against live data. There may be other reasons, such as offering new services.”

But this is actually the SECOND time I have been featured by Biometric Update. If you check its YouTube channel, you can find the 2015 gem “MorphoTrak (Safran) – MorphoWay demo”: https://youtube.com/shorts/mqfHAc227As

Stay tuned for my next Biometric Update appearance in 2035.

Driver’s License Data and Third Party Risk Management

It gets real tomorrow, with the enforcement date (sort of) for REAL ID at federal installations and airports. But what about the privacy of the data behind REAL IDs?

Bala Kumar of Jumio Corporation was recently interviewed by CNBC for an article about REAL ID and the data sharing behind it.

As can be expected, some people are very concerned about what this means.

“[C]oncerns persist among privacy professionals that the next step will be a federal database of driver’s license information, which is bad from a privacy and cybersecurity standpoint, said Jay Stanley, a senior policy analyst with the American Civil Liberties Union.

“‘The more information the government has, the more the government might use that information,’ said Jodi Daniels, founder and chief executive of Red Clover Advisors, a privacy consulting company. ‘But that’s not what’s happening now,’ she added.”

Kumar addressed what IS happening now, and whether our personally identifiable information (PII) is protected.

“States have been issuing driver’s licenses for many years, and personal information is already being stored. The expectation is that the same controls apply to Real ID, said Bala Kumar, chief product and technology officer at Jumio, an online mobile payment and identity verification company. ‘States have already been managing this for many years,’ Kumar said.”

If you continue to read the article, you’ll also see a statement from the American Association of Motor Vehicle Administrators that echoes what Jumio said.

But as a former IDEMIA employee, my curiosity was piqued.

Has anyone ever gained unauthorized access to a state driver’s license database?

So I checked, and could not find an example of unauthorized access to a state driver’s license database.

But I DID find an example of unauthorized access to driver’s license DATA that was processed by a third party. The State of Louisiana issued a notice that included the following:

“On May 31, 2023, Progress Software Corporation, which developed and supports the MOVEIt managed file transfer platform, notified all customers across the globe, including [Louisiana Office of Motor Vehicles], of a zero-day vulnerability that an unauthorized party leveraged to access and acquire data without authorization. Upon learning of the incident, immediate measures were taken to secure the MOVEIt environment utilized to transfer files. A thorough investigation was conducted, and it was determined that there was unauthorized acquisition of and access to OMV files in the MOVEIt environment….

“The information varied by individual but included name and one or more of the following: address, date of birth, Social Security number, driver’s license, learner’s permit, or identification card number, height, eye color, vehicle registration information, and handicap placard information.”

Well, at least the hacked data didn’t include weight. Or claimed weight.

Cybersecurity professionals know that you cannot completely prevent these hacks. Which explains the “risk” in third party risk management. Progress Software has been around for a long time; I worked with Progress Software BEFORE I began my biometric career. But these hacks (in this case, CVE-2023-34362 as documented by CISA) can happen to anyone.

Be cautious, and remember that others with good intentions might not be cautious enough.

Bar None


Follow-up to my March post “When Remote Bar Exam Technology Failed, You Won’t Believe What Happened Next.”

“The State Bar of California announced Friday that its beleaguered leader, who has faced growing pressure to resign over the botched February roll out of a new bar exam, will step down in July. Leah T. Wilson, the agency’s executive director, informed the Board of Trustees she will not seek another term in the position she has held on and off since 2017. She also apologized for her role in the February bar exam chaos.”

No idea if Wilson was sued personally.

Read the updated story at https://www.mahoningmatters.com/news/nation-world/national/article305606501.html#storylink=cpy 

Identity Management Platform Frontegg.ai

From Help Net Security:

“Frontegg launched Frontegg.ai, an identity management platform purpose-built for developers building AI agents….

“[D]evelopers are running into a major roadblock: a lack of identity standards tailored specifically for AI agents. Existing infrastructure was not designed with autonomous agents in mind. When building an AI agent, developers are forced to waste valuable time stitching together ad-hoc authentication flows, security frameworks, and integration mechanisms….

“In an AI‑first world, identity can’t be retrofitted from traditional web and mobile stacks. It needs to be purpose-built for AI agents. Frontegg.ai provides that layer for agent builders…”


Verify the Supporting Documents Aren’t Forged

From the CBC in Canada:

“The documents were forged Labour Market Impact Assessments, or LMIAs. Employers typically receive the documents from Employment and Social Development Canada (ESDC) if they want to hire a foreign worker.”

Biometrics aren’t enough. The person may be who they say they are, but the documentation they are holding may be fake.

More on this type of fraud: https://www-cbc-ca.cdn.ampproject.org/c/s/www.cbc.ca/amp/1.7516048

(Forged document from Imagen 3. Lincoln never held a law license in the then-United Kingdom.)

Forgot About Faulds

Nowadays, everybody wanna say that they got big TED talks

But nothin’ comes out when they press their fingers

Just a bunch of gibberish 

And CSIs act like they forgot about Faulds

And my N. P. E. Bredemarket Instagram metabot forgot too.

But at least he didn’t cite Gabe Guo.

And I don’t have a rap career.

Forgot About Faulds.

Too Many Trees in the Forrester?

As far as Forrester is concerned:

“[O]nly a quarter of firms employ a launch process even vaguely approaching best-in-class…”

But I take this with a grain of salt, because Forrester has a product it is marketing.

“We began by introducing attendees to our proprietary Product Marketing And Management (PMM) Model (client login required).”

I’m not a client, so I don’t have a login. But Forrester’s PMM Model appears to cover some important topics.

  • Proposals.
  • Market requirements.
  • Dashboards.
  • Defining your hungry people, although Forrester uses the legacy term target audience. (Hey, I try.)
  • Sales targets.
  • Competitive differentiation.

And that was just the beginning, because Forrester is certainly comprehensive.

Although it sounds like the full Forrester PMM Model process may be completely mystifying and overwhelming if you have no model at all. I know.

Better to start off moving from Level 1 to Level 2 in a maturity model rather than trying to jump to Level 5.
