Category Archives: Uncategorized

Why Would Europe Perform Its Own Biometric Testing?

I’ve seen two articles about a possible move by Europe to set up a Europe-wide biometric testing agency, bypassing the need for National Institute of Standards and Technology (NIST) biometric testing.

One reason is that a European-controlled testing methodology can incorporate European regulations, such as the General Data Protection Regulation (GDPR).

A second related reason for Europe to bypass NIST biometric testing is that U.S. government agencies, including NIST and the Federal Bureau of Investigation (FBI), naturally place prime importance on American interests.

Remember when the U.S. House of Representatives Select Committee on the Chinese Communist Party complained that the FBI Certified Products List contained Chinese biometric vendors (the Certified Communist Products List)?

  • Wait until they discover all the Chinese companies that participate in NIST testing.
  • And wait until someone in the legislative or executive branches decides that the FBI or NIST shouldn’t list products from other countries deemed unfriendly to the United States. Denmark? Germany? France?

For these reasons, Europe may be compelled to set up its own biometric testing organization.

And so may China.

TSA ConfirmID is NOT $18

Remember when people were told that REAL ID would be mandatory? Beginning on whatever date REAL ID became mandatory…it became mandatory. If you didn’t have REAL ID, or another acceptable form of identification (AFOID), you weren’t getting on that plane. (Among other things.)

Well, that was a lie.

As I noted in December, the Transportation Security Administration was officially allowing an alternative acceptable form of identification (AAFOID???). An item ran in the Federal Register with this text:

“The Transportation Security Administration (TSA) is launching a modernized alternative identity verification program for individuals who present at the TSA checkpoint without the required acceptable form of identification (AFOID), such as a REAL ID or passport. This modernized program provides an alternative that may allow these individuals to gain access to the sterile area of an airport if TSA is able to establish their identity.”

But there was going to be a fee.

“To address the government-incurred costs, individuals who choose to use TSA’s modernized alternative identity verification program will be required to pay an $18 fee.”

Well, that was a lie. (Yes, “Lyin’ Eyes” is still on my mind.)

Here’s a quote from TSA’s February 5 press release:

“Passengers without REAL IDs or other acceptable forms of identification have the option to use TSA ConfirmID by paying a $45 fee for a 10-day travel period.”

For those who are math-challenged, $45 is over twice as much as $18.

TSA’s hope of course is that if the law won’t force you to get a REAL ID, money will.

On DOJ/DoD/DHS ABIS Interoperability

The image at the top of this post was taken from the NIST website and is a from an interoperability slide in a 2016 FBI presentation. Although the reference to “IAFIS” suggests that the image was created long before 2016. No NGI, and no HART either.

Because—while this may make some uncomfortable—biometric interoperability between the Departments of Defense, Homeland Security, and Justice is critically important.

For years after 9/11, the (then) systems from the three Departments were NOT interoperable.

Which made it difficult to identify if a military person or citizenship applicant was a criminal.

Today, while the three current systems use three different data interchange standards (based upon work by NIST), they CAN talk to each other.

We just have to ensure that the interoperability is legal and proper.

De-Sora

I first mentioned OpenAI’s Sora last October in connection with the privacy concerns of its Cameo feature. Does Cameo create an innocuous likeness, or an evil deepfake?

As it turns out, neither. Sora is going to the tech graveyard.

From https://x.com/soraofficialapp/status/2036546752535470382

We’re saying goodbye to the Sora app. To everyone who created with Sora, shared it, and built community around it: thank you. What you made with Sora mattered, and we know this news is disappointing.

We’ll share more soon, including timelines for the app and API and details on preserving your work. – The Sora Team

The March 25, 2026 List of PAD 3 Conforming Solutions

Update to the March 3 version. Added Oz Forensics.

VendorModalityConfirming LabLink/Date
AwareFaceBixeLabNovember 2025
FaceTecFaceBixeLabOctober 2025
IncodeFaceiBetaFebruary 2026
Oz ForensicsFaceBixeLabMarch 2026
ParavisionFaceIngeniumSeptember 2025
YotiFaceiBetaJanuary 2026

Surviving Without Electricity or Internet

I wrote this over two years ago.

How long can you survive without pizza? Years (although your existence will be hellish). 

OK, how long can you survive without water? From 3 days to 7 days

OK, how long can you survive without oxygen? Only 10 minutes.

But let’s look at two other items: electricity, and the Internet.

These two items are similar to the pizza item above; lack of them won’t result in immediate death. Even a lack of electricity is survivable: although you could lose air conditioning on 100° F days, historical people survived without electricity, and 750 million people do so today. Including temporary losses of electricity, such as a whole-day blackout in a part of the Philippines.

As for the Internet…it’s complicated.


From https://www.yourtango.com/201168184/facebook-relationship-status-what-does-its-complicated-mean.

The number of people without Internet access is 2.5 billion. They are surviving…with challenges. But school connectivity can bring positive benefits.

An Economist Intelligence Unit (EIU) report underscores the importance of school connectivity in enhancing learning outcomes and boosting economies. The report found that in the least developed countries, a 10% increase in school connectivity can improve children’s effective years of schooling by 0.6% and increase GDP per capita by 1.1%.

I’ve previously looked at the business world. Specifically my business, which is heavily dependent on the Internet (as my current Internet Service Provider issues attest). While blogs are meaningless in a world without Internet, Bredemarket could still conduct business.

Even if the Internet were to disappear, I could still write text for case studies (maintaining my Inland Empire case study writing business) and white papers. I could send my client a Microsoft Word file (perhaps an old version of Word), and the firm could send the file to their printer. But how would I send the file? Put a CD in the mail?

Life without Internet would be much more difficult.

And a final question: how many of us would run into difficulty if generative AI were to go away?

You CAN Modernize…But Should You?

In the past, I have said:

“[T]he technology is easy. The business part is the difficult part.”

But Chris Burt of Biometric Update phrased it more succinctly:

“[P]olicy chases modernization”

As Burt notes, examples of policy chasing modernization include:

  • Digital sovereignty, a topic of discussion with everyone from ID4Africa to an organization called the World Ethical Data Foundation. (As an aside, a Bredemarket client and I were recently discussing the pros and cons of managing digital identities in the cloud vs. peer-to-peer synchronization.)
  • Cybersecurity and digital identity, a topic of discussion in government (the White House, NIST) and industry (Jordan Burris of Socure).
  • Other topics, including police facial recognition policy. (Hmm…I recall that both government and vendor biometric policies were the topic of a Biometric Update guest article last year.)

All of you recall Pandora’s Box. I’ve used the story multiple times, including when discussing my creation of Bredebot and its nearly-instantaneous hallucinations. Yes, I do have “policies” regarding this “modernization,” including full disclosure.

But are policies enough?

On Intent

I’ve been playing with the idea of intent (what I call “somewhat you why”) as a factor of identity verification and authentication. And although most people aren’t willing to go that far, intent analysis is becoming more important.

Biometric Update’s Chris Burt quoted RealSense Chief Marketing Officer Mike Nielsen on the company’s ID Pro. In this case, intent detection is used in a non-biometric fashion.

“We now have the ability to detect a person — not just a face — on the module.  Meaning, we can classify body parts (legs, arms, hands, feet) and estimate pose in real time, without any additional external software.  This includes which direction they are walking, how far away they are, and how quickly they are moving. This opens up an enormous opportunity for next-gen applications where you need to know the intent of a person beyond identifying their identity.  And you still get the ability to authenticate faces on the same platform.”

This is definitely NOT identity verification or authentication, but is certainly useful.

If accurate. If a system misreads intent, it can be disastrous.

Returning to Lattice Identity

The last time I delved into lattices, it was in connection with the NIST FIPS 204 Module-Lattice-Based Digital Signature Standard. To understand why the standard is lattice-based, I turned to NordVPN:

“A lattice is a hierarchical structure that consists of levels, each representing a set of access rights. The levels are ordered based on the level of access they grant, from more restrictive to more permissive.”

In essence, the lattice structure allows more elaborate access rights.

This article (“Lattice-Based Identity and Access Management for AI Agents”) discusses lattices more. Well, not explicitly; the word “lattice” only appears in the title. But here is the article’s main point:

“We are finally moving away from those clunky, “if-this-then-that” systems. The shift to deep learning means agents can actually reason through a mess instead of just crashing when a customer uses a slang word or a shipping invoice is slightly blurry.”

It then says

“Deep learning changes this because it uses neural networks to understand intent, not just keywords.”

Hmm…intent? Sounds a little somewhat you why…or maybe it’s just me.

But it appears that we sometimes don’t care about the intent of AI agents.

“If you gave a new employee the keys to your entire office and every filing cabinet on day one, you’d be sweating, right? Yet, that is exactly what many companies do with ai agents by just slapping an api key on them and hoping for the best.”

This is not recommended. See my prior post on attribute-based access control, which led me to focus more on non-person entities (non-human identities).

As should we all.