This fact, and other irregularities in the visas and passports of the 9/11 hijackers, directly led to the mandate that the U.S. implement biometric exit…which has been delayed more often than REAL ID.
In theory, enforcement of visa expirations with biometric exit is simple.
If you can tell who has entered a country and who has left a country, then you can identify people who have NOT left the country, but whose visas have expired.
And you can tell entries and exits via biometrics, as long as a person’s biometrics are acquired through the passport and/or visa process.
So if biometric exit had existed in January 2001, then a (theoretically) quick check could show that al-Hazmi had NOT left the United States and was still here on an expired visa. He could have been kicked out of the country and barred from returning, and therefore wouldn’t be on a plane on September 11.
The only problem is that EVERYONE needs to be processed when leaving the country for the system to work. At a minimum, anyone who cannot prove U.S. citizenship would have to have their biometrics captured. Or just make it easy and capture everyone’s biometrics as they leave the United States.
“The coalition—led by the Electronic Frontier Foundation, the American Civil Liberties Union and the Canadian-U.S. cross-border group OpenMedia—contends that capturing images of lawful permanent residents exceeds DHS’s statutory mandate and creates a de-facto travel dossier vulnerable to data breaches.”
“THE DEPARTMENT OF Homeland Security is moving to consolidate its face recognition and other biometric technologies into a single system capable of comparing faces, fingerprints, iris scans, and other identifiers collected across its enforcement agencies, according to records reviewed by WIRED.”
But those very “records reviewed by WIRED” include this statement:
“This RFI is for planning purposes only and shall not be construed as an obligation on the part of the Government. This is NOT a Request for Quotations or Proposals. No solicitation document exists, and a formal solicitation may or may not be issued by the Government as a result of the responses received to this RFI.”
And even if this actually WAS a true procurement…HART was originally announced during the Obama administration in 2016. Ten years later, it still hasn’t happened.
Most technology publications, with the notable exception of IPVM, are at least partially funded by the companies they cover. Therefore there’s an unavoidable tension between keeping the advertisers happy and casting a critical eye on the industry.
I accept this tension because it applies to Bredemarket itself. Although my clients are absolutely wonderful, there may emerge a future situation where they may be less than perfect. So naturally I have to watch my tongue.
As does Biometric Update.
Remember when IDloop asserted it offered “the world’s first FBI-certified 3D contactless fingerprint scanner,” and Biometric Update reported the claim with no comment? I said at the time:
“Biometric Update reports news as reported, and I don’t think it’s Biometric Update’s purpose to poke holes in vendor claims.”
But then Biometric Update ran a more recent story.
They said that?
Bear in mind that Biometric Update’s advertisers include vendors who offer identity document validation solutions: either their own, or from a third party.
And Biometric Update’s recent story basically said that these solutions are a toxic dumpster fire.
OK, not in those words. Biometric Update is Canadian owned, and if the publication used the words “toxic dumpster fire” it would never stop apologizing.
Not just ineffective, DISASTROUSLY ineffective. Ouch.
For those not up in their acronyms, the Department of Homeland Security’s (DHS) latest annual round of tests was called the Remote Identity Validation Rally (RIVR).
DHS set performance goals for the submitted entries and publicized the (anonymous) results.
“Four of the seven subsystems tested met the goal for system error rate. Four did not meet the threshold for FRR, and five fell short in FAR. In other words, most systems let too few legitimate IDs through, even more passed too many fraudulent IDs, and six of seven fell short on one or both sides of the assessment.”
Google Gemini.
Biometric Update didn’t reveal the…um…identity of the one vendor that performed acceptably. But that vendor may self-reveal soon enough.
On anonymity
Why do testing entities sometimes allow participants to remain anonymous?
Because they want participants.
Some biometric tests are NOT designed to identify the best algorithms, but are instead designed to view the state of the industry. And that’s what this test performed with document validation.
Presumably a future test—POND, or Performance Of Notable Documents—will measure the future state-of-the-art of identity document validation.
An interesting Request for Information (Notice ID 70RDA126RFI000003) for a multi-biometric matching system was posted on SAM.gov on Friday, and it’s turning some heads. But is YOUR organization reading an RFI that is turning YOUR heads?
Bear in mind that this is a Request for INFORMATION, not a Request for PROPOSAL. And this is made clear in the document:
“This RFI is for planning purposes only and shall not be construed as an obligation on the part of the Government. This is NOT a Request for Quotations or Proposals. No solicitation document exists, and a formal solicitation may or may not be issued by the Government as a result of the responses received to this RFI.”
Forget the technical requirements…look at the BUSINESS requirements
Now I could get into the…um…minutiae of the request for information about a biometric matching system, the requirements for everything from presentation attack detection to on-premise/hybrid/cloud deployments, and a host of other things.
But in this case, the business requirements outweigh the technical requirements…by a LONG shot.
“The Department of Homeland Security (DHS) is seeking an enterprise-wide, scalable, and secure biometric matching software solution to support mission-critical identity verification, vetting, and investigative operations across all DHS Components, including CBP, ICE, TSA, USCIS, USSS, and Headquarters. The contractor will provide a DHS-wide enterprise license for multi-modal biometric matching software, along with all associated services, integration support, maintenance, and technical assistance necessary for full operational deployment.”
And in the next section:
“DHS is looking to acquire an enterprise-wide biometric matching software solution, including all licenses, services, and technical support necessary to enable seamless integration with all DHS biometric systems.”
Matching for ALL DHS components, and integration with ALL DHS biometric systems. This could just be a teeny system for limited operations…or it could be a super system. Since they’re asking about scalability, potential respondents should probably assume the latter.
So we’re talking loads of money.
Of course it could be scaled way down when or if a final RFP comes along. And maybe the vast expanse of the RFI is merely designed to get system integrators to drool.
Incidentally, Bredemarket offers proposal services to assist identity/biometric vendors in RFI and RFP responses such as this one. Over the years my proposals have won over $50 million in business. Presumably the respondents to this RFI have full proposal staffs (or maybe not), but if YOUR organization requires RFI and RFP assistance, schedule a meeting with Bredemarket.
Bredemarket services, process, and pricing.
(2/17/2026: See Anthony Kimery’s assessment of the RFI here.)
I was working with these sectors back when I was at MorphoTrak.
“There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof. Presidential Policy Directive 21 (PPD-21): Critical Infrastructure Security and Resilience advances a national policy to strengthen and maintain secure, functioning, and resilient critical infrastructure. This directive supersedes Homeland Security Presidential Directive 7.”
When the United States was attacked on September 11, 2001—an attack that caused NATO to invoke Article 5, but I digress—Congress and the President decided that the proper response was to reorganize the government and place homeland security efforts under a single Cabinet secretary. While we may question the practical wisdom of that move, the intent was to ensure that the U.S. Government mounted a coordinated response to that specific threat.
Today Americans face the threat of fraud. Granted it isn’t as showy as burning buildings, but fraud clearly impacts many if not most of us. My financial identity has been compromised multiple times in the last several years, and yours probably has also.
But don’t expect Congress and the President to create a single Department of Anti-Fraud any time soon.
Because this is government-wide and necessarily complex, the bill will be referred to at least THREE House Committees:
“Referred to the Committee on Oversight and Government Reform, and in addition to the Committees on Financial Services, and Energy and Commerce, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.”
“9 (9) The National Institute of Standards and 10 Technology (NIST) was directed in the CHIPS and 11 Science Act of 2022 to launch new work to develop 12 a framework of common definitions and voluntary 13 guidance for digital identity management systems, 14 including identity and attribute validation services 15 provided by Federal, State, and local governments, 16 and work is underway at NIST to create this guid 17 ance. However, State and local agencies lack re 18 sources to implement this new guidance, and if this 19 does not change, it will take decades to harden defi 20 ciencies in identity infrastructure.”
Even in the preamble the bill mentions NIST, part of the U.S. Department of Commerce, and the individual states, after mentioning the U.S. Department of the Treasury (FinCEN) earlier in the bill.
But let’s get to the meat of the bill:
“3 SEC. 3. IDENTITY FRAUD PREVENTION INNOVATION 4 GRANTS. 5 (a) IN GENERAL.—The Secretary of the Treasury 6 shall, not later than 1 year after the date of the enactment 7 of this section, establish a grant program to provide iden 8 tity fraud prevention innovation grants to States.”
The specifics:
The states can use the grants to develop mobile driver’s licenses “and other identity credentials.”
They can also use the grants to protect individuals from deepfake attacks.
Another purpose is to develop “interoperable solutions.”
A fourth is to replace vulnerable legacy systems.
The final uses are to make sure the federal government gets its money, because that’s the important thing to Congress.
But there are some limitations in how the funds are spent.
They can’t be used to require mDLs or eliminate physical driver’s licenses.
They can’t be used to “support the issuance of drivers licenses or identity credentials to unauthorized immigrants.” (I could go off on a complete tangent here, but for now I’ll just say that this prevents a STATE from issuing such an identity credential.)
The bill is completely silent on REAL ID, therefore not mandating that everyone HAS to get a REAL ID.
And everything else
So although the bill claims to implement a government-wide solution, the only legislative changes to the federal government involve a single department, Treasury.
But Treasury (FinCEN plus IRS) and the tangentially-mentioned Commerce (NIST) aren’t the only Cabinet departments and independent agencies involved in anti-fraud efforts. Others include:
The Department of Homeland Security, through the Secret Service and every enforcement agency that checks identities at U.S. borders and other locations.
The Federal Trade Commission (FTC).
The Social Security Admistration. Not that SSNs are a national ID…but they de facto are.
And that’s just one example of how anti-fraud efforts are siloed. Much of this is unavoidable in our governmental system (regardless of political parties), in which states and federal government agencies constantly war against each other.
What happens, for example, if the Secret Service decides that the states (funded by Treasury) or the FBI (part of Justice) are impeding its anti-fraud efforts?
Or if someone complains about NIST listing evil Commie Chinese facial recognition algorithms that COULD fight fraud?
Despite what Biometric Update and the Congresspeople say, we do NOT have a government-wide anti-fraud solution.
(And yes, I know that the Capitol is not north of the Washington Monument…yet.)
If you’ve read a few hundred job descriptions, one phrase that you’ll often see is “cross-functional collaboration.” The theory is that the employee (for example, a senior product marketing manager) will seamlessly work with marketing, product, R&D, customer success, sales, finance, legal, and everyone else, all working together for the good of the company.
But the world usually doesn’t work like that. YOUR department is great. The other departments are the bozos.
Google Gemini.
There’s actually a benefit to this when you look at government agencies. If you believe that “the government that governs least” is preferable to Big Brother, then the fact that multiple agencies DON’T gang up against you is a good thing. You don’t want to be chased by the FBI and the CIA and the BBC and B.B. King and Doris Day. And Matt Busby.
But there are times when government agencies work together, usually when facing a common threat. Sometimes this is good…and sometimes it isn’t. Let’s look at two examples and see where they fall in the spectrum.
The Central Intelligence Agency and the Federal Bureau of Investigation in 1972
Normally bureaucrats are loyal to their agency, to the detriment of other agencies. This is especially true when the agencies are de facto competitors.
In theory, and certainly in the 1970s, the Central Intelligence Agency (CIA) and the Federal Bureau of Investigation (FBI) have completely separate spheres of operation. But on the highest level they perform the same function: catch bad people. And each agency certainly wants to take the credit when a bad person is caught. Conversely, if one of the agencies has a bad person, the other one usually works to expose it.
Usually.
A few of you are old enough to remember a third-rate burglary in Washington, DC in 1972. The burglary took place at a political party office in some hotel or another. We now know with the benefit of hindsight that the FBI-CIA rivalry worked. Bob Woodward learned a few days after the break-in that two of the alleged burglars were connected to E. Howard Hunt, a former CIA operative. Who told Woodward?
“Woodward, we now know, had been tipped off by Mark Felt, the deputy director of the FBI. The Bureau had itself become involved in the investigation of a mere burglary because once the police found wiretapping equipment, the investigation fell under its remit.”
Google Gemini.
This is how it should work. Although the mere fact that Hunt knew Bernard Barker and Eugenio Martinez was not a crime, the FBI was certainly bound to investigate the matter.
Until it wasn’t.
“Richard Nixon and senior White House personnel including Chief-of-Staff Bob Haldeman and domestic policy tsar John Ehrlichman devised a strategy to block the investigation. This began to unfold as early as June 23, a mere three days after the break-in. That day, Haldeman proposed to Nixon to “have [Vernon] Walters [deputy director of the CIA] call Pat Gray [director of the FBI] and just say ‘stay the h*ll out of this’ on grounds of ‘national interest.’”
This recorded conversation would become very important two years later, but back in 1972 very few people knew about it. And very few people knew that Gray “destroyed secret documents removed from Howard Hunt’s safe.”
Think about it. If Richard Nixon hadn’t recorded his own conversations, we may have never learned that the CIA partially neutralized an FBI investigation.
But other instances of cross-functional collaboration come to light in other ways.
Immigration and Customs Enforcement and the Transportation Security Administration before 2026
The FBI-CIA episode of 1972 was an aberration. Normally agencies don’t cooperate, even when massive amounts of effort are performed to make them work together.
One prime example was the creation of the Department of Homeland Security (DHS) in 2002-2003. Because it was believed that 9/11 happened because relevant agencies were scattered all over the government, Congress and the President performed a massive reorganization. This affected the Departments of Agriculture, Energy, Health and Human Services, Justice, Transportation, and Treasury.
For our discussion:
The Department of Justice lost the Immigration and Naturalization Service (INS), which was broken up into three separate agencies within DHS. One of these is Immigration and Customs Enforcement, or ICE. Perhaps you’ve heard of it.
The relatively new Transportation Security Administration (TSA) was moved from the Department of Transportation to DHS.
The theory, of course, is that once all these agencies were under the DHS umbrella, they would magically work together to stop the evil terrorists. However, each of the component agencies had vastly different missions. Here is the mission of the TSA:
“Protect the nation’s transportation systems to ensure freedom of movement for people and commerce.”
Well, “freedom of movement” is not the primary part of ICE’s mission:
“Protect America through criminal investigations and enforcing immigration laws to preserve national security and public safety.”
While these missions are not mutually exclusive, the difference in emphasis is apparent. And the agencies competed.
Some of you may remember air marshals. After 9/11, some airline flight passengers were actually air marshals, but the passengers (and any terrorists) didn’t know which flights had air marshals or who they were.
Google Gemini.
The Federal Air Marshal Service (FAMS) was part of the Transportation Security Administration.
“Homeland Security Secretary Tom Ridge announced [in September 2003] that the federal air marshals program will move from the Transportation Security Administration to the Bureau of Immigration and Customs Enforcement (ICE).”
The idea was to concentrate all enforcement operations in one agency, to protect FAMS from uncertain TSA funding, and to allow ICE agents to be cross-trained as air marshals. But this didn’t happen, so two years later FAMS moved from ICE back to TSA.
And both agencies went on their merry little ways.
Immigration and Customs Enforcement and the Transportation Security Administration in 2026
“When Transportation Security Administration (TSA) Acting Director Ha Nguyen McNeill was pressed [by the House Committee on Homeland Security] on reports that ICE is using domestic flight passenger information to support deportation operations, she did not deny cooperation. Instead, she defended it as legitimate intra-departmental coordination and framed it as part of DHS’s overall mission set.
“In response to lawmakers’ questions, McNeill said TSA assistance to ICE is ‘absolutely within our authorities’ when it involves sharing passenger information for immigration enforcement operations.”
McNeill effectively said that TSA doesn’t dump its data on ICE, but responds to individual ICE inquiries.
“Airport travel…becomes a choke point for detentions – no longer just transportation, but a compliance checkpoint for civil enforcement, re-engineering mobility into an enforcement tool.”
I discussed the whole “defund the police” movement years ago, and now in 2026 we are still depending upon the police to protect us.
According to KARE, here is what happened when the police investigated the death of Alex Pretti…or tried to do so.
“Despite having a signed warrant from a judge, the Minnesota Bureau of Criminal Apprehension (BCA) was denied access to the scene where a man was fatally shot by federal agents Saturday morning in south Minneapolis, according to the BCA.
“Minnesota BCA Superintendent Drew Evans said the department was initially turned away at the scene by the Department of Homeland Security (DHS), so the BCA obtained a warrant from an independent judge. Evans said the judge agreed that the BCA had probable cause to investigate the scene, but DHS officials wouldn’t allow the BCA access to the scene.”
And I might as well say this also…I don’t believe in abolishing ICE either.
Experienced biometric professionals can’t help but notice that the acronym OFIQ is similar to the acronym NFIQ (used in NFIQ 2), but the latter refers to the NIST FINGERPRINT image quality standard. NFIQ is also open source, with contributions from NIST and the German BSI, among others.
But NFIQ and OFIQ, while analyzing different biometric modalities, serve a similar purpose: to distinguish between good and bad biometric images.
But do these open source algorithms meaningfully measure quality?
The study of OFIQ
Biometric Update alerted readers to the November 2025 study “On the Utility of the Open Source Facial Image Quality Tool for Facial Biometric Recognition in DHS Operations” (PDF).
Note the words “in DHS Operations,” which are crucial.
The DHS doesn’t care about how ALL facial recognition algorithms perform.
The DHS only cares about the facial recognition algorithms that may potentially use.
DHS doesn’t care about algorithms it would never use, such as Chinese or Russian algorithms.
In fact, from the DHS perspective, it probably hopes that the Chinese Cloudwalk algorithm performs very badly. (In NIST tests, it doesn’t.)
So which algorithms did DHS evaluate? We don’t know precisely.
“A total of 16 commercial face recognition systems were used in this evaluation. They are labeled in diagrams as COTS1 through COTS16….Each algorithm in this study was voluntarily submitted to the MdTF as part of on-going biometric performance evaluations by its commercial entity.”
So what did DHS find when it used OFIQ to evaluate images submitted to these 16 algorithms?
“We found that the OFIQ unified quality score provides extremely limited utility in the DHS use cases we investigated. At operationally relevant biometric thresholds, biometric matching performance was high and probe samples that were assessed as having very low quality by OFIQ still successfully matched to references using a variety of face recognition algorithms.”
Or in human words:
Images that yielded a high quality OFIQ score accurately matched faces using the tested algorithms.
Images that yielded a low quality OFIQ score…STILL accurately matched faces using the tested algorithms.
Google Gemini.
So, at least in DHS’ case, it makes no sense to use the OFIQ algorithm.
No, you don’t have to be a citizen to get a REAL ID.
But your REAL ID is tied to your authorization to be in the United States, and expires on the same date as your authorization to be here.
Well, that’s how it’s supposed to work.
In California, the date calculations (based upon 2006 legacy code) were screwed up for 300,000 legal residents.
“The error overrode the correct expiration date, which should have matched the end of the cardholder’s authorized stay in the United States. Under federal rules, immigrants with legal status — including permanent residents, green card holders and visa holders — are eligible for REAL IDs, but the cards’ expiration dates must align with the length of their authorized stay.”
Except when they don’t.
And for those who believe that granting REAL IDs to non-citizens is an example of California breaking the law:
The DHS approved California’s REAL IDs in April 2019 under President Trump.
“If you’re not a U.S. citizen, you must apply in person at a state driver exam station and provide a U.S. Citizenship and Immigration document proving your lawful status in the U.S.”
Bredemarket 