department of homeland security

Three Ways in Which My Identity/Biometric Experience Exhibits My “Bias”

Yeah, I’m still focused on that statement:

“I think too much knowledge is actually bad in tech: you’re biased.”

Why does this quote affect me so deeply? Because with my 30-plus years of identity/biometric experience, I obviously have too much knowledge of the industry, which is obviously bad. After all, all a biometric company needs is a salesperson, an engineer, an African data labeler, and someone to run the generative AI for everything else. The company doesn’t need someone who knows that Printrak isn’t spelled with a C.

In this post I will share three of the “biases” I have developed in my 30-plus years in identity and biometrics, and how to correct these biases by stripping away that 20th century experience and applying novel thinking.

And if that last paragraph made you throw up in your mouth…read to the end of the post.

But first, let’s briefly explore these three biases that I shamefully hold due to my status as a biometric product marketing expert:

Independent algorithmic confirmation is valuable.
Process is valuable.
Artificial intelligence is merely a tool.

Biometric product marketing expert.

Bias 1: Independent Algorithmic Confirmation is Valuable

Biometric products need algorithms to encode and match the biometric samples, and ideally to detect presentation and injection attacks.

But how do prospects know that these algorithms work? How accurate are they? How fast are they? How secure are they?

My bias

My brain, embedded with over 30 years of bias, gravitates to the idea that vendors should submit their algorithms for independent testing and confirmation.

From a NIST facial recognition demographic bias text.

This could be an accuracy test such as the ones NIST and DHS administer, or confirmation of presentation attack detection capabilities (as BixeLab, iBeta, and other organizations perform), or confirmation of injection attack detection capabilities.

Novel thinking

But you’re smarter than that and refuse to support the testing-industrial complex. They have their explicit or implicit agendas and want to force the biometric vendors to do well on the tests. For example, the U.S. Federal Bureau of Investigation’s “Appendix F” fingerprint capture quality standard specifically EXCLUDES contactless solutions, forcing everyone down the same contact path.

But you and your novel thinking reject these unnecessary impediments. You’re not going to constrain yourself by the assertions of others. You are going to assert your own benefits. Develop and administer your own tests. Share with your prospects how wonderful you are without going through an intermediary. That will prove your superiority…right?

Bias 2: Process is Valuable

A biometric company has to perform a variety of tasks. Raise funding. Hire people. Develop, market, propose, sell, and implement products. Throw parties.

How will the company do all these things?

My bias

My brain, encumbered by my experience (including a decade at Motorola), persists in a belief that process is the answer. The process can be as simple as scribblings on a cocktail napkin, but you need some process if you want to cash out in a glorious exit—I mean, deliver superior products to your customers.

Perhaps you need a development processs that defines, among other things, how long a sprint should be. A capture and proposal process (Shipley or simpler) that defines, among other things, who has the authority to approve a $10 million proposal A go-to-market process that defines the deliverables for different tiers, and who is responsible, accountable, consulted, and informed. Or maybe just an onboarding process when starting a new project, dictating the questions you need to ask at the beginning.

Bredemarket’s seven questions. I ask, then I act.

Novel thinking

Sure all that process is fine…if you don’t want to do anything. Do you really want to force your people to wait two weeks for the latest product iteration? Impose a multinational bureauracy on your sales process? Go through an onerous checklist before marketing a product?

Just code it.

Just sell it.

Just write it.

Bias 3: Artificial Intelligence is Merely a Tool

The problem with experienced people is that they think that there is nothing new under the sun.

You talk about cloud computing, and they yawn, “Sounds like time sharing.” You talk about quantum computing, and they yawn, “Sounds like the Pentium.” You talk about blockchain, and they yawn, “Sounds like a notary public.”

My bias

As I sip my Pepperidge Farm, I can barely conceal my revulsion at those who think “we use AI” is a world-dominating marketing message. Artificial intelligence is not a way of life. It is a tool. A tool that in and of itself does not merit much of a mention.

How many automobile manufacturers proclaim “we use tires” as part of their marketing messaging? Tires are essential to an automobile’s performance, but since everyone has them, they’re not a differentiator and not worthy of mention.

In the same way, everyone has AI…so why talk about its mere presence? Talk about the benefits your implementation provides and how these benefits differentiate you from your competitors.

Novel thinking

Yep, the grandpas that declare “AI is only a tool” are missing the significance entirely. AI is not like a Pentium chip. It is a transformational technology that is already changing the way we create, sell, and market.

Therefore it is critically important to highlight your product’s AI use. AI isn’t a “so what” feature, but an indication of revolutionary transformative technology. You suppress mention of AI at your own peril.

How do I overcome my biases of experience?

OK, so I’ve identified the outmoded thinking that results from too much experience. But how do I overcome it?

I don’t.

Because if you haven’t already detected it, I believe that experience IS valuable, and that all three items above are essential and shouldn’t be jettisoned for the new, novel, and kewl.

Are you a identity/biometric marketing leader who needs to tell your prospects that your algorithms are validated by reputable independent bodies?

Or that you have a process (simple or not) that governs how your customers receive your products?

Or that your AI actually does unique things that your competitors don’t, providing true benefits to your customers?

Bredemarket can help with strategy, analysis, content, and/or proposals for your identity/biometric firm. Talk to me (for free).

By the way, here’s MY process (and my services and pricing).

Bredemareket: Services, Process, and Pricing.

Trying to Fly Without REAL ID: Today’s Phrase is “Orbital Blowout Fracture”

Don’t get violent at a Transportation Security Administration (TSA) checkpoint. If you do, you may not fly anywhere…or drive or walk anywhere either.

Here’s the story of a man named Idress Vinay Solomon who was preparing to board a Southwest Airlines flight from Dallas’ Love Field to Oakland on March 10. Somehow Mr. Solomon missed the memo that you need a REAL ID or equivalent to board a plane. Something that has been discussed for decades, since passage of the Real ID Act of 2005.

But as readers of the Bredemarket blog know, despite years of declarations that you must have a REAL ID to fly, you don’t need one. The TSA launched ConfirmID this year, an alternate identity confirmation service for those who don’t have approved identity documentation. You pay $45, and TSA confirms your identity via other methods.

Or tries to.

In Solomon’s case, ConfirmID didn’t work either.

Solomon was not happy.

“[T]he Oakland resident allegedly started reacting aggressively and attacked the officers present. During this incident, he punched a [Dallas Police Department] officer multiple times, resulting in the officer suffering an “orbital blowout fracture” in his left eye.”

For those of us who aren’t health professionals, the Cleveland Clinic explains what an orbital blowout fracture is.

“A blowout fracture is the most common type of orbital fracture. This fracture is a break along the floor or thin inner wall of your eye socket. Getting hit in the eye with something like a fist or a baseball most often causes blowout fractures.”

The Cleveland Clinic does not indicate whether iris identification is affected by blunt force trauma.

But let’s return to “Love” Field.

The police officer was hospitalized, and Solomon remains in custody. If convicted, he could face up to 20 years in federal prison, as confirmed by the Department of Justice.

“Violent conduct perpetrated against TSA and law enforcement officers will never be tolerated in the Northern District of Texas,” said U.S. Attorney Ryan Raybould. “We will prosecute such offenses to the fullest extent to seek justice for the victims here and to deter others from resorting to aggressive attacks against officers responsible for ensuring the public’s safety while traveling.”

Just get the REAL ID, folks.

TSA ConfirmID is NOT $18

Remember when people were told that REAL ID would be mandatory? Beginning on whatever date REAL ID became mandatory…it became mandatory. If you didn’t have REAL ID, or another acceptable form of identification (AFOID), you weren’t getting on that plane. (Among other things.)

Well, that was a lie.

As I noted in December, the Transportation Security Administration was officially allowing an alternative acceptable form of identification (AAFOID???). An item ran in the Federal Register with this text:

“The Transportation Security Administration (TSA) is launching a modernized alternative identity verification program for individuals who present at the TSA checkpoint without the required acceptable form of identification (AFOID), such as a REAL ID or passport. This modernized program provides an alternative that may allow these individuals to gain access to the sterile area of an airport if TSA is able to establish their identity.”

But there was going to be a fee.

“To address the government-incurred costs, individuals who choose to use TSA’s modernized alternative identity verification program will be required to pay an $18 fee.”

Well, that was a lie. (Yes, “Lyin’ Eyes” is still on my mind.)

Here’s a quote from TSA’s February 5 press release:

“Passengers without REAL IDs or other acceptable forms of identification have the option to use TSA ConfirmID by paying a $45 fee for a 10-day travel period.”

For those who are math-challenged, $45 is over twice as much as $18.

TSA’s hope of course is that if the law won’t force you to get a REAL ID, money will.

On DOJ/DoD/DHS ABIS Interoperability

The image at the top of this post was taken from the NIST website and is a from an interoperability slide in a 2016 FBI presentation. Although the reference to “IAFIS” suggests that the image was created long before 2016. No NGI, and no HART either.

Because—while this may make some uncomfortable—biometric interoperability between the Departments of Defense, Homeland Security, and Justice is critically important.

For years after 9/11, the (then) systems from the three Departments were NOT interoperable.

Which made it difficult to identify if a military person or citizenship applicant was a criminal.

Today, while the three current systems use three different data interchange standards (based upon work by NIST), they CAN talk to each other.

We just have to ensure that the interoperability is legal and proper.

Visa Overstays and Biometric Exit

Two facts about Nawaf al-Hazmi:

He’s dead. al-Hazmi died at the Pentagon on September 11, 2001 afterr hijacking a plane.
He had overstayed his visa. al-Hazmi’s visa expired in January 2001.

This fact, and other irregularities in the visas and passports of the 9/11 hijackers, directly led to the mandate that the U.S. implement biometric exit…which has been delayed more often than REAL ID.

In theory, enforcement of visa expirations with biometric exit is simple.

If you can tell who has entered a country and who has left a country, then you can identify people who have NOT left the country, but whose visas have expired.
And you can tell entries and exits via biometrics, as long as a person’s biometrics are acquired through the passport and/or visa process.

So if biometric exit had existed in January 2001, then a (theoretically) quick check could show that al-Hazmi had NOT left the United States and was still here on an expired visa. He could have been kicked out of the country and barred from returning, and therefore wouldn’t be on a plane on September 11.

The only problem is that EVERYONE needs to be processed when leaving the country for the system to work. At a minimum, anyone who cannot prove U.S. citizenship would have to have their biometrics captured. Or just make it easy and capture everyone’s biometrics as they leave the United States.

Some express the belief that current biometric exit practices exceed the mandate:

“The coalition—led by the Electronic Frontier Foundation, the American Civil Liberties Union and the Canadian-U.S. cross-border group OpenMedia—contends that capturing images of lawful permanent residents exceeds DHS’s statutory mandate and creates a de-facto travel dossier vulnerable to data breaches.”

Back in 2017, it was alleged that pilot programs even captured biometric exit data for U.S. citizens.

Concerns about overreach fall into two categories:

That the captured data would be used for things other than visa overstays.
That the captured data could be hacked, exposing the travelers’ personally identifiable information.

So the theory of tracking people as they enter and leave a country can get messy when put into practice.

I know.

Notice ID 70RDA126RFI000003: WIRED Overstates the Case

Remember my February 16 post “Notice ID 70RDA126RFI000003: Yes, It’s an RFI, But That May Be a HUGE Multi-Biometric Matching System”? Note that I used the words “RFI” and “May,” because it’s not a done deal.

When Biometric Update reported on this same RFI, it used similar qualifiers such as “If DHS proceeds to a formal solicitation.”

WIRED? Not so restrained.

“THE DEPARTMENT OF Homeland Security is moving to consolidate its face recognition and other biometric technologies into a single system capable of comparing faces, fingerprints, iris scans, and other identifiers collected across its enforcement agencies, according to records reviewed by WIRED.”

But those very “records reviewed by WIRED” include this statement:

“This RFI is for planning purposes only and shall not be construed as an obligation on the part of the Government. This is NOT a Request for Quotations or Proposals. No solicitation document exists, and a formal solicitation may or may not be issued by the Government as a result of the responses received to this RFI.”

And even if this actually WAS a true procurement…HART was originally announced during the Obama administration in 2016. Ten years later, it still hasn’t happened.

Identity Document Validation is a Toxic Dumpster Fire

I may have misjudged Biometric Update.

Most technology publications, with the notable exception of IPVM, are at least partially funded by the companies they cover. Therefore there’s an unavoidable tension between keeping the advertisers happy and casting a critical eye on the industry.

I accept this tension because it applies to Bredemarket itself. Although my clients are absolutely wonderful, there may emerge a future situation where they may be less than perfect. So naturally I have to watch my tongue.

As does Biometric Update.

Remember when IDloop asserted it offered “the world’s first FBI-certified 3D contactless fingerprint scanner,” and Biometric Update reported the claim with no comment? I said at the time:

“Biometric Update reports news as reported, and I don’t think it’s Biometric Update’s purpose to poke holes in vendor claims.”

But then Biometric Update ran a more recent story.

They said that?

Bear in mind that Biometric Update’s advertisers include vendors who offer identity document validation solutions: either their own, or from a third party.

And Biometric Update’s recent story basically said that these solutions are a toxic dumpster fire.

OK, not in those words. Biometric Update is Canadian owned, and if the publication used the words “toxic dumpster fire” it would never stop apologizing.

But the true title is eye-catching in context:

“DHS RIVR results suggest most ID document validation disastrously ineffective”

Not just ineffective, DISASTROUSLY ineffective. Ouch.

For those not up in their acronyms, the Department of Homeland Security’s (DHS) latest annual round of tests was called the Remote Identity Validation Rally (RIVR).

DHS set performance goals for the submitted entries and publicized the (anonymous) results.

“Four of the seven subsystems tested met the goal for system error rate. Four did not meet the threshold for FRR, and five fell short in FAR. In other words, most systems let too few legitimate IDs through, even more passed too many fraudulent IDs, and six of seven fell short on one or both sides of the assessment.”

Biometric Update didn’t reveal the…um…identity of the one vendor that performed acceptably. But that vendor may self-reveal soon enough.

On anonymity

Why do testing entities sometimes allow participants to remain anonymous?

Because they want participants.

Some biometric tests are NOT designed to identify the best algorithms, but are instead designed to view the state of the industry. And that’s what this test performed with document validation.

Presumably a future test—POND, or Performance Of Notable Documents—will measure the future state-of-the-art of identity document validation.

Hopefully the results won’t be disastrous.

Notice ID 70RDA126RFI000003: Yes, It’s an RFI, But That May Be a HUGE Multi-Biometric Matching System

An interesting Request for Information (Notice ID 70RDA126RFI000003) for a multi-biometric matching system was posted on SAM.gov on Friday, and it’s turning some heads. But is YOUR organization reading an RFI that is turning YOUR heads?

Bear in mind that this is a Request for INFORMATION, not a Request for PROPOSAL. And this is made clear in the document:

“This RFI is for planning purposes only and shall not be construed as an obligation on the part of the Government. This is NOT a Request for Quotations or Proposals. No solicitation document exists, and a formal solicitation may or may not be issued by the Government as a result of the responses received to this RFI.”

Forget the technical requirements…look at the BUSINESS requirements

Now I could get into the…um…minutiae of the request for information about a biometric matching system, the requirements for everything from presentation attack detection to on-premise/hybrid/cloud deployments, and a host of other things.

But in this case, the business requirements outweigh the technical requirements…by a LONG shot.

“The Department of Homeland Security (DHS) is seeking an enterprise-wide, scalable, and secure biometric matching software solution to support mission-critical identity verification, vetting, and investigative operations across all DHS Components, including CBP, ICE, TSA, USCIS, USSS, and Headquarters. The contractor will provide a DHS-wide enterprise license for multi-modal biometric matching software, along with all associated services, integration support, maintenance, and technical assistance necessary for full operational deployment.”

And in the next section:

“DHS is looking to acquire an enterprise-wide biometric matching software solution, including all licenses, services, and technical support necessary to enable seamless integration with all DHS biometric systems.”

Matching for ALL DHS components, and integration with ALL DHS biometric systems. This could just be a teeny system for limited operations…or it could be a super system. Since they’re asking about scalability, potential respondents should probably assume the latter.

So we’re talking loads of money.

Of course it could be scaled way down when or if a final RFP comes along. And maybe the vast expanse of the RFI is merely designed to get system integrators to drool.

But where does this leave the IDENT/HART battles?

What about YOUR RFI (and RFP) responses?

Incidentally, Bredemarket offers proposal services to assist identity/biometric vendors in RFI and RFP responses such as this one. Over the years my proposals have won over $50 million in business. Presumably the respondents to this RFI have full proposal staffs (or maybe not), but if YOUR organization requires RFI and RFP assistance, schedule a meeting with Bredemarket.

Bredemarket services, process, and pricing.

(2/17/2026: See Anthony Kimery’s assessment of the RFI here.)

The United States’ 16 Critical Infrastructure Sectors

I was working with these sectors back when I was at MorphoTrak.

“There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof. Presidential Policy Directive 21 (PPD-21): Critical Infrastructure Security and Resilience advances a national policy to strengthen and maintain secure, functioning, and resilient critical infrastructure. This directive supersedes Homeland Security Presidential Directive 7.”

The sectors are:

See:

https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors

https://www.cisa.gov/resources-tools/resources/presidential-policy-directive-ppd-21-critical-infrastructure-security-and

Water is (literally) critical and needs to smarten up

Government Anti-Fraud Efforts: They’re Still Siloed

When the United States was attacked on September 11, 2001—an attack that caused NATO to invoke Article 5, but I digress—Congress and the President decided that the proper response was to reorganize the government and place homeland security efforts under a single Cabinet secretary. While we may question the practical wisdom of that move, the intent was to ensure that the U.S. Government mounted a coordinated response to that specific threat.

Today Americans face the threat of fraud. Granted it isn’t as showy as burning buildings, but fraud clearly impacts many if not most of us. My financial identity has been compromised multiple times in the last several years, and yours probably has also.

But don’t expect Congress and the President to create a single Department of Anti-Fraud any time soon.

Stop Identity Fraud and Identity Theft Bill

As Biometric Update reported, Congresspeople Bill Foster (D-IL) and Pete Sessions (R-TX) recently introduced H.R. 7270, “To establish a government-wide approach to stopping identity fraud and theft in the financial services industry, and for other purposes.”

Because this is government-wide and necessarily complex, the bill will be referred to at least THREE House Committees:

“Referred to the Committee on Oversight and Government Reform, and in addition to the Committees on Financial Services, and Energy and Commerce, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.”

Why? As I type this the bill text is not available at congress.gov, but Foster’s press release links to a preliminary (un-numbered) copy of the bill. Here are some excerpts:

“9 (9) The National Institute of Standards and
10 Technology (NIST) was directed in the CHIPS and
11 Science Act of 2022 to launch new work to develop
12 a framework of common definitions and voluntary
13 guidance for digital identity management systems,
14 including identity and attribute validation services
15 provided by Federal, State, and local governments,
16 and work is underway at NIST to create this guid
17 ance. However, State and local agencies lack re
18 sources to implement this new guidance, and if this
19 does not change, it will take decades to harden defi
20 ciencies in identity infrastructure.”

Even in the preamble the bill mentions NIST, part of the U.S. Department of Commerce, and the individual states, after mentioning the U.S. Department of the Treasury (FinCEN) earlier in the bill.

But let’s get to the meat of the bill:

“3 SEC. 3. IDENTITY FRAUD PREVENTION INNOVATION
4 GRANTS.
5 (a) IN GENERAL.—The Secretary of the Treasury
6 shall, not later than 1 year after the date of the enactment
7 of this section, establish a grant program to provide iden
8 tity fraud prevention innovation grants to States.”

The specifics:

The states can use the grants to develop mobile driver’s licenses “and other identity credentials.”
They can also use the grants to protect individuals from deepfake attacks.
Another purpose is to develop “interoperable solutions.”
A fourth is to replace vulnerable legacy systems.
The final uses are to make sure the federal government gets its money, because that’s the important thing to Congress.

But there are some limitations in how the funds are spent.

They can’t be used to require mDLs or eliminate physical driver’s licenses.
They can’t be used to “support the issuance of drivers licenses or
identity credentials to unauthorized immigrants.” (I could go off on a complete tangent here, but for now I’ll just say that this prevents a STATE from issuing such an identity credential.)

The bill is completely silent on REAL ID, therefore not mandating that everyone HAS to get a REAL ID.

And everything else

So although the bill claims to implement a government-wide solution, the only legislative changes to the federal government involve a single department, Treasury.

But Treasury (FinCEN plus IRS) and the tangentially-mentioned Commerce (NIST) aren’t the only Cabinet departments and independent agencies involved in anti-fraud efforts. Others include:

The Department of Justice, through the Federal Bureau of Investigation and the new Division for National Fraud Enforcement.
The Department of Homeland Security, through the Secret Service and every enforcement agency that checks identities at U.S. borders and other locations.
The Federal Trade Commission (FTC).
The Social Security Admistration. Not that SSNs are a national ID…but they de facto are.
The U.S. Postal Inspection Service.
The Consumer Financial Protection Bureau.

These agencies are not ignored, but are funded under mandates separate from H.R. 7270. Or maybe not; there’s an effort to move Consumer Financial Protection Bureau work to the Department of Justice so that the CFPB can be shut down.

And that’s just one example of how anti-fraud efforts are siloed. Much of this is unavoidable in our governmental system (regardless of political parties), in which states and federal government agencies constantly war against each other.

What happens, for example, if the Secret Service decides that the states (funded by Treasury) or the FBI (part of Justice) are impeding its anti-fraud efforts?
Or if someone complains about NIST listing evil Commie Chinese facial recognition algorithms that COULD fight fraud?

Despite what Biometric Update and the Congresspeople say, we do NOT have a government-wide anti-fraud solution.

(And yes, I know that the Capitol is not north of the Washington Monument…yet.)