“[R]equire the state to verify proof of citizenship when a person registers to vote.”
Require voters to “provide identifications at the polls.”
“Those who vote through mail-in ballots would have to give the last four digits of a government-issued ID such as a Social Security number.”
Let’s go through these…backwards.
Mail-in ballots
The third proposal about authenticating mail-in ballots is silly.
The mere fact that someone knows the last four digits of a Social Security Number does NOT prove that the person is the valid holder of the Social Security Number in question.
Which brings us to the second proposal about requiring a government ID for in-person voting.
I’ve already addressed why this is silly. The short version? Election precinct workers have neither the equipment nor the training to tell whether a government ID is real or fake.
That only leaves the first one, proving citizenship at voter registration. This one is technically feasible; the feds do it all the time. The California Secretary of State could merely adapt the federal I-9 process to the state level; I’m sure Janice Kephart and her company ZipID would love to help the state with that.
Especially since the requirement for election integrity dictates that all of California’s existing voters would need to re-register to prove their citizenship.
All 22+ million of them.
Because if you DO NOT require all California voters to re-register, the whole exercise is pointless.
I recently cited my 30 years of experience in selling to governments by using the acronym B2G (business to government). This confused the person I was talking to, who had heard of B2B (business to business) but not B2G.
By the same token, you have KYB (know your business) and KYG (know your government).
Two recent incidents in Southern California indicate that some of us are pretty bad at KYG.
El Pendón Estrellado
In case you haven’t been paying attention to the news, a lot of people in Southern California and elsewhere are talking about a portion of the Department of Homeland Security called Immigration and Customs Enforcement (ICE).
I won’t get into the details about why people are paying attention to ICE right now, but let’s just say that when ICE shows up, a crowd gathers.
And that’s what happened at Dodger Stadium this morning when some white vans showed up at the Dodger Stadium parking lot. The Dodgers stated that ICE agents came to Dodger Stadium and that the Dodgers denied them access.
Except that it apparently wasn’t ICE, but Customs and Border Protection, another part of the Department of Homeland Security.
“‘This had nothing to do with the Dodgers. CBP vehicles were in the stadium parking lot very briefly, unrelated to any operation or enforcement,’ Assistant Secretary Tricia McLaughlin said in a statement.”
But it isn’t just people in Chavez Ravine that assume that white van equals ICE. Take my county, San Bernardino County. Or as former county resident Frank Zappa put it, San Ber’dino.
[The] department is sending a message to the community following two incidents involving white department vehicles that it says were “targeted” after being mistaken for Immigration and Customs Enforcement units.
“All white vehicles are NOT ICE,” read Thursday’s post on the San Bernardino County Sheriff’s X account….
“We have had two incidents of our sheriff’s department personnel targeted while driving our unmarked units and in one case they were run off the road,” the post reads.
With so many agencies providing law enforcement and homeland security services, it’s understandable that some people could get confused about exactly which agency is at their door. ICE? CBP? The San Bernardino County Sheriff’s Department (SBCSD)?
So if you’re not careful, the white van that you block may not be trying to send people to El Salvador, but instead may be trying to deliver your Amazon shipment.
People can use forged government identities to scare you, rob you, or kill you. How can you protect yourself from fake law enforcement officers, or fake ICE agents? And how can police agencies and ICE protect THEMSELVES from these fakes?
I’ve already shared the story of the person driving around Delaware with flashing lights. Nothing terrible happened in that encounter, but similar impersonation encounters have been more critical.
The visitor, wearing an American flag-adorned baseball cap and a tactical vest with the words “Security Enforcement Agent,” announced the single word “Immigration,” implying that he was from Immigration and Customs Enforcement (ICE).
Several employees fled the scene, but the cashier did not and was immediately zip-tied.
So what happened next?
The so-called ICE agent took $1,000 and was gone 30 seconds later.
Vance Boelter is alleged to have shot Minnesota State Senator John Hoffman and his wife Yvette at their home, then shot and killed State Representative Melissa Hortman and her husband.
In both cases Boelter presented himself as a police officer.
“[C]all 911 from your cell phone. Tell the 911 dispatcher that you are concerned that someone…may not be a police officer.”
Of course a person in a car is generally safer than a person at the front door of a home or business, but in any case you can call 911 and ask for confirmation.
“Do not flee.”
This appears to be sound advice if the person is a real police officer. But if the employees hadn’t fled from the fake ICE officer in Philadelphia, perhaps they would have been robbed also.
“If the dispatcher cannot confirm that you are being [visited] by a police officer, stay on the line with the dispatcher, and ask for police assistance.”
Wise to get the real cops on the scene.
“Do not provide personal documents – driver’s license, insurance information or other documents – to someone who you suspect of being a police impersonator.”
No need to add identity fraud on top of everything else.
How do you know if it IS ICE?
Unfortunately, telling true ICE agents from fake ones is a little more difficult. Your local 911 dispatcher isn’t going to know if that’s a real ICE agent at your door.
5NBCDFW published some tips for those who receive an email, call, or visit from ICE. In regards to personal visits, the station offered this advice:
“ICE agents carry official badges and credentials. They may have identification cards with their name, photo and the department logo. You can ask them to show you their badge or ID.”
“If they refuse to show their identification, you are under no obligation to open the door.”
This of course is not foolproof, since anyone can print a fake business card (perhaps on their own printer, avoiding a commercial business such as the UPS Store), create a fake ID, or create a fake badge.
Challenges of identifying police officers or ICE agents
It’s a challenging identity problem. Especially since police officers may NOT be required to identify themselves. Uniformed officers are required to identify themselves in California (California Penal Code Section 830.10), but plainclothes officers obviously don’t wear badges, and California identification laws don’t apply in other states.
“Hey,” someone suggests. “Why not create a database of all the police officers and ICE agents so that can immediately prove their authenticity?” Unfortunately, that runs into a huge privacy problem, because what happens when (not if) that database is hacked? Or if the data is intentionally leaked?
(And before you say “not my problem, those people need to be in a database,” what if it WAS your problem? In my case, what if all marketing/writing sole proprietors were required to be in a database managed by the Department of Commerce? You’d be worried if it affected YOU.)
The only way that this will change universally is when the police officers, ICE, and other agencies have to deal with impersonators. For example, if fake ICE agents cause problems for the real ones, then ICE itself will insist on positive identification of real ICE agents.
I am clearly not the Form I-9 expert—see Janice Kephart and her company ZipID for the full understanding. But this introduces why we have the U.S. Form I-9, how it keeps employers and employees within the law, and what it can do to stop North Koreans from robbing companies blind.
Why
Someone can’t just waltz into a U.S. employer and start working. Legally, anyway.
While there are numerous requirements that you have to meet before starting a job, the one that concerns us here is that only certain people are legally authorized to work.
To check this is a two part process:
To check the identity of the person.
To check the employment authorization of the person.
Both are necessary. It does no good to determine that Sam Smith is authorized if Sam Smith is really Kim Jong Spy.
Now you don’t have to be a U.S. citizen to work here. I’ve worked with a number of green card holders from France and other countries. I’ve worked with a number of temporary visa holders in which the visa permits the person to work for pay.
But student visa holders usually can’t work.
And people who are just visiting the country usually can’t work.
And finally, people who slip across the border can’t work.
How
So how do we make sure that people who work here are identified and authorized?
“Use Form I-9, Employment Eligibility Verification, to verify the identity and employment authorization of individuals hired for employment in the United States. All U.S. employers must properly complete Form I-9 for every individual they hire for employment in the United States. This includes citizens and aliens. Both employees and employers (or authorized representatives of the employer) must complete the form.”
The employee starts the ball rolling by proving that they are who they say they are, and that they are authorized to work here. To do this, they provide information and documents, including at least some of the following:
Full name
Address
Date of birth
Social Security Number (not a Taxpayer Identification Number)
U. S. citizenship or immigration status (there are multiple options here, ranging from U.S. citizen to “alien authorized to work”)
Other numbers as necessary, such as a USCIS number
One or more of “List A,” “List B,” and/or “List C” documents
The most powerful of the acceptable documents are List A documents, which prove both identity and employment authorization. A U.S. Passport or a Permanent Resident Card are the most common documents here, but if you have a passport from the Federated States of Micronesia you may still be good to go.
Passport, Federated States of Micronesia. Blagomeni • CC BY-SA 3.0. Source.
If you don’t have a List A document, then you need one List B (identity) and one List C (authorization) document.
List B includes driver’s licenses (REAL ID or no, even Canadian), school ID cards, voter IDs, tribal documents, and others that establish identity in some way.
List C includes Social Security cards, birth certificates, and other authorization documents.
After the employee provides all this and completes Section 1 of Form I-9, the employer checks it and completes Section 2 of the form. The documentation must “reasonably” appear to be genuine.
What
But…if this whole system relies on the employer saying “looks good to me,” how does this keep Kim Jong Spy from illegally working at Palantir and stealing state secrets and American technology?
One, the information and the document checks are worth something. While an employer is unable to truly verify that a driver’s license or a passport is not fraudulent—especially if the remote employee never visits the employer in person—you can bet that USCIS checks all those numbers, and if 10 people use the same Social Security Number they will be flagged.
Two, employers that repeatedly flaunt U.S. employment law can get in trouble. As I detailed in a LinkedIn post, this could include five years of prison time.
So that’s a powerful disincentive for unintentionally or intentionally hiring Kim Jong Spy.
And if the Form I-9 seems like a lot of work, and you wish you could automate it…see ZipID. In addition to everything else, it can compare a live face with the submitted photo ID…because.
The catch? Only certain states bordering Canada offer them.
Originally developed for both U.S. and Canadian use as part of the Western Hemisphere Travel Initiative, as of May 2025 EDLs are only offered by the states of Michigan, Minnesota, New York, Vermont, and Washington. California considered issuing EDLs, but rejected the idea because of privacy concerns surrounding the underlying RFID technology.
The Parnas Perspective offered its take on Garcia’s story. From Parnas’ post:
“Authorities allegedly dismissed the ID as fake and used force to detain him, with bystanders shouting that he was a citizen.”
Also listen to the accompanying video (which states that Garcia was born in Florida), and see my prior post.
Non-citizen REAL IDs? Sure.
One important clarification: non-citizens CAN obtain a REAL ID…provided that they are lawfully in the country and hold certain documents.
Here are California’s non-citizen REAL ID requirements, which are federally acceptable:
“This includes all U.S. citizens, permanent residents who are not U.S. citizens (Green Card holders), and those with temporary legal status, such as recipients of Deferred Action for Childhood Arrivals (DACA) or Temporary Protected Status (TPS) and holders of a valid student or employment visa. For Californians with temporary legal status, their REAL ID DL/ID card will expire on the same date as their U.S. legal presence document, and they can receive a new card with a documented extension of their legal status.”
You know that I’ve railed against solely relying on knowledge-based authentication: for example, by relying on a person’s knowledge of a name and a birthdate to gain access to protected health information.
What when knowledge-based authentication receives HIGHER trust than other proofs of identity?
There is a story about Leonardo Garcia Venegas, who was working in Foley, Alabama. Apparently he was caught up in an immigration raid. So Garcia, who is a U.S. citizen, did the intelligent thing: he brought out his REAL ID, a document that can only be issued to someone after they prove they are a U.S. citizen.
Except…
“Garcia told Noticias Telemundo that authorities took his ID from his wallet and told him it was fake before handcuffing him.”
So how did he finally get released?
“Garcia said he was released from the vehicle where he was held after he gave the arresting officials his Social Security number, which showed he is a U.S. citizen.”
So apparently having a REAL ID counts for nothing, while being able to rattle off a Social Security Number counts as proof?
“Employ comprehensive security measures. Ensure protection for the data on your systems, your customer systems, and the systems integrated with those systems. Employ third-party risk management (TPRM) to minimize the risk when biometric data is stored with cloud providers, application partners, and companies in the supply chain.”
If you don’t already know this, whenever you read a Bredemarket-authored article, always click the links. This includes the articles I write for others…such as Biometric Update. If you clicked a particular link at the end of my guest post, you found out which third party behaved badly with Customs and Border Protection (CBP) data:
“Facial images of travelers and license plate data have been stolen from a U.S. Customs and Border Protection (CBP) subcontractor….While the agency did not identify the subcontractor to the Post, it did provide a statement titled “CBP Perceptics Public Statement.”…Perceptics was hacked in May, and The Register reported thousands of files…were available on the dark web.”
“ID.me will transfer your Biometric Information to our third party partners only when required by a subpoena, warrant, or other court ordered legal action.”
I was wandering around my local (Upland, California) Staples on a Saturday afternoon. If I had arrived on a weekday, I could have applied for TSA PreCheck.
Only weekday hours, at least at the Staples on Mountain in Upland.
(No, I didn’t apply for TSA PreCheck in 2017 when MorphoTrak became part of MorphoTrust (when IDEMIA was formed) and I became eligible for a corporate discount. I didn’t predict a pandemic. Oops.)
“This openness to facial recognition could signal a turning point that could affect the biometric industry.
“The so-called “big” biometric players such as IDEMIA, NEC, and Thales are teeny tiny compared to companies like Meta, Alphabet, and Amazon. If the big tech players ever consented to enter the law enforcement and surveillance market in a big way, they could put IDEMIA, NEC, and Thales out of business.
“However, wholesale entry into law enforcement/surveillance could damage their consumer business, so the big tech companies have intentionally refused to get involved – or if they have gotten involved, they have kept their involvement a deep dark secret.”
Then I thought about the “Really Big Bunch” product that offered the greatest threat to the “Big 3” (IDEMIA, NEC, and Thales)—Amazon Rekognition, which directly competed in Washington County, Oregon until Amazon imposed a one-year moratorium on police use of facial recognition in June 2020. The moratorium was subsequently extended until further notice.
“Have appropriately trained humans review all decisions to take action that might impact a person’s civil liberties or equivalent human rights.”
“Train personnel on responsible use of facial recognition systems.”
“Provide public disclosures of your use of facial recognition systems.”
“In all cases, facial comparison matches should be viewed in the context of other compelling evidence, and shouldn’t be used as the sole determinant for taking action.” (In other words, INVESTIGATIVELEAD only.)
Nothing controversial at all, and I am…um…99% certain (geddit?) that IDEMIA, NEC, and Thales would endorse all these points.
But why does Amazon even need such a page, if Rekognition is only used to find missing children?
Maybe this is a pre-June 2020 page that Amazon forgot to take down.
Or maybe not.
Couple this with the news about Meta, and there’s the possibility that the Really Big Bunch may enter the markets currently dominated by the Big Three.
Imagine if the DHS HART system, delayed for years, were resurrected…with Alphabet or Amazon or Meta technology.
Bredemarket 