Tag Archives: department of homeland security

Enhanced Driver’s License (EDL) vs. REAL ID

Unlike a REAL ID, which merely proves lawful presence in the United States, an Enhanced Driver’s License (EDL) also proves citizenship.

The catch? Only certain states bordering Canada offer them.

Originally developed for both U.S. and Canadian use as part of the Western Hemisphere Travel Initiative, as of May 2025 EDLs are only offered by the states of Michigan, Minnesota, New York, Vermont, and Washington. California considered issuing EDLs, but rejected the idea because of privacy concerns surrounding the underlying RFID technology.

No Canadian province offers EDLs any more. The last province, Manitoba, discontinued them in 2022.

Leonardo Garcia Venegas is a U.S. Citizen…but REAL ID Holders Don’t Have to Be

The Parnas Perspective offered its take on Garcia’s story. From Parnas’ post:

“Authorities allegedly dismissed the ID as fake and used force to detain him, with bystanders shouting that he was a citizen.”

Also listen to the accompanying video (which states that Garcia was born in Florida), and see my prior post.

Non-citizen REAL IDs? Sure.

One important clarification: non-citizens CAN obtain a REAL ID…provided that they are lawfully in the country and hold certain documents.

Here are California’s non-citizen REAL ID requirements, which are federally acceptable:

“This includes all U.S. citizens, permanent residents who are not U.S. citizens (Green Card holders), and those with temporary legal status, such as recipients of Deferred Action for Childhood Arrivals (DACA) or Temporary Protected Status (TPS) and holders of a valid student or employment visa. For Californians with temporary legal status, their REAL ID DL/ID card will expire on the same date as their U.S. legal presence document, and they can receive a new card with a documented extension of their legal status.”

(Imagen 4)

Leonardo Don’t Lose That Number

You know that I’ve railed against solely relying on knowledge-based authentication: for example, by relying on a person’s knowledge of a name and a birthdate to gain access to protected health information.

What when knowledge-based authentication receives HIGHER trust than other proofs of identity?

There is a story about Leonardo Garcia Venegas, who was working in Foley, Alabama. Apparently he was caught up in an immigration raid. So Garcia, who is a U.S. citizen, did the intelligent thing: he brought out his REAL ID, a document that can only be issued to someone after they prove they are a U.S. citizen.

Except…

“Garcia told Noticias Telemundo that authorities took his ID from his wallet and told him it was fake before handcuffing him.”

So how did he finally get released?

“Garcia said he was released from the vehicle where he was held after he gave the arresting officials his Social Security number, which showed he is a U.S. citizen.”

So apparently having a REAL ID counts for nothing, while being able to rattle off a Social Security Number counts as proof?

Frequent fliers and voters take note.

(Imagen 4)

Employ Security (6/7)

This is the sixth of seven vendor suggestions I made in my Biometric Update guest post.

“Employ comprehensive security measures. Ensure protection for the data on your systems, your customer systems, and the systems integrated with those systems. Employ third-party risk management (TPRM) to minimize the risk when biometric data is stored with cloud providers, application partners, and companies in the supply chain.”

If you don’t already know this, whenever you read a Bredemarket-authored article, always click the links. This includes the articles I write for others…such as Biometric Update. If you clicked a particular link at the end of my guest post, you found out which third party behaved badly with Customs and Border Protection (CBP) data:

“Facial images of travelers and license plate data have been stolen from a U.S. Customs and Border Protection (CBP) subcontractor….While the agency did not identify the subcontractor to the Post, it did provide a statement titled “CBP Perceptics Public Statement.”…Perceptics was hacked in May, and The Register reported thousands of files…were available on the dark web.”

As I concluded my guest post,

“Do not let this happen to your business.”

But here’s a positive example:

“ID.me will transfer your Biometric Information to our third party partners only when required by a subpoena, warrant, or other court ordered legal action.”

(Imagen 3)

TSA PreCheck at Staples Via CLEAR (and IDEMIA)

I was wandering around my local (Upland, California) Staples on a Saturday afternoon. If I had arrived on a weekday, I could have applied for TSA PreCheck.

Only weekday hours, at least at the Staples on Mountain in Upland.

(No, I didn’t apply for TSA PreCheck in 2017 when MorphoTrak became part of MorphoTrust  (when IDEMIA was formed) and I became eligible for a corporate discount. I didn’t predict a pandemic. Oops.)

Now that IDEMIA is not the only game in town for TSA PreCheck, the competitors are trying to grab market share. Thus the alliance between CLEAR (and IDEMIA) and Staples.

Start at the kiosk.

It appears that you start enrollment at the kiosk, and then complete the process with a “Staples Travel Specialist.”

Incidentally, this Staples is in the same shopping center as an IDEMIA IdentoGO location.

Revisiting Amazon Rekognition, May 2025

(Part of the biometric product marketing expert series)

A recent story about Meta face licensing changes caused me to get reflective.

“This openness to facial recognition could signal a turning point that could affect the biometric industry. 

“The so-called “big” biometric players such as IDEMIA, NEC, and Thales are teeny tiny compared to companies like Meta, Alphabet, and Amazon. If the big tech players ever consented to enter the law enforcement and surveillance market in a big way, they could put IDEMIA, NEC, and Thales out of business. 

“However, wholesale entry into law enforcement/surveillance could damage their consumer business, so the big tech companies have intentionally refused to get involved – or if they have gotten involved, they have kept their involvement a deep dark secret.”

Then I thought about the “Really Big Bunch” product that offered the greatest threat to the “Big 3” (IDEMIA, NEC, and Thales)—Amazon Rekognition, which directly competed in Washington County, Oregon until Amazon imposed a one-year moratorium on police use of facial recognition in June 2020. The moratorium was subsequently extended until further notice.

I last looked at Rekognition in June 2024, when Amazon teamed up with HID Global and may have teamed up with the FBI.

So what’s going on now?

Hard to say. I have been unable to find any newly announced Amazon Rekognition law enforcement customers.

That doesn’t mean that nothing is happening. Perhaps the government buyers are keeping their mouths shut.

Plus, there is this page, “Use cases that involve public safety.”

Nothing controversial on the page itself:

  • “Have appropriately trained humans review all decisions to take action that might impact a person’s civil liberties or equivalent human rights.”
  • “Train personnel on responsible use of facial recognition systems.”
  • “Provide public disclosures of your use of facial recognition systems.”
  • “In all cases, facial comparison matches should be viewed in the context of other compelling evidence, and shouldn’t be used as the sole determinant for taking action.” (In other words, INVESTIGATIVE LEAD only.)

Nothing controversial at all, and I am…um…99% certain (geddit?) that IDEMIA, NEC, and Thales would endorse all these points.

But why does Amazon even need such a page, if Rekognition is only used to find missing children?

Maybe this is a pre-June 2020 page that Amazon forgot to take down.

Or maybe not.

Couple this with the news about Meta, and there’s the possibility that the Really Big Bunch may enter the markets currently dominated by the Big Three.

Imagine if the DHS HART system, delayed for years, were resurrected…with Alphabet or Amazon or Meta technology.

We are still in the time of uncertainty…and may never go back.

(Large and small wildebeests via Imagen 3)

Proposals and “Weasel Words”

Have you ever used the phrase “weasel word”? Here’s how Merriam-Webster defines it:

“a word used in order to evade or retreat from a direct or forthright statement or position”

I don’t know how weasels became the subject of a negative phrase like this, but here we are.

I learned the phrase “weasel word” when I started working in proposals. I’ve been writing proposals for nearly 15 years, and I’ve run into many cases where I don’t comply with the written word of a mandatory requirement, and I end up having to…evade or retreat.

I’ve adopted my share of favorite weasel words over the years. I’m not going to give away any of my secrets in this public forum, but you’ve probably heard me rant about the government weasel wording regarding REAL ID “enforcement”:

“This rule ensures that Federal agencies have appropriate flexibility to implement the card-based enforcement provisions of the REAL ID regulations after the May 7, 2025, enforcement deadline by explicitly permitting agencies to implement these provisions in phases….The rule also requires agencies to coordinate their plans with DHS, make the plans publicly available, and achieve full enforcement by May 5, 2027.”

As I have ranted repeatedly, the REAL ID enforcement DEADLINE is May 7, 2025, but FULL enforcement will be achieved by May 5, 2027. There are enough weasel words to distract from the fact that full enforcement is not taking place on May 7, 2025.

“Flexibility,” “implement in phases”…I’m taking notes. The next time I respond to a DHS RFI, I may use some of these.

Because Bredemarket does respond to Requests for Information, Requests for Proposal, and similar documents. One of Bredemarket’s clients recently received an award, with possible lucrative add-on work in the future.

Does your identity/biometric or technology conpany want the government to give you money? I can help. Talk to me: https://bredemarket.com/cpa/

Bredemarket’s “CPA.” The P stands for Proposal.

(Weasel picture Keven Law • CC BY-SA 2.0; https://commons.wikimedia.org/wiki/File:Mustela_nivalis_-British_Wildlife_Centre-4.jpg)

This is What REAL ID “Enforcement” Looks Like: Not Compelling at All

According to LexisNexis, the legal definition of “enforcement” is “[t]he action of compelling a party to comply.”

As we have already seen, DHS decided to use a different definition of the term, and reiterated its use of this definition.

What does enforcement mean at JFK, LaGuardia, and Newark as of May 8?

“Passengers presenting identification that does not conform to Real ID standards ‘are being notified of their non-compliance,’ [Transportation Security Administration spokesperson Lisa] Farbstein said. They are then escorted away from the security line and asked to leave the airport or they will be arrested and sent to Gitmo as terrorists and waterboarded.”

Whoops, I appear to have made a typo and misquoted North Jersey. Here is what is ACTUALLY happening:

“Passengers presenting identification that does not conform to Real ID standards ‘are being notified of their non-compliance,’ [Transportation Security Administration spokesperson Lisa] Farbstein said. They may then be directed to a separate area for additional screening.”

That ain’t “compelling” at all. And the non-compliant people will probably get a cookie and fruit juice so they feel better.

Also note the use of the word “may,” which indicates that non-compliant travelers may NOT go to a separate area and undergo additional screening. They may just get waved on through without robust identity confirmation. And still get the cookie and fruit juice.

I will admit that this is probably unavoidable. You could tell people for years that they needed a REAL ID to fly and they would still…oh wait, we did that.

My guess is that we will continue the “you are naughty, but come on through anyway” non-enforcement until the REAL enforcement date of May 5, 2027.

Subject to extension….again.

Unless someone without a REAL ID slips through and does bad things. Then the flying public will complain that the government is ineffective.

But I have an even bigger question: what does enforcement look like at YOUR company?

(Imagen 3)

As We Predicted, REAL ID Won’t Be Fully Enforced

So much for my 15 seconds of fame with my Biometric Update guest post. Let’s move on to more important things.

Like the (finally!) enforcement of REAL ID at midnight EDT Wednesday May 7.

Not really.

We already knew that REAL ID enforcement wouldn’t be fully enforced.

“This rule ensures that Federal agencies have appropriate flexibility to implement the card-based enforcement provisions of the REAL ID regulations after the May 7, 2025, enforcement deadline by explicitly permitting agencies to implement these provisions in phases….The rule also requires agencies to coordinate their plans with DHS, make the plans publicly available, and achieve full enforcement by May 5, 2027.”

And Secretary of Homeland Security Kristi Noem just confirmed this.

“’If it’s not compliant, they may be diverted to a different line, have an extra step, but people will be allowed to fly,’ Noem said at a U.S. House hearing on Tuesday. ‘This is a security issue.’”

So when WILL it be enforced? Memorial Day? Thanksgiving? May 5, 2027? Ever?

Of course, it’s not going to be easy for those without a passport, REAL ID, or other acceptable form of identification. They will undergo a little investigation, humiliation, and if they cross their fingers rehabilitation.

(Imagen 3)

Driver’s License Data and Third Party Risk Management

It gets real tomorrow, with the enforcement date (sort of) for REAL ID at federal installations and airports. But what about the privacy of the data behind REAL IDs?

Bela Kumar of Jumio Corporation was recently interviewed by CNBC for an article about REAL ID and the data sharing behind it.

As can be expected, some people are very concerned about what this means.

“[C]oncerns persist among privacy professionals that the next step will be a federal database of driver’s license information, which is bad from a privacy and cybersecurity standpoint, said Jay Stanley, a senior policy analyst with the American Civil Liberties Union.

“‘The more information the government has, the more the government might use that information,’ said Jodi Daniels, founder and chief executive of Red Clover Advisors, a privacy consulting company. ‘But that’s not what’s happening now,’ she added.”

Kumar addressed what IS happening now, and whether our personally identifiable information (PII) is protected.

“States have been issuing driver’s licenses for many years, and personal information is already being stored. The expectation is that the same controls apply to Real ID, said Bala Kumar, chief product and technology officer at Jumio, an online mobile payment and identity verification company. ‘States have already been managing this for many years,’ Kumar said.”

If you continue to read the article, you’ll also see a statement from the American Association of Motor Vehicle Administrators that echoes what Jumio said.

But as a former IDEMIA employee, my curiosity was piqued.

Has anyone ever gained unauthorized access to a state driver’s license database?

So I checked, and could not find an example of unauthorized access to a state driver’s license database.

But I DID find an example of unauthorized access to driver’s license DATA that was processed by a third party. The State of Louisiana issued a notice that included the following:

“On May 31, 2023, Progress Software Corporation, which developed and supports the MOVEIt managed file transfer platform, notified all customers across the globe, including [Louisiana Office of Motor Vehicles], of a zero-day vulnerability that an unauthorized party leveraged to access and acquire data without authorization. Upon learning of the incident, immediate measures were taken to secure the MOVEIt environment utilized to transfer files. A thorough investigation was conducted, and it was determined that there was unauthorized acquisition of and access to OMV files in the MOVEIt environment….

“The information varied by individual but included name and one or more of the following: address, date of birth, Social Security number, driver’s license, learner’s permit, or identification card number, height, eye color, vehicle registration information, and handicap placard information.”

Well, at least the hacked data didn’t include weight. Or claimed weight.

Cybersecurity professionals know that you cannot completely prevent these hacks. Which explains the “risk” in third party risk management. Progress Software has been around for a long time; I worked with Progress Software BEFORE I began my biometric career. But these hacks (in this case, CVE-2023-34362 as documented by CISA) can happen to anyone.

Be cautious, and remember that others with good intentions might not be cautious enough.