Tag Archives: department of homeland security

What is the Form I-9?

I am clearly not the Form I-9 expert—see Janice Kephart and her company ZipID for the full understanding. But this introduces why we have the U.S. Form I-9, how it keeps employers and employees within the law, and what it can do to stop North Koreans from robbing companies blind.

Why

Someone can’t just waltz into a U.S. employer and start working. Legally, anyway.

While there are numerous requirements that you have to meet before starting a job, the one that concerns us here is that only certain people are legally authorized to work.

To check this is a two part process:

  • To check the identity of the person.
  • To check the employment authorization of the person.

Both are necessary. It does no good to determine that Sam Smith is authorized if Sam Smith is really Kim Jong Spy.

Now you don’t have to be a U.S. citizen to work here. I’ve worked with a number of green card holders from France and other countries. I’ve worked with a number of temporary visa holders in which the visa permits the person to work for pay.

But student visa holders usually can’t work.

And people who are just visiting the country usually can’t work.

And finally, people who slip across the border can’t work.

How

So how do we make sure that people who work here are identified and authorized?

Via the completion of the U.S. Citizenship and Immigration Services Form I-9.

“Use Form I-9, Employment Eligibility Verification, to verify the identity and employment authorization of individuals hired for employment in the United States. All U.S. employers must properly complete Form I-9 for every individual they hire for employment in the United States. This includes citizens and aliens. Both employees and employers (or authorized representatives of the employer) must complete the form.”

The employee starts the ball rolling by proving that they are who they say they are, and that they are authorized to work here. To do this, they provide information and documents, including at least some of the following:

  • Full name
  • Address
  • Date of birth
  • Social Security Number (not a Taxpayer Identification Number)
  • U. S. citizenship or immigration status (there are multiple options here, ranging from U.S. citizen to “alien authorized to work”)
  • Other numbers as necessary, such as a USCIS number
  • One or more of “List A,” “List B,” and/or “List C” documents

The most powerful of the acceptable documents are List A documents, which prove both identity and employment authorization. A U.S. Passport or a Permanent Resident Card are the most common documents here, but if you have a passport from the Federated States of Micronesia you may still be good to go.

Passport, Federated States of Micronesia.
Blagomeni • CC BY-SA 3.0. Source.

If you don’t have a List A document, then you need one List B (identity) and one List C (authorization) document.

  • List B includes driver’s licenses (REAL ID or no, even Canadian), school ID cards, voter IDs, tribal documents, and others that establish identity in some way.
  • List C includes Social Security cards, birth certificates, and other authorization documents.

After the employee provides all this and completes Section 1 of Form I-9, the employer checks it and completes Section 2 of the form. The documentation must “reasonably” appear to be genuine. 

What

But…if this whole system relies on the employer saying “looks good to me,” how does this keep Kim Jong Spy from illegally working at Palantir and stealing state secrets and American technology?

One, the information and the document checks are worth something. While an employer is unable to truly verify that a driver’s license or a passport is not fraudulent—especially if the remote employee never visits the employer in person—you can bet that USCIS checks all those numbers, and if 10 people use the same Social Security Number they will be flagged.

Two, employers that repeatedly flaunt U.S. employment law can get in trouble. As I detailed in a LinkedIn post, this could include five years of prison time.

So that’s a powerful disincentive for unintentionally or intentionally hiring Kim Jong Spy.

And if the Form I-9 seems like a lot of work, and you wish you could automate it…see ZipID. In addition to everything else, it can compare a live face with the submitted photo ID…because.

Enhanced Driver’s License (EDL) vs. REAL ID

Unlike a REAL ID, which merely proves lawful presence in the United States, an Enhanced Driver’s License (EDL) also proves citizenship.

The catch? Only certain states bordering Canada offer them.

Originally developed for both U.S. and Canadian use as part of the Western Hemisphere Travel Initiative, as of May 2025 EDLs are only offered by the states of Michigan, Minnesota, New York, Vermont, and Washington. California considered issuing EDLs, but rejected the idea because of privacy concerns surrounding the underlying RFID technology.

No Canadian province offers EDLs any more. The last province, Manitoba, discontinued them in 2022.

Leonardo Garcia Venegas is a U.S. Citizen…but REAL ID Holders Don’t Have to Be

The Parnas Perspective offered its take on Garcia’s story. From Parnas’ post:

“Authorities allegedly dismissed the ID as fake and used force to detain him, with bystanders shouting that he was a citizen.”

Also listen to the accompanying video (which states that Garcia was born in Florida), and see my prior post.

Non-citizen REAL IDs? Sure.

One important clarification: non-citizens CAN obtain a REAL ID…provided that they are lawfully in the country and hold certain documents.

Here are California’s non-citizen REAL ID requirements, which are federally acceptable:

“This includes all U.S. citizens, permanent residents who are not U.S. citizens (Green Card holders), and those with temporary legal status, such as recipients of Deferred Action for Childhood Arrivals (DACA) or Temporary Protected Status (TPS) and holders of a valid student or employment visa. For Californians with temporary legal status, their REAL ID DL/ID card will expire on the same date as their U.S. legal presence document, and they can receive a new card with a documented extension of their legal status.”

(Imagen 4)

Leonardo Don’t Lose That Number

You know that I’ve railed against solely relying on knowledge-based authentication: for example, by relying on a person’s knowledge of a name and a birthdate to gain access to protected health information.

What when knowledge-based authentication receives HIGHER trust than other proofs of identity?

There is a story about Leonardo Garcia Venegas, who was working in Foley, Alabama. Apparently he was caught up in an immigration raid. So Garcia, who is a U.S. citizen, did the intelligent thing: he brought out his REAL ID, a document that can only be issued to someone after they prove they are a U.S. citizen.

Except…

“Garcia told Noticias Telemundo that authorities took his ID from his wallet and told him it was fake before handcuffing him.”

So how did he finally get released?

“Garcia said he was released from the vehicle where he was held after he gave the arresting officials his Social Security number, which showed he is a U.S. citizen.”

So apparently having a REAL ID counts for nothing, while being able to rattle off a Social Security Number counts as proof?

Frequent fliers and voters take note.

(Imagen 4)

Employ Security (6/7)

This is the sixth of seven vendor suggestions I made in my Biometric Update guest post.

“Employ comprehensive security measures. Ensure protection for the data on your systems, your customer systems, and the systems integrated with those systems. Employ third-party risk management (TPRM) to minimize the risk when biometric data is stored with cloud providers, application partners, and companies in the supply chain.”

If you don’t already know this, whenever you read a Bredemarket-authored article, always click the links. This includes the articles I write for others…such as Biometric Update. If you clicked a particular link at the end of my guest post, you found out which third party behaved badly with Customs and Border Protection (CBP) data:

“Facial images of travelers and license plate data have been stolen from a U.S. Customs and Border Protection (CBP) subcontractor….While the agency did not identify the subcontractor to the Post, it did provide a statement titled “CBP Perceptics Public Statement.”…Perceptics was hacked in May, and The Register reported thousands of files…were available on the dark web.”

As I concluded my guest post,

“Do not let this happen to your business.”

But here’s a positive example:

“ID.me will transfer your Biometric Information to our third party partners only when required by a subpoena, warrant, or other court ordered legal action.”

(Imagen 3)

TSA PreCheck at Staples Via CLEAR (and IDEMIA)

I was wandering around my local (Upland, California) Staples on a Saturday afternoon. If I had arrived on a weekday, I could have applied for TSA PreCheck.

Only weekday hours, at least at the Staples on Mountain in Upland.

(No, I didn’t apply for TSA PreCheck in 2017 when MorphoTrak became part of MorphoTrust  (when IDEMIA was formed) and I became eligible for a corporate discount. I didn’t predict a pandemic. Oops.)

Now that IDEMIA is not the only game in town for TSA PreCheck, the competitors are trying to grab market share. Thus the alliance between CLEAR (and IDEMIA) and Staples.

Start at the kiosk.

It appears that you start enrollment at the kiosk, and then complete the process with a “Staples Travel Specialist.”

Incidentally, this Staples is in the same shopping center as an IDEMIA IdentoGO location.

Revisiting Amazon Rekognition, May 2025

(Part of the biometric product marketing expert series)

A recent story about Meta face licensing changes caused me to get reflective.

“This openness to facial recognition could signal a turning point that could affect the biometric industry. 

“The so-called “big” biometric players such as IDEMIA, NEC, and Thales are teeny tiny compared to companies like Meta, Alphabet, and Amazon. If the big tech players ever consented to enter the law enforcement and surveillance market in a big way, they could put IDEMIA, NEC, and Thales out of business. 

“However, wholesale entry into law enforcement/surveillance could damage their consumer business, so the big tech companies have intentionally refused to get involved – or if they have gotten involved, they have kept their involvement a deep dark secret.”

Then I thought about the “Really Big Bunch” product that offered the greatest threat to the “Big 3” (IDEMIA, NEC, and Thales)—Amazon Rekognition, which directly competed in Washington County, Oregon until Amazon imposed a one-year moratorium on police use of facial recognition in June 2020. The moratorium was subsequently extended until further notice.

I last looked at Rekognition in June 2024, when Amazon teamed up with HID Global and may have teamed up with the FBI.

So what’s going on now?

Hard to say. I have been unable to find any newly announced Amazon Rekognition law enforcement customers.

That doesn’t mean that nothing is happening. Perhaps the government buyers are keeping their mouths shut.

Plus, there is this page, “Use cases that involve public safety.”

Nothing controversial on the page itself:

  • “Have appropriately trained humans review all decisions to take action that might impact a person’s civil liberties or equivalent human rights.”
  • “Train personnel on responsible use of facial recognition systems.”
  • “Provide public disclosures of your use of facial recognition systems.”
  • “In all cases, facial comparison matches should be viewed in the context of other compelling evidence, and shouldn’t be used as the sole determinant for taking action.” (In other words, INVESTIGATIVE LEAD only.)

Nothing controversial at all, and I am…um…99% certain (geddit?) that IDEMIA, NEC, and Thales would endorse all these points.

But why does Amazon even need such a page, if Rekognition is only used to find missing children?

Maybe this is a pre-June 2020 page that Amazon forgot to take down.

Or maybe not.

Couple this with the news about Meta, and there’s the possibility that the Really Big Bunch may enter the markets currently dominated by the Big Three.

Imagine if the DHS HART system, delayed for years, were resurrected…with Alphabet or Amazon or Meta technology.

We are still in the time of uncertainty…and may never go back.

(Large and small wildebeests via Imagen 3)

Proposals and “Weasel Words”

Have you ever used the phrase “weasel word”? Here’s how Merriam-Webster defines it:

“a word used in order to evade or retreat from a direct or forthright statement or position”

I don’t know how weasels became the subject of a negative phrase like this, but here we are.

I learned the phrase “weasel word” when I started working in proposals. I’ve been writing proposals for nearly 15 years, and I’ve run into many cases where I don’t comply with the written word of a mandatory requirement, and I end up having to…evade or retreat.

I’ve adopted my share of favorite weasel words over the years. I’m not going to give away any of my secrets in this public forum, but you’ve probably heard me rant about the government weasel wording regarding REAL ID “enforcement”:

“This rule ensures that Federal agencies have appropriate flexibility to implement the card-based enforcement provisions of the REAL ID regulations after the May 7, 2025, enforcement deadline by explicitly permitting agencies to implement these provisions in phases….The rule also requires agencies to coordinate their plans with DHS, make the plans publicly available, and achieve full enforcement by May 5, 2027.”

As I have ranted repeatedly, the REAL ID enforcement DEADLINE is May 7, 2025, but FULL enforcement will be achieved by May 5, 2027. There are enough weasel words to distract from the fact that full enforcement is not taking place on May 7, 2025.

“Flexibility,” “implement in phases”…I’m taking notes. The next time I respond to a DHS RFI, I may use some of these.

Because Bredemarket does respond to Requests for Information, Requests for Proposal, and similar documents. One of Bredemarket’s clients recently received an award, with possible lucrative add-on work in the future.

Does your identity/biometric or technology conpany want the government to give you money? I can help. Talk to me: https://bredemarket.com/cpa/

Bredemarket’s “CPA.” The P stands for Proposal.

(Weasel picture Keven Law • CC BY-SA 2.0; https://commons.wikimedia.org/wiki/File:Mustela_nivalis_-British_Wildlife_Centre-4.jpg)

This is What REAL ID “Enforcement” Looks Like: Not Compelling at All

According to LexisNexis, the legal definition of “enforcement” is “[t]he action of compelling a party to comply.”

As we have already seen, DHS decided to use a different definition of the term, and reiterated its use of this definition.

What does enforcement mean at JFK, LaGuardia, and Newark as of May 8?

“Passengers presenting identification that does not conform to Real ID standards ‘are being notified of their non-compliance,’ [Transportation Security Administration spokesperson Lisa] Farbstein said. They are then escorted away from the security line and asked to leave the airport or they will be arrested and sent to Gitmo as terrorists and waterboarded.”

Whoops, I appear to have made a typo and misquoted North Jersey. Here is what is ACTUALLY happening:

“Passengers presenting identification that does not conform to Real ID standards ‘are being notified of their non-compliance,’ [Transportation Security Administration spokesperson Lisa] Farbstein said. They may then be directed to a separate area for additional screening.”

That ain’t “compelling” at all. And the non-compliant people will probably get a cookie and fruit juice so they feel better.

Also note the use of the word “may,” which indicates that non-compliant travelers may NOT go to a separate area and undergo additional screening. They may just get waved on through without robust identity confirmation. And still get the cookie and fruit juice.

I will admit that this is probably unavoidable. You could tell people for years that they needed a REAL ID to fly and they would still…oh wait, we did that.

My guess is that we will continue the “you are naughty, but come on through anyway” non-enforcement until the REAL enforcement date of May 5, 2027.

Subject to extension….again.

Unless someone without a REAL ID slips through and does bad things. Then the flying public will complain that the government is ineffective.

But I have an even bigger question: what does enforcement look like at YOUR company?

(Imagen 3)

As We Predicted, REAL ID Won’t Be Fully Enforced

So much for my 15 seconds of fame with my Biometric Update guest post. Let’s move on to more important things.

Like the (finally!) enforcement of REAL ID at midnight EDT Wednesday May 7.

Not really.

We already knew that REAL ID enforcement wouldn’t be fully enforced.

“This rule ensures that Federal agencies have appropriate flexibility to implement the card-based enforcement provisions of the REAL ID regulations after the May 7, 2025, enforcement deadline by explicitly permitting agencies to implement these provisions in phases….The rule also requires agencies to coordinate their plans with DHS, make the plans publicly available, and achieve full enforcement by May 5, 2027.”

And Secretary of Homeland Security Kristi Noem just confirmed this.

“’If it’s not compliant, they may be diverted to a different line, have an extra step, but people will be allowed to fly,’ Noem said at a U.S. House hearing on Tuesday. ‘This is a security issue.’”

So when WILL it be enforced? Memorial Day? Thanksgiving? May 5, 2027? Ever?

Of course, it’s not going to be easy for those without a passport, REAL ID, or other acceptable form of identification. They will undergo a little investigation, humiliation, and if they cross their fingers rehabilitation.

(Imagen 3)