When talking about the validity periods for U.S. driver’s licenses (which vary from state to state) in a February 2024 post, Veriff points out one oft-overlooked part of the REAL ID Act:
“If a document bears the typical Real ID star symbol (or some accepted adaptation of it), meaning it is a Real ID-compliant document, it cannot be valid for longer than 8 years (Section 202(d)(10) of the Real ID Act).”
At the time of Veriff’s post, the REAL ID deadline was due for enforcement on May 7, 2025 after numerous delays. Several months later, in September 2024, the Transportation Security Administration started planning to be flexible about that deadline…
I’ve worked with rapid DNA since I was in Proposals at MorphoTrak, when our corporate parent Safran had an agreement with IntegenX (now part of Thermo Fisher Scientific). Rapid DNA, when suitable for use, can process a DNA sample in 90 minutes or less, providing a quick way to process DNA in both criminal and non-criminal cases.
But as I explain below, sometimes rapid DNA isn’t so rapid. In those cases, investigators have to turn to boring biometric technologies such as fingerprints instead. Fingerprints are a much older identification modality, but they still work.
Bredemarket recently purchased access to a Journal of Forensic Sciences article entitled “Advances in postmortem fingerprinting: Applications in disaster victim identification” (https://doi.org/10.1111/1556-4029.15513) by Bryan T. Johnson MSFS of the Federal Bureau of Investigation Laboratory in Quantico. The abstract (which is NOT behind the paywall) states the following, in part:
In disaster victim identification (DVI), fingerprints, DNA, and dental examinations are the three primary methods of identification….As DNA technology continues to evolve, RAPID DNA may now identify a profile within 90 min if the remains are not degraded or comingled. When there are true unknowns, however, there is usually no DNA, dental, or medical records to retrieve for a comparison without a tentative identity.
In the body of the paper itself (which IS behind the paywall), Johnson cites one example in which use of rapid DNA would have DELAYED the process.
DVI depends upon comparison of a DNA sample from a victim with a previous DNA sample taken from the victim. If this is not available, then the victim’s DNA is compared against the DNA of a family member.
Identifying foreign nationals aboard the MV Conception
When the MV Conception boat caught fire and sank in September 2019, 34 people lost their lives and had to be positively identified.
While most of the MV Conception victims were California residents, some victims were from Singapore and India. It would take weeks to collect and transport the DNA samples from the victims’ family members back to the United States for comparison against the DNA samples from the victims. Weeks of uncertainty during which family members had no confirmation that their relatives were among the deceased.
However, because the foreign victims were visitors to the United States, they had fingerprints on file with the Department of Homeland Security. Interagency agreements allowed the investigating agencies to access the DHS fingerprints and compare them against the fingerprints of the foreign victims, providing tentative identifications within three days. (Fingerprint identification is a 100+ year old method, but it works!) These tentative identifications were subsequently confirmed when the familial DNA samples arrived.
What does this mean?
The message here is NOT that “fingerprints rule, DNA drools.” In some cases the investigators could not retrieve fingerprints from the bodies and HAD to use rapid DNA.
The message here is that when identifying people, you should use ANY biometric (or non-biometric) modality that is available: fingerprints, DNA, dental records, driver’s licenses, Radio Shack Battery Club card, or anything else that provides an investigative lead or a positive identification.
Things change. Pangiam, a company that didn’t even exist a few years ago, and that started off by acquiring a one-off project from a local government agency, is now itself a friendly acquisition target (pending stockholder and regulatory approvals).
From MWAA to Pangiam
Back when I worked for IDEMIA and helped to market its border control solutions, one of our competitors for airport business was an airport itself—specifically, the Metropolitan Washington Airports Authority. Rather than buying a biometric exit solution from someone else, the MWAA developed its own, called veriScan.
2021 image from the former airportveriscan website.
ALEXANDRIA, Va., March 19, 2021 /PRNewswire/ — Pangiam, a technology-based security and travel services provider, announced today that it has acquired veriScan, an integrated biometric facial recognition system for airports and airlines, from the Metropolitan Washington Airports Authority (“Airports Authority”). Terms of the transaction were not disclosed.
So what will Pangiam work on next? Where will it expand? What will it acquire?
Nothing.
Enter BigBear.ai
Pangiam itself is now an acquisition target.
COLUMBIA, MD.— November 6, 2023 — BigBear.ai (NYSE: BBAI), a leading provider of AI-enabled business intelligence solutions, today announced a definitive merger agreement to acquire Pangiam Intermediate Holdings, LLC (Pangiam), a leader in Vision AI for the global trade, travel, and digital identity industries, for approximately $70 million in an all-stock transaction. The combined company will create one of the industry’s most comprehensive Vision AI portfolios, combining Pangiam’s facial recognition and advanced biometrics with BigBear.ai’s computer vision capabilities, positioning the company as a foundational leader in one of the fastest growing categories for the application of AI. The proposed acquisition is expected to close in the first quarter of 2024, subject to customary closing conditions, including approval by the holders of a majority of BigBear.ai’s outstanding common shares and receipt of regulatory approval.
Yet another example of how biometrics is now just a minor part of general artificial intelligence efforts. Identify a face or a grenade, it’s all the same.
Anyway, let’s check back in a few months. Because of the technology involved, this proposed acquisition will DEFINITELY merit government review.
At least in the United States, the mobile driver’s license world is fragmented.
Because driver’s license issuance in the U.S. is a state and not a federal responsibility, each state has to develop its own mobile driver’s license implementation. Subject to federal and international standards, of course.
To date there have been two parties helping the states with this:
mDL vendors such as Envoc and IDEMIA, who work with the states to create mDLs.
Operating system vendors such as Apple and Google, who work with the states to incorporate mDLs in smartphone wallets.
But because the Android ecosystem is more fragmented than the iOS ecosystem, we now have a third party that is involved in mDLs. In addition to mDL vendors and operating system vendors, we also have really large smartphone providers.
Samsung Electronics America today announced it is bringing mobile driver’s licenses and state IDs to Samsung Wallet. Arizona and Iowa will be the first states to offer a mobile version of its driver’s license to their residents. The update expands the Samsung Wallet experience by adding a convenient and secure way to use state-issued IDs and driver’s licenses
In this particular case Samsung is working with IDEMIA (the mDL provider for Arizona and Iowa), but Samsung announced that it is working with other states and with the Transportation Security Administration (TSA).
On a personal note, I’m still working on validating my driver’s license for California’s pilot mDL program. It probably didn’t help that I renewed my physical driver’s license right in the middle of the mDL validation process.
MCLEAN, Va., May 2, 2023 /PRNewswire/ — The West Virginia University Research Corporation (WVURC) and Pangiam, a leading trade a travel technology company, announced a new partnership to conduct research and develop new, cutting-edge artificial intelligence, machine learning and computer vision technologies for commercial and government applications.
Pangiam and WVURC will work together to launch Pangiam Bridge, a cutting-edge artificial intelligence driven solution for customs authorities worldwide. Pangiam Bridge will allow customs officials to automate portions of the customs inspection process for baggage and cargo. Jim McLaughlin, Pangiam Chief Technology Officer, said, “we are excited to grow Pangiam’s artificial intelligence work in partnership with West Virginia University and continued development of Pangiam Bridge for customs authorities.”
Pangiam Bridge is obviously not ready for prime time yet; it’s not even mentioned on Pangiam’s Products and Services page, nor is it mentioned anywhere else on Pangiam’s website. The only mention of Pangiam Bridge is in this press release, which isn’t surprising considering that this is a research effort. But if the research holds out, then many of the manual processes used by customs agents may be significantly reduced or eliminated entirely.
Project DARTMOUTH is the collaboration between Pangiam and Google Cloud, named after the 1956 Dartmouth Summer Research Project on Artificial Intelligence. Project DARTMOUTH utilizes AI and pattern analysis technologies to digest and analyze vast amounts of data in real-time and identify potential prohibited items in carry-on baggage, checked baggage, airline cargo and shipments.
Does your firm fight crooks who try to fraudulently use synthetic identities? If so, how do you communicate your solution?
This post explains what synthetic identities are (with examples), tells four ways to detect synthetic identities, and closes by providing an answer to the communication question.
While this post is primarily intended for identity firms who can use Bredemarket’s marketing and writing services, anyone else who is interested in synthetic identities can read along.
What are synthetic identities?
To explain what synthetic identities are, let me start by telling you about Jason Brown.
Jason Brown wasn’t Jason Brown
You may not have heard of him unless you lived in Atlanta, Georgia in 2019 and lived near the apartment he rented.
Jason Brown’s renting of an apartment isn’t all that unusual.
If you were to visit Brown’s apartment in February 2019, you would find credit cards and financial information for Adam M. Lopez and Carlos Rivera.
Now that’s a little unusual, especially since Lopez and Rivera never existed.
For that matter, Jason Brown never existed either.
A Georgia man was sentenced Sept. 1 (2022) to more than seven years in federal prison for participating in a nationwide fraud ring that used stolen social security numbers, including those belonging to children, to create synthetic identities used to open lines of credit, create shell companies, and steal nearly $2 million from financial institutions….
Cato joined conspiracies to defraud banks and illegally possess credit cards. Cato and his co-conspirators created “synthetic identities” by combining false personal information such as fake names and dates of birth with the information of real people, such as their social security numbers. Cato and others then used the synthetic identities and fake ID documents to open bank and credit card accounts at financial institutions. Cato and his co-conspirators used the unlawfully obtained credit cards to fund their lifestyles.
Talking about synthetic identity at Victoria Gardens
Here’s a video that I created on Saturday that describes, at a very high level, how synthetic identities can be used fraudulently. People who live near Rancho Cucamonga, California will recognize the Victoria Gardens shopping center, proof that synthetic identity theft can occur far away from Georgia.
Note that synthetic identity theft different from stealing someone else’s existing identity. In this case, a new identity is created.
So how do you catch these fraudsters?
Catching the identity synthesizers
If you’re renting out an apartment, and Jason Brown shows you his driver’s license and provides his Social Security Number, how can you detect if Brown is a crook? There are four methods to verify that Jason Brown exists, and that he’s the person renting your apartment.
Method One: Private Databases
One way to check Jason Brown’s story is to perform credit checks and other data investigations using financial databases.
Did Jason Brown just spring into existence within the past year, with no earlier credit record? That seems suspicious.
Does Jason Brown’s credit record appear TOO clean? That seems suspicious.
Does Jason Brown share information such as a common social security number with other people? Are any of those other identities also fraudulent? That is DEFINITELY suspicious.
This is one way that many firms detect synthetic identities, and for some firms it is the ONLY way they detect synthetic identities. And these firms have to tell their story to their prospects.
If your firm offers a tool to verify identities via private databases, how do you let your prospects know the benefits of your tool, and why your solution is better than all other solutions?
Method Two: Check That Driver’s License (or other government document)
What about that driver’s license that Brown presented? There are a wide variety of software tools that can check the authenticity of driver’s licenses, passports, and other government-issued documents. Some of these tools existed back in 2019 when “Brown” was renting his apartment, and a number of them exist today.
Maybe your firm has created such a tool, or uses a tool from a third party.
If your firm offers this capability, how can your prospects learn about its benefits, and why your solution excels?
Method Three: Check Government Databases
Checking the authenticity of a government-issued document may not be enough, since the document itself may be legitimate, but the implied credentials may no longer be legitimate. For example, if my California driver’s license expires in 2025, but I move to Minnesota in 2023 and get a new license, my California driver’s license is no longer valid, even though I have it in my possession.
Why not check the database of the Department of Motor Vehicles (or the equivalent in your state) to see if there is still an active driver’s license for that person?
The American Association of Motor Vehicle Administrators (AAMVA) maintains a Driver’s License Data Verification (DLDV) Service in which participating jurisdictions allow other entities to verify the license data for individuals. Your firm may be able to access the DLDV data for selected jurisdictions, providing an extra identity verification tool.
If your firm offers this capability, how can your prospects learn where it is available, what its benefits are, and why it is an important part of your solution?
Method Four: Conduct the “Who You Are” Test
There is one more way to confirm that a person is real, and that is to check the person. Literally.
If someone on a smartphone or videoconference says that they are Jason Brown, how do you know that it’s the real Jason Brown and not Jim Smith, or a previous recording or simulation of Jason Brown?
This is where tools such as facial recognition and liveness detection come to play.
You can ensure that the live face matches any face on record.
You can also confirm that the face is truly a live face.
In addition to these two tests, you can compare the face against the face on the presented driver’s license or passport to offer additional confirmation of true identity.
Now some companies offer facial recognition, others offer liveness detection, others match the live face to a face on a government ID, and many companies offer two or three of these capabilities.
One more time: if your firm offers these capabilities—either your own or someone else’s—what are the benefits of your algorithms? (For example, are they more accurate than competing algorithms? And under what conditions?) And why is your solution better than the others?
This is for the firms who fight synthetic identities
While most of this post is of general interest to anyone dealing with synthetic identities, this part of this post is specifically addressed to identity and biometric firms who provide synthetic identity-fighting solutions.
When you communicate about your solutions, your communicator needs to have certain types of experience.
Industry experience. Perhaps you sell your identity solution to financial institutions, or educational institutions , or a host of other industries (gambling/gaming, healthcare, hospitality, retailers, or sport/concert venues, or others). You need someone with this industry experience.
Solution experience. Perhaps your communications require someone with 29 years of experience in identity, biometrics, and technology marketing, including experience with all five factors of authentication (and verification).
Communication experience. Perhaps you need to effectively communicate with your prospects in a customer focused, benefits-oriented way. (Content that is all about you and your features won’t win business.)
If you haven’t read a Bredemarket blog post before, or even if you have, you may not realize that this post is jam-packed with additional information well beyond the post itself. This post alone links to the following Bredemarket posts and other content. You may want to follow one or more of the 13 links below if you need additional information on a particular topic:
Here’s my latest brochure for the Bredemarket 400 Short Writing Service, my standard package to create your 400 to 600 word blog posts and LinkedIn articles. Be sure to check the Bredemarket 400 Short Writing Service page for updates.
And here’s the fourth and final part of my repurposing exercise. See parts one, two, and three if you missed them.
This post is adapted from Bredemarket’s November 10, 2021 submitted comments on DHS-2021-0015-0005, Information Collection Request, Public Perceptions of Emerging Technology. As I concluded my request, I stated the following.
Of course, even the best efforts of the Department of Homeland Security (DHS) will not satisfy some members of the public. I anticipate that many of the respondents to this ICR will question the need to use biometrics to identify individuals, or even the need to identify individuals at all, believing that the societal costs outweigh the benefits.
But before undertaking such drastic action, the consequences of following these alternative paths must be considered.
Taking an example outside of the non-criminal travel interests of DHS, some people prefer to use human eyewitness identification rather than computerized facial recognition.
However, eyewitness identification itself has clear issues of bias. The Innocence Project has documented many cases in which eyewitness (mis)identification has resulted in wrongful criminal convictions which were later overturned by biometric evidence.
Mistaken eyewitness identifications contributed to approximately 69% of the more than 375 wrongful convictions in the United States overturned by post-conviction DNA evidence.
Inaccurate eyewitness identifications can confound investigations from the earliest stages. Critical time is lost while police are distracted from the real perpetrator, focusing instead on building the case against an innocent person.
Despite solid and growing proof of the inaccuracy of traditional eyewitness ID procedures – and the availability of simple measures to reform them – traditional eyewitness identifications remain among the most commonly used and compelling evidence brought against criminal defendants.”
For more information on eyewitness misidentification, see my November 24, 2020 post on Archie Williams (pictured above) and Uriah Courtney.
Do we really want to dump computerized artificial intelligence and facial recognition, only to end up with manual identification processes that are proven to be even worse?
This post is adapted from Bredemarket’s November 10, 2021 submitted comments on DHS-2021-0015-0005, Information Collection Request, Public Perceptions of Emerging Technology. See my first and second posts on the topic.
DHS asked respondents to address five questions, including this one:
(2) will this information be processed and used in a timely manner;
Here is part of my response.
I am answering this question from the perspective of a person crossing the border or boarding a plane.
During the summer of 2017, CBP conducted biometric exit facial recognition technical demonstrations with various airlines and airports throughout the country. Here, CBP Officer Michael Shamma answers a London-bound American Airlines passenger’s questions at Chicago O’Hare International Airport. Photo by Brian Bell. From https://www.cbp.gov/frontline/cbp-biometric-testing
From this perspective, you can ask whether the use of biometric technologies makes the entire process faster, or slower.
Before biometric technologies became available, a person would cross a border or board a plane either by conducting no security check at all, or by having a human conduct a manual security check using the document(s) provided by an individual.
Unless a person was diverted to a secondary inspection process, automatic identification of the person (excluding questions such as “What is your purpose for entering the United States?”) could be accomplished in a few seconds.
However, manual security checks are much less accurate than technological solutions, as will be illustrated in a future post.
With biometric technologies, it is necessary to measure both the time to acquire the biometric data (in this case a facial image) and the time to compare the acquired data against the known data for the person (from a passport, passenger manifest, or database).
The time to acquire biometric data continues to improve. In some cases, the biometric data can be acquired “on the move” as the person is walking toward a gate or other entry area, thus requiring no additional time from the person’s perspective.
The time to compare biometric data can vary. If the source of the known data (such as the passport) is with the person, then comparison can be instantaneous from the person’s perspective. If the source of the known data is a database in a remote location, then the speed of comparison depends upon many factors, including network connections and server computation times. Naturally, DHS designs its systems to minimize this time, ensuring minimal or no delay from the person’s perspective. Of course, a network or system failure can adversely affect this.
In short, biometric evaluation is as fast if not faster than manual processes (provided no network or system failure occurs), and is more accurate than human processes.
Automated Passport Control kiosks located at international airports across the nation streamline the passenger’s entry into the United States. Photo Credit: James Tourtellotte. From https://www.cbp.gov/travel/us-citizens/apc
This post is adapted from Bredemarket’s November 10, 2021 submitted comments on DHS-2021-0015-0005, Information Collection Request, Public Perceptions of Emerging Technology. See yesterday’s post for additional thoughts on bias, security, and privacy.
Because of many factors, including the 9/11 tragedy that spurred the organization of the Department of Homeland Security (DHS) itself, DHS has been charged to identify individuals as a part of its oversight of customs and border protection, transportation security, and investigations. There are many ways to identify individuals, including:
What you know, such as a password.
What you have, such as a passport or token.
What you are, such as your individual face, fingers, voice, or DNA.
Where you are.
Is it possible to identify an individual without use of computerized facial recognition or other biometric or AI technologies? In other words, can the “what you are” test be eliminated from DHS operations?
Some may claim that the “what you have” test is sufficient. Present a driver’s license or a passport and you’re identified.
However, secure documents are themselves secured by the use of biometrics, primarily facial recognition.
Before a passport is issued, many countries including the U.S. conduct some type of biometric test to ensure that a single person does not obtain two or more passports.
Similar tests are conducted before driver’s licenses and other secure documents are issued.
In addition, people attempt to forge secure documents by creating fake driver’s licenses and fake passports. Thus, all secure documents need to be evaluated, in part by confirming that the biometrics on the document match the biometrics of the person presenting the document.
In short, there is no way to remove biometric identification from the DHS identification operation. And if you did, who knows how each individual officer would judge whether a person is who they claim to be?
This post is adapted from Bredemarket’s November 10, 2021 submitted comments on DHS-2021-0015-0005, Information Collection Request, Public Perceptions of Emerging Technology.
The original DHS request included the following sentence in the introductory section:
AI in general and facial recognition in particular are not without public controversy, including concerns about bias, security, and privacy.
Even though this was outside of the topics specifically requiring a response, I had to respond anyway. Here’s (in part) what I said.
The topics of bias, security, and privacy deserve attention. Public misunderstandings on these topics have the capability of scuttling all of DHS’ efforts in customs and border protection, transportation security, and investigations.
Regarding bias, it is imperative upon government agencies, biometric vendors, and other interested parties (including myself as a biometric consultant) to educate and inform the public about issues relating to bias. In the interests of brevity, I will confine myself to two critical points.
There is a difference between identification of individuals and classification of groups of individuals.
The summary at the top of the Gender Shades website http://gendershades.org/ clearly frames the question asked by the study: “How well do IBM, Microsoft, and Face++ AI services guess the gender of a face?” As the study title and its summary clearly state, the study only attempted to classify the genders of faces.
This is a different problem than the problem addressed in customs and border protection, transportation security, and investigations applications: namely, the identification of an individual. If someone purporting to be me attempts to board a plane, DHS does not care whether I am male, female, gender fluid, or anything else related to gender. DHS only cares about my individual identity.
It is imperative that any discussion of bias as related to DHS purposes confine itself to the DHS use case of identification of individuals.
Different algorithms exhibit different levels of bias (and different types of bias) when identifying individuals.
While Gender Shades did not directly address this issue, it turns out that it is possible to identify differences in individual identification between different genders, races, and ages.
The National Institute of Standards and Technology (NIST) has conducted ongoing studies of the accuracy and performance of face recognition algorithms. In one of these tests, the FRVT 1:1 Verification Test (at the https://pages.nist.gov/frvt/html/frvt11.html URL), each tested algorithm is examined for its performance among different genders, races (with nationality used as a proxy for race), and ages.
While neither IBM nor Microsoft (two of the three algorithm providers studied in Gender Shades) have not submitted algorithms to the FRVT 1:1 Verification Test, over 360 1:1 algorithms have been tested by NIST.
In a 2019 report issued by NIST on demographic effects (at the https://nvlpubs.nist.gov/nistpubs/ir/2019/NIST.IR.8280.pdf URL), NIST concluded that the tested algorithms “show a wide range in accuracy across developers, with the most accurate algorithms producing many fewer errors.”
It is possible to look at the data for each individual algorithm to see detailed information on the algorithm’s performance. Click on each 1:1 algorithm to see its “report card,” including demographic results.
However, even NIST tests are just that – tests. Performance of a research algorithm on a NIST test with NIST data does not guarantee the same performance of an operational algorithm in a DHS system with DHS data.
As DHS implements biometric systems for its purposes of customs and border protection, transportation security, and investigations, DHS not only needs to internally measure the overall accuracy of these systems using DHS algorithms and data, but also needs to internally measure accuracy when these demographic factors are taken into account. While even highly accurate results may not be perceived as such by the public (the anecdotal tale of a single inaccurate result may outweigh stellar statistical accuracy in the public’s mind), such accuracy measurements are essential for the DHS to ensure that it is fulfilling its mission.
Regarding security and privacy, which are intertwined in many ways, there are legitimate questions regarding how the use of biometric technologies can detract or enhance the security and privacy of individual information. (I will confine myself to technology issues, and will not comment on the societal questions regarding knowledge of an individual’s whereabouts.)
Data, including facial recognition vectors or templates, is stored in systems that may themselves be compromised. This is the same issue that is faced by other types of data that may be compromised, including passwords. In this regard, the security of facial recognition data is no different than the security of other data.
In some of the DHS use cases, it is not only necessary to store facial recognition vectors or templates, but it is also necessary to store the original facial images. These are not needed by the facial recognition algorithms themselves, but by the humans who review the results of facial algorithm comparisons. As long as we continue to place facial images on driver’s licenses, passports, visas, and other secure identity documents, the need to store these facial images will continue and cannot be avoided.
However, one must ensure that the storage of any personally identifiable information (including Social Security Numbers and other non-biometric data) is secure, and that the PII is only available on a need-to-know basis.
In some cases, the use of facial recognition technologies can actually enhance privacy. For example, take the moves by various U.S. states to replace their existing physical driver’s licenses with smartphone-based mobile driver’s licenses (mDLs). These mDL applications can be designed to only provide necessary information to those viewing the mDL.
When a purchase uses a physical driver’s license to buy age-restricted items such as alcohol, the store clerk viewing the license is able to see a vast amount of PII, including the purchaser’s birthdate, full name, residence address, and even height and weight. A dishonest store clerk can easily misuse this data.
When a purchaser uses a mobile driver’s license to buy age-restricted items, most of this information is not exposed to the store clerk viewing the license. Even the purchaser’s birthdate is not exposed; all that the store clerk sees is whether or not the purchaser is old enough to buy the restricted item (for example, over the age of 21).
Therefore, use of these technologies can actually enhance privacy.
I’ll be repurposing other portions of my response as new blog posts over the next several days.
Bredemarket 
