Tag Archives: department of homeland security

Android mobile driver’s licenses? It’s complicated.

At least in the United States, the mobile driver’s license world is fragmented.

Because driver’s license issuance in the U.S. is a state and not a federal responsibility, each state has to develop its own mobile driver’s license implementation. Subject to federal and international standards, of course.

To date there have been two parties helping the states with this:

  • mDL vendors such as Envoc and IDEMIA, who work with the states to create mDLs.
  • Operating system vendors such as Apple and Google, who work with the states to incorporate mDLs in smartphone wallets.

But because the Android ecosystem is more fragmented than the iOS ecosystem, we now have a third party that is involved in mDLs. In addition to mDL vendors and operating system vendors, we also have really large smartphone providers.

From https://news.samsung.com/us/samsung-idemia-bring-mobile-drivers-licenses-samsung-wallet-arizona-iowa-first-states-rollout/

Enter Samsung:

Samsung Electronics America today announced it is bringing mobile driver’s licenses and state IDs to Samsung Wallet. Arizona and Iowa will be the first states to offer a mobile version of its driver’s license to their residents. The update expands the Samsung Wallet experience by adding a convenient and secure way to use state-issued IDs and driver’s licenses

From https://news.samsung.com/us/samsung-idemia-bring-mobile-drivers-licenses-samsung-wallet-arizona-iowa-first-states-rollout/

(For those who have seen prior references to Samsung in the Bredemarket blog, rest assured that this information is public and Samsung won’t get harmed if you feed it to ChatGPT or Bard or whoever.)

In this particular case Samsung is working with IDEMIA (the mDL provider for Arizona and Iowa), but Samsung announced that it is working with other states and with the Transportation Security Administration (TSA).

While there are underlying standards (most notably ISO/IEC 18013-5, previously discussed here) that govern the implementation of mobile driver’s licenses, there is still a dizzying array of options.

From https://www.yourtango.com/201168184/facebook-relationship-status-what-does-its-complicated-mean

On a personal note, I’m still working on validating my driver’s license for California’s pilot mDL program. It probably didn’t help that I renewed my physical driver’s license right in the middle of the mDL validation process.

Customs Becoming Artificial, Thanks to Pangiam

I missed this story when it came out in May.

MCLEAN, Va., May 2, 2023 /PRNewswire/ — The West Virginia University Research Corporation (WVURC) and Pangiam, a leading trade a travel technology company, announced a new partnership to conduct research and develop new, cutting-edge artificial intelligence, machine learning and computer vision technologies for commercial and government applications.

Pangiam and WVURC will work together to launch Pangiam Bridge, a cutting-edge artificial intelligence driven solution for customs authorities worldwide. Pangiam Bridge will allow customs officials to automate portions of the customs inspection process for baggage and cargo. Jim McLaughlin, Pangiam Chief Technology Officer, said, “we are excited to grow Pangiam’s artificial intelligence work in partnership with West Virginia University and continued development of Pangiam Bridge for customs authorities.”

From https://www.prnewswire.com/news-releases/pangiam-and-west-virginia-university-research-corporation-partner-to-develop-artificial-intelligence-and-computer-vision-technology-301813334.html

Pangiam Bridge is obviously not ready for prime time yet; it’s not even mentioned on Pangiam’s Products and Services page, nor is it mentioned anywhere else on Pangiam’s website. The only mention of Pangiam Bridge is in this press release, which isn’t surprising considering that this is a research effort. But if the research holds out, then many of the manual processes used by customs agents may be significantly reduced or eliminated entirely.

U.S. CBP Office of Field Operations agent checking the authenticity of a travel document at an international airport using a stereo microscope. By James R. Tourtellotte, CBP, U.S. Dept. of Homeland Security – Original link: http://www.cbp.gov/xp/cgov/newsroom/photo_gallery/afc/inspectors_airports/air_05.xml (file Air_5fphoto_5f05.jpg) Now available at: link, Public Domain, https://commons.wikimedia.org/w/index.php?curid=2867071

And this isn’t Pangiam’s only artificial intelligence research effort.

Project DARTMOUTH is the collaboration between Pangiam and Google Cloud, named after the 1956 Dartmouth Summer Research Project on Artificial Intelligence. Project DARTMOUTH utilizes AI and pattern analysis technologies to digest and analyze vast amounts of data in real-time and identify potential prohibited items in carry-on baggage, checked baggage, airline cargo and shipments.

From https://pangiam.com/projectdartmouth/

(Bredemarket email, meeting, contact, subscribe)

Communicating How Your Firm Fights Synthetic Identities

(Updated question count 10/23/2023)

Does your firm fight crooks who try to fraudulently use synthetic identities? If so, how do you communicate your solution?

This post explains what synthetic identities are (with examples), tells four ways to detect synthetic identities, and closes by providing an answer to the communication question.

While this post is primarily intended for identity firms who can use Bredemarket’s marketing and writing services, anyone else who is interested in synthetic identities can read along.

What are synthetic identities?

To explain what synthetic identities are, let me start by telling you about Jason Brown.

Jason Brown wasn’t Jason Brown

You may not have heard of him unless you lived in Atlanta, Georgia in 2019 and lived near the apartment he rented.

Jason Brown’s renting of an apartment isn’t all that unusual.

If you were to visit Brown’s apartment in February 2019, you would find credit cards and financial information for Adam M. Lopez and Carlos Rivera.

Now that’s a little unusual, especially since Lopez and Rivera never existed.

For that matter, Jason Brown never existed either.

Brown was synthetically created from a stolen social security number and a fake California driver’s license. The creator was a man named Corey Cato, who was engaged in massive synthetic identity fraud. If you want to talk about a case that emphasizes the importance of determining financial identity, this is it.

From https://www.ice.gov/news/releases/hsi-investigates-synthetic-identities-scheme-defrauded-banks-nearly-2m

A Georgia man was sentenced Sept. 1 (2022) to more than seven years in federal prison for participating in a nationwide fraud ring that used stolen social security numbers, including those belonging to children, to create synthetic identities used to open lines of credit, create shell companies, and steal nearly $2 million from financial institutions….

Cato joined conspiracies to defraud banks and illegally possess credit cards. Cato and his co-conspirators created “synthetic identities” by combining false personal information such as fake names and dates of birth with the information of real people, such as their social security numbers. Cato and others then used the synthetic identities and fake ID documents to open bank and credit card accounts at financial institutions. Cato and his co-conspirators used the unlawfully obtained credit cards to fund their lifestyles.

From https://www.ice.gov/news/releases/hsi-investigates-synthetic-identities-scheme-defrauded-banks-nearly-2m

Talking about synthetic identity at Victoria Gardens

Here’s a video that I created on Saturday that describes, at a very high level, how synthetic identities can be used fraudulently. People who live near Rancho Cucamonga, California will recognize the Victoria Gardens shopping center, proof that synthetic identity theft can occur far away from Georgia.

From https://www.youtube.com/watch?v=oDrSBlDJVCk

Note that synthetic identity theft different from stealing someone else’s existing identity. In this case, a new identity is created.

So how do you catch these fraudsters?

Catching the identity synthesizers

If you’re renting out an apartment, and Jason Brown shows you his driver’s license and provides his Social Security Number, how can you detect if Brown is a crook? There are four methods to verify that Jason Brown exists, and that he’s the person renting your apartment.

Method One: Private Databases

One way to check Jason Brown’s story is to perform credit checks and other data investigations using financial databases.

  • Did Jason Brown just spring into existence within the past year, with no earlier credit record? That seems suspicious.
  • Does Jason Brown’s credit record appear TOO clean? That seems suspicious.
  • Does Jason Brown share information such as a common social security number with other people? Are any of those other identities also fraudulent? That is DEFINITELY suspicious.

This is one way that many firms detect synthetic identities, and for some firms it is the ONLY way they detect synthetic identities. And these firms have to tell their story to their prospects.

If your firm offers a tool to verify identities via private databases, how do you let your prospects know the benefits of your tool, and why your solution is better than all other solutions?

Method Two: Check That Driver’s License (or other government document)

What about that driver’s license that Brown presented? There are a wide variety of software tools that can check the authenticity of driver’s licenses, passports, and other government-issued documents. Some of these tools existed back in 2019 when “Brown” was renting his apartment, and a number of them exist today.

Maybe your firm has created such a tool, or uses a tool from a third party.

If your firm offers this capability, how can your prospects learn about its benefits, and why your solution excels?

Method Three: Check Government Databases

Checking the authenticity of a government-issued document may not be enough, since the document itself may be legitimate, but the implied credentials may no longer be legitimate. For example, if my California driver’s license expires in 2025, but I move to Minnesota in 2023 and get a new license, my California driver’s license is no longer valid, even though I have it in my possession.

Why not check the database of the Department of Motor Vehicles (or the equivalent in your state) to see if there is still an active driver’s license for that person?

The American Association of Motor Vehicle Administrators (AAMVA) maintains a Driver’s License Data Verification (DLDV) Service in which participating jurisdictions allow other entities to verify the license data for individuals. Your firm may be able to access the DLDV data for selected jurisdictions, providing an extra identity verification tool.

If your firm offers this capability, how can your prospects learn where it is available, what its benefits are, and why it is an important part of your solution?

Method Four: Conduct the “Who You Are” Test

There is one more way to confirm that a person is real, and that is to check the person. Literally.

If someone on a smartphone or videoconference says that they are Jason Brown, how do you know that it’s the real Jason Brown and not Jim Smith, or a previous recording or simulation of Jason Brown?

This is where tools such as facial recognition and liveness detection come to play.

  • You can ensure that the live face matches any face on record.
  • You can also confirm that the face is truly a live face.

In addition to these two tests, you can compare the face against the face on the presented driver’s license or passport to offer additional confirmation of true identity.

Now some companies offer facial recognition, others offer liveness detection, others match the live face to a face on a government ID, and many companies offer two or three of these capabilities.

One more time: if your firm offers these capabilities—either your own or someone else’s—what are the benefits of your algorithms? (For example, are they more accurate than competing algorithms? And under what conditions?) And why is your solution better than the others?

This is for the firms who fight synthetic identities

While most of this post is of general interest to anyone dealing with synthetic identities, this part of this post is specifically addressed to identity and biometric firms who provide synthetic identity-fighting solutions.

When you communicate about your solutions, your communicator needs to have certain types of experience.

  • Industry experience. Perhaps you sell your identity solution to financial institutions, or educational institutions , or a host of other industries (gambling/gaming, healthcare, hospitality, retailers, or sport/concert venues, or others). You need someone with this industry experience.
  • Solution experience. Perhaps your communications require someone with 29 years of experience in identity, biometrics, and technology marketing, including experience with all five factors of authentication (and verification).
  • Communication experience. Perhaps you need to effectively communicate with your prospects in a customer focused, benefits-oriented way. (Content that is all about you and your features won’t win business.)

Perhaps you can use Bredemarket, the identity content marketing expert. I work with you (and I have worked with others) to ensure that your content meets your awareness, consideration, and/or conversion goals.

How can I work with you to communicate your firm’s anti-synthetic identity message? For example, I can apply my identity/biometric blog expert knowledge to create an identity blog post for your firm. Blog posts provide an immediate business impact to your firm, and are easy to reshare and repurpose. For B2B needs, LinkedIn articles provide similar benefits.

If Bredemarket can help your firm convey your message about synthetic identity, let’s talk.

And thirteen more things

If you haven’t read a Bredemarket blog post before, or even if you have, you may not realize that this post is jam-packed with additional information well beyond the post itself. This post alone links to the following Bredemarket posts and other content. You may want to follow one or more of the 13 links below if you need additional information on a particular topic:

  1. Synthetic Identity video (YouTube), August 12, 2023. https://www.youtube.com/watch?v=oDrSBlDJVCk
  2. Using “Multispectral” and “Liveness” in the Same Sentence (Bredemarket blog), June 6, 2023. https://bredemarket.com/2023/06/06/using-multispectral-and-liveness-in-the-same-sentence/
  3. Who is THE #1 NIST facial recognition vendor? (Bredemarket blog), February 23, 2022. https://bredemarket.com/2022/02/23/number1frvt/
  4. Financial Identity (Bredemarket website). https://bredemarket.com/financial-identity/
  5. Educational Identity (Bredemarket website). https://bredemarket.com/educational-identity/
  6. The five authentication factors (Bredemarket blog), March 2, 2021. https://bredemarket.com/2021/03/02/the-five-authentication-factors/
  7. Customer Focus (Bredemarket website). https://bredemarket.com/customer-focus/
  8. Benefits (Bredemarket website). https://bredemarket.com/benefits/
  9. Seven Questions Your Content Creator Should Ask You: the e-book version (Bredemarket blog and e-book), October 22, 2023. https://bredemarket.com/2023/10/22/seven-questions-your-content-creator-should-ask-you-the-e-book-version/
  10. Four Mini-Case Studies for One Inland Empire Business—My Own (Bredemarket blog and e-book), April 16, 2023. https://bredemarket.com/2023/04/16/four-mini-case-studies-for-one-inland-empire-business-my-own/
  11. Identity blog post writing (Bredemarket website). https://bredemarket.com/identity-blog-post-writing/
  12. Blog About Your Identity Firm’s Benefits Now. Why Wait? (Bredemarket blog), August 11, 2023. https://bredemarket.com/2023/08/11/blog-about-your-identity-firms-benefits-now-why-wait/
  13. Why Your Company Should Write LinkedIn Articles (Bredemarket LinkedIn article), July 31, 2023. https://www.linkedin.com/pulse/why-your-company-should-write-linkedin-articles-bredemarket/

That’s twelve more things than the Cupertino guys do, although my office isn’t as cool as theirs.

By Arne Müseler / http://www.arne-mueseler.com, CC BY-SA 3.0 de, https://commons.wikimedia.org/w/index.php?curid=78985341

Well, why not one more?

Here’s my latest brochure for the Bredemarket 400 Short Writing Service, my standard package to create your 400 to 600 word blog posts and LinkedIn articles. Be sure to check the Bredemarket 400 Short Writing Service page for updates.

Bredemarket 400 Short Writing Service (June 2022)Download

If that doesn’t fit your needs, I have other offerings.

Plus, I’m real. I’m not a bot.

The dangers of removing facial recognition and artificial intelligence from DHS solutions (DHS ICR part four)

And here’s the fourth and final part of my repurposing exercise. See parts one, two, and three if you missed them.

This post is adapted from Bredemarket’s November 10, 2021 submitted comments on DHS-2021-0015-0005, Information Collection Request, Public Perceptions of Emerging Technology. As I concluded my request, I stated the following.

Of course, even the best efforts of the Department of Homeland Security (DHS) will not satisfy some members of the public. I anticipate that many of the respondents to this ICR will question the need to use biometrics to identify individuals, or even the need to identify individuals at all, believing that the societal costs outweigh the benefits.

By Banksy – One Nation Under CCTV, CC BY-SA 2.0, https://commons.wikimedia.org/w/index.php?curid=3890275

But before undertaking such drastic action, the consequences of following these alternative paths must be considered.

Taking an example outside of the non-criminal travel interests of DHS, some people prefer to use human eyewitness identification rather than computerized facial recognition.

By Zhe Wang, Paul C. Quinn, James W. Tanaka, Xiaoyang Yu, Yu-Hao P. Sun, Jiangang Liu, Olivier Pascalis, Liezhong Ge and Kang Lee – https://www.frontiersin.org/articles/10.3389/fpsyg.2015.00559/full, CC BY 4.0, https://commons.wikimedia.org/w/index.php?curid=96233011

However, eyewitness identification itself has clear issues of bias. The Innocence Project has documented many cases in which eyewitness (mis)identification has resulted in wrongful criminal convictions which were later overturned by biometric evidence.

Archie Williams moments after his exoneration on March 21, 2019. Photo by Innocence Project New Orleans. From https://innocenceproject.org/fingerprint-database-match-establishes-archie-williams-innocence/

Mistaken eyewitness identifications contributed to approximately 69% of the more than 375 wrongful convictions in the United States overturned by post-conviction DNA evidence.

Inaccurate eyewitness identifications can confound investigations from the earliest stages. Critical time is lost while police are distracted from the real perpetrator, focusing instead on building the case against an innocent person.

Despite solid and growing proof of the inaccuracy of traditional eyewitness ID procedures – and the availability of simple measures to reform them – traditional eyewitness identifications remain among the most commonly used and compelling evidence brought against criminal defendants.”

Innocence Project, Eyewitness Identification Reform, https://innocenceproject.org/eyewitness-identification-reform/

For more information on eyewitness misidentification, see my November 24, 2020 post on Archie Williams (pictured above) and Uriah Courtney.

Do we really want to dump computerized artificial intelligence and facial recognition, only to end up with manual identification processes that are proven to be even worse?

Biometrics enhances accuracy without adversely impacting timeliness (DHS ICR part three)

This post is adapted from Bredemarket’s November 10, 2021 submitted comments on DHS-2021-0015-0005, Information Collection Request, Public Perceptions of Emerging Technology. See my first and second posts on the topic.

DHS asked respondents to address five questions, including this one:

(2) will this information be processed and used in a timely manner;

Here is part of my response.

I am answering this question from the perspective of a person crossing the border or boarding a plane.

During the summer of 2017, CBP conducted biometric exit facial recognition technical demonstrations with various airlines and airports throughout the country. Here, CBP Officer Michael Shamma answers a London-bound American Airlines passenger’s questions at Chicago O’Hare International Airport. Photo by Brian Bell. From https://www.cbp.gov/frontline/cbp-biometric-testing

From this perspective, you can ask whether the use of biometric technologies makes the entire process faster, or slower.

Before biometric technologies became available, a person would cross a border or board a plane either by conducting no security check at all, or by having a human conduct a manual security check using the document(s) provided by an individual.

  • Unless a person was diverted to a secondary inspection process, automatic identification of the person (excluding questions such as “What is your purpose for entering the United States?”) could be accomplished in a few seconds.
  • However, manual security checks are much less accurate than technological solutions, as will be illustrated in a future post.

With biometric technologies, it is necessary to measure both the time to acquire the biometric data (in this case a facial image) and the time to compare the acquired data against the known data for the person (from a passport, passenger manifest, or database).

  • The time to acquire biometric data continues to improve. In some cases, the biometric data can be acquired “on the move” as the person is walking toward a gate or other entry area, thus requiring no additional time from the person’s perspective.
  • The time to compare biometric data can vary. If the source of the known data (such as the passport) is with the person, then comparison can be instantaneous from the person’s perspective. If the source of the known data is a database in a remote location, then the speed of comparison depends upon many factors, including network connections and server computation times. Naturally, DHS designs its systems to minimize this time, ensuring minimal or no delay from the person’s perspective. Of course, a network or system failure can adversely affect this.

In short, biometric evaluation is as fast if not faster than manual processes (provided no network or system failure occurs), and is more accurate than human processes.

Automated Passport Control kiosks
located at international airports across
the nation streamline the passenger’s
entry into the United States. Photo Credit: 
James Tourtellotte. From https://www.cbp.gov/travel/us-citizens/apc

A world without biometric collection is a world with increased bias and less security and privacy (DHS ICR part two)

This post is adapted from Bredemarket’s November 10, 2021 submitted comments on DHS-2021-0015-0005, Information Collection Request, Public Perceptions of Emerging Technology. See yesterday’s post for additional thoughts on bias, security, and privacy.

By Cleanup by Andrew_pmk (talk · contribs); straightened and cropped by Holek (talk · contribs) – http://www.9-11commission.gov/press/911report_cover_HIGHRES.jpg, Public Domain, https://commons.wikimedia.org/w/index.php?curid=2376314

Because of many factors, including the 9/11 tragedy that spurred the organization of the Department of Homeland Security (DHS) itself, DHS has been charged to identify individuals as a part of its oversight of customs and border protection, transportation security, and investigations. There are many ways to identify individuals, including:

  • What you know, such as a password.
  • What you have, such as a passport or token.
  • What you are, such as your individual face, fingers, voice, or DNA.
  • Where you are.

Is it possible to identify an individual without use of computerized facial recognition or other biometric or AI technologies? In other words, can the “what you are” test be eliminated from DHS operations?

Some may claim that the “what you have” test is sufficient. Present a driver’s license or a passport and you’re identified.

  • However, secure documents are themselves secured by the use of biometrics, primarily facial recognition.
  • Before a passport is issued, many countries including the U.S. conduct some type of biometric test to ensure that a single person does not obtain two or more passports.
  • Similar tests are conducted before driver’s licenses and other secure documents are issued.

In addition, people attempt to forge secure documents by creating fake driver’s licenses and fake passports. Thus, all secure documents need to be evaluated, in part by confirming that the biometrics on the document match the biometrics of the person presenting the document.

In short, there is no way to remove biometric identification from the DHS identification operation. And if you did, who knows how each individual officer would judge whether a person is who they claim to be?

Thoughts on bias, security, and privacy (DHS ICR part one)

This post is adapted from Bredemarket’s November 10, 2021 submitted comments on DHS-2021-0015-0005, Information Collection Request, Public Perceptions of Emerging Technology.

From https://www.regulations.gov/comment/DHS-2021-0015-0006

The original DHS request included the following sentence in the introductory section:

AI in general and facial recognition in particular are not without public controversy, including concerns about bias, security, and privacy.

Even though this was outside of the topics specifically requiring a response, I had to respond anyway. Here’s (in part) what I said.

The topics of bias, security, and privacy deserve attention. Public misunderstandings on these topics have the capability of scuttling all of DHS’ efforts in customs and border protection, transportation security, and investigations.

Regarding bias, it is imperative upon government agencies, biometric vendors, and other interested parties (including myself as a biometric consultant) to educate and inform the public about issues relating to bias. In the interests of brevity, I will confine myself to two critical points.

  • There is a difference between identification of individuals and classification of groups of individuals.
    • The summary at the top of the Gender Shades website http://gendershades.org/ clearly frames the question asked by the study: “How well do IBM, Microsoft, and Face++ AI services guess the gender of a face?” As the study title and its summary clearly state, the study only attempted to classify the genders of faces.
    • This is a different problem than the problem addressed in customs and border protection, transportation security, and investigations applications: namely, the identification of an individual. If someone purporting to be me attempts to board a plane, DHS does not care whether I am male, female, gender fluid, or anything else related to gender. DHS only cares about my individual identity.
    • It is imperative that any discussion of bias as related to DHS purposes confine itself to the DHS use case of identification of individuals.
  • Different algorithms exhibit different levels of bias (and different types of bias) when identifying individuals.
    • While Gender Shades did not directly address this issue, it turns out that it is possible to identify differences in individual identification between different genders, races, and ages.
    • The National Institute of Standards and Technology (NIST) has conducted ongoing studies of the accuracy and performance of face recognition algorithms. In one of these tests, the FRVT 1:1 Verification Test (at the https://pages.nist.gov/frvt/html/frvt11.html URL), each tested algorithm is examined for its performance among different genders, races (with nationality used as a proxy for race), and ages.
    • While neither IBM nor Microsoft (two of the three algorithm providers studied in Gender Shades) have not submitted algorithms to the FRVT 1:1 Verification Test, over 360 1:1 algorithms have been tested by NIST.
    • It is possible to look at the data for each individual algorithm to see detailed information on the algorithm’s performance. Click on each 1:1 algorithm to see its “report card,” including demographic results.

However, even NIST tests are just that – tests. Performance of a research algorithm on a NIST test with NIST data does not guarantee the same performance of an operational algorithm in a DHS system with DHS data.

As DHS implements biometric systems for its purposes of customs and border protection, transportation security, and investigations, DHS not only needs to internally measure the overall accuracy of these systems using DHS algorithms and data, but also needs to internally measure accuracy when these demographic factors are taken into account. While even highly accurate results may not be perceived as such by the public (the anecdotal tale of a single inaccurate result may outweigh stellar statistical accuracy in the public’s mind), such accuracy measurements are essential for the DHS to ensure that it is fulfilling its mission.

Regarding security and privacy, which are intertwined in many ways, there are legitimate questions regarding how the use of biometric technologies can detract or enhance the security and privacy of individual information. (I will confine myself to technology issues, and will not comment on the societal questions regarding knowledge of an individual’s whereabouts.)

  • Data, including facial recognition vectors or templates, is stored in systems that may themselves be compromised. This is the same issue that is faced by other types of data that may be compromised, including passwords. In this regard, the security of facial recognition data is no different than the security of other data.
  • In some of the DHS use cases, it is not only necessary to store facial recognition vectors or templates, but it is also necessary to store the original facial images. These are not needed by the facial recognition algorithms themselves, but by the humans who review the results of facial algorithm comparisons. As long as we continue to place facial images on driver’s licenses, passports, visas, and other secure identity documents, the need to store these facial images will continue and cannot be avoided.
  • However, one must ensure that the storage of any personally identifiable information (including Social Security Numbers and other non-biometric data) is secure, and that the PII is only available on a need-to-know basis.
  • In some cases, the use of facial recognition technologies can actually enhance privacy. For example, take the moves by various U.S. states to replace their existing physical driver’s licenses with smartphone-based mobile driver’s licenses (mDLs). These mDL applications can be designed to only provide necessary information to those viewing the mDL.
    • When a purchase uses a physical driver’s license to buy age-restricted items such as alcohol, the store clerk viewing the license is able to see a vast amount of PII, including the purchaser’s birthdate, full name, residence address, and even height and weight. A dishonest store clerk can easily misuse this data.
    • When a purchaser uses a mobile driver’s license to buy age-restricted items, most of this information is not exposed to the store clerk viewing the license. Even the purchaser’s birthdate is not exposed; all that the store clerk sees is whether or not the purchaser is old enough to buy the restricted item (for example, over the age of 21).
    • Therefore, use of these technologies can actually enhance privacy.

I’ll be repurposing other portions of my response as new blog posts over the next several days.

In this post, “NGI” stands for Non-Governmental Identity

I admit to my biases.

As a former long-time employee of a company that provides finger and face technology for the Federal Bureau of Investigation’s Next Generation Identification (NGI) system, as well as driver’s license and passport technology in the United States and other countries, I am reflexively accustomed to thinking of a proven identity in governmental terms.

Because the government is always here to help.

From World War II. By Packer, poster artist, Artist (NARA record: 8467744) – U.S. National Archives and Records Administration, Public Domain, https://commons.wikimedia.org/w/index.php?curid=16929857

What this means in practice is that whenever I see a discussion of a proven identity, I reflexively assume that the identity was proven through means of some type of governmental action.

  • Perhaps the identity was tied to a driver’s license identity maintained by a state agency (and checked against other states via AAMVA’s “State to State” to ensure that there are no duplicate identities).
  • Or perhaps the identity was proven via the use of a database maintained by a government agency, such as the aforementioned NGI or perhaps a database such as the CODIS DNA database.

However, I constantly have to remind myself that not everyone thinks as I do, and that for some people an identity proven by governmental means is the worst possible scenario.

Use of DNA for humanitarian efforts

Take an example that I recently tweeted about.

I recently read an article from Thermo Fisher Scientific, which among other things provides a slew of DNA instruments, software, and services for both traditional DNA and rapid DNA.

One of the applications of DNA is to prove family relationships for migrants, especially after families were separated after border crossings. This can be done in a positive sense (to prove that a separated parent and child ARE related) or in a negative sense (to prove that a claimed parent and child are NOT related). However, as was noted in a webinar I once attended, DNA is unable to provide any verification of legitimate adoptions.

By Nofx221984 – Own work, Public Domain, https://commons.wikimedia.org/w/index.php?curid=7429871

Regardless of the purpose of using DNA for migrants, there is a certain level of distrust among the migrants when the government says (presumably in Spanish), “We’re the government. We’re here to help.” You don’t have to be a rabid conspiracy theorist to realize that once DNA data is captured, there is no technical way to prevent the data from being shared with every other government agency. Certain agencies can establish business rules to prevent such sharing, but those business rules can include wide exceptions or the rules can be ignored entirely.

Therefore, Thermo Fisher Scientific decided to discuss humanitarian DNA databases.

As a result of migration, human trafficking and war, humanitarian databases are a relatively new concept and are often completely separate from criminal databases. Research has shown that family members may distrust government databases and be reluctant to report the missing and provide reference samples (1). Humanitarian databases are repositories of DNA profiles from reported missing persons, relative reference samples, and unknown human remains and may be managed by non-governmental organizations (NGOs), though in some instances they may be managed by a governmental institution but kept separate from criminal databases. Examples of humanitarian databases can be found in the United States (NamUsUniversity of North Texas HDID), Canada (Royal Canadian Mounted Police), Australia (National DNA Program for unidentified and missing persons) and internationally via the International Commission on Missing Persons (ICMP).

As you can see from the list, some of these databases ARE managed by government police agencies such as the RCMP. But others are not. The hope, of course, is that migrants would be willing to approach the humanitarian folks precisely BECAUSE they are not the police. Reluctance to approach ANY agency may be dampened by a desire to be reunited with a missing child.

And these non-governmental efforts can work. The Colibri Center claims to have performed 142 identifications that would not have been made otherwise.

Reluctance to set national standards for mobile driver’s licenses

Because of my (biased) outlook, mobile driver’s licenses and other applications of government-proven digital identity seem like a wonderful thing. The example that I often bore you with is the example of buying a drink at a bar. If someone does this with a traditional driver’s license, the bartender not only learns the drinker’s birthdate, but also his/her address, (claimed) height and weight, and other material irrelevant to the “can the person buy a drink?” question. With a mobile driver’s license, the bartender doesn’t even learn the person’s birthdate; the bartender only learns the one important fact that the drinker is over 21 years of age.

Some people are not especially wowed with this use case.

The DHS Request for Comment has finally closed, and among the submissions is a joint response from the American Civil Liberties Union, Electronic Frontier Foundation (EFF), & Electronic Privacy Information Center (EPIC). The joint response not only warns about potential misuse of government digital identities, but also questions the rush of establishing them in the first place.

We believe that it is premature to adopt industry standards at this time as no set of standards has been completed that fully takes advantage of existing privacy-preserving techniques. In recent decades we have seen the emergence of an entire identity community that has been working on the problems of online identity and authorization. Some within the identity community have embraced centralized and/or proprietary systems…

You can imagine how the ACLU, EFF, and EPIC feel about required government-managed digital identities.

Is a Non-Governmental Identity (NGI) feasible and reliable?

Let’s return to the ACLU/EFF/EPIC response to the DHS Request for Comment, which mentions an alternative to centralized, proprietary maintenance of digital identities. This is the alternative that I’m referring to as NGI just to cause MAC (massive acronym confusion).

…others are animated by a vision of “self-sovereign
identity” that is decentralized, open source, privacy-preserving, and empowering of individuals. That movement has created a number of proposed systems, including an open standard created by the World Wide Web Consortium (W3C) called Verifiable Credentials (VCs)….

DHS should refuse to recognize IDs presented within centralized identity systems. If a standard digital identity system is to be accepted by the federal government, it must be created in an open, transparent manner, with the input of multiple stakeholders, and based upon the self-sovereign identity concept. Such a system can then be used by federal government agencies to view identity credentials issued by state departments of motor vehicles (DMVs) where doing so makes sense. If standards based on self-sovereign identity are not considered mature enough for adoption, efforts should be directed at rectifying that rather than at adopting other systems that raise privacy, security, and autonomy risks.

For all practical purposes, the chances of the ACLU/EFF/EPIC convincing the Department of Homeland Security to reject government-proven identities are approximately zero. And since DHS controls airport access, you probably won’t see an airport security agent asking for your Verifiable Credentials any time soon. Self sovereign identities are just as attractive to government officials as sovereign citizens.

Who issues Verifiable Credentials?

As ACLU/EFF/EPIC noted, Verifiable Credentials are still under development, just as the centralized system standards are still under development. But enough advances have been made so that we have somewhat of an idea what they will look like. As Evernym notes, there is a trusted triangle of major players in the Verifiable Credentials ecosystem:

From https://www.evernym.com/blog/gentle-introduction-verifiable-credentials/. Fair use.

There are a number of directions in which we can go here, but for the moment I’m going to concentrate on the Issuer.

In the current centralized model being pursued in the United States, the issuers are state driver’s license agencies that have “voluntarily” consented to agree to REAL ID requirements. Several states have issued digital versions of their driver’s licenses which are recognized for various purposes at the state level, but are not yet recognized at the federal level. (The purpose of the DHS Request for Comment was to solicit thoughts on federal adoption of digital identities. Or, in the case of some respondents, federal NON-adoption of digital identities.)

Note that in the Verified Credentials model, the Issuer can be ANYBODY who has the need to issue some type of credential. Microsoft describes an example in which an educational institution is an Issuer that represents that a student completed particular courses.

Without going into detail, the triangle of trust between Issuers, Verifiers, and Holders is intended to ensure that a person is who they say they are. And to the delight of the ACLU et al, this is performed via Decentralized Identifiers (DIDs), rather than by centralized management by the FBI or the CIA, the BBC, B. B. King, Doris Day, or Matt Busby. (Dig it.)

But NGIs are not a cure-all

Despite the fact that they are not controlled by governments, and despite that fact that users (at least theoretically) control their own identities, no one should think that digital identities are the solution to all world problems…even when magic paradigm-shifting words like “blockchain” and “passwordless” are attached to them.

Here’s what McKinsey has said:

…even when digital ID is used with good intent, risks of two sorts must be addressed. First, digital ID is inherently exposed to risks already present in other digital technologies with large-scale population-level usage. Indeed, the connectivity and information sharing that create the value of digital ID also contribute to potential dangers. Whether it is data breaches and cyber-intrusions, failure of technical systems, or concerns over the control and misuse of personal data, policy makers around the world today are grappling with a host of potential new dangers related to the digital ecosystem.

Second, some risks associated with conventional ID programs also pertain in some measure to digital ID. They include human execution error, unauthorized credential use, and the exclusion of individuals. In addition, some risks associated with conventional IDs may manifest in new ways as individuals newly use digital interfaces. Digital ID could meaningfully reduce many such risks by minimizing opportunity for manual error or breaches of conduct.

In addition, many of these digital identity initiatives are being pursued by large firms such as IBM and Microsoft. While one hopes that these systems will be interoperable, there is always the danger that the separate digital identity systems from major firms such as IBM and Microsoft may NOT be interoperable, in the same way that the FBI and DHS biometric systems could NOT talk to each other for several years AFTER 9/11.

And it’s not only the large companies that are playing in the market. Shortly after I started writing this post, I ran across this LinkedIn article from the Chief Marketing Officer at 1Kosmos. The CMO makes this statement in passing:

At 1Kosmos, we’ve taken our FIDO2 certified platform one step further with a distributed identity based on W3C DID standards. This removes central administration of the database via a distributed ledger for true “privacy by design,” putting users in sole access and control of their identity.

1Kosmos, IBM, and Microsoft know what they’re talking about here. But sadly, some people only think these technologies are “cool” because they’re perceived as anti-government and anti-establishment. (As if these companies are going to call for the downfall of capitalism.)

Which identiy(ies) will prevail?

Back to governmental recognition of NGI.

Don’t count on it.

Anticipated DHS endorsement of government-issued digital identities doesn’t mean that NGI is dead forever, since private companies can adopt (and have adopted) any identity system that they wish.

So in truth we will probably end up with a number of digital identities like we have today (I, for example, have my WordPress identities, my Google identities, and countless others). The difference, of course, is that the new identities will be considered robust – or won’t be, when centralized identity proponents denigrate decentralized identities and vice versa.

But frankly, I’m still not sure that I want Facebook to know how much I weigh.

(Although, now that I think about it, Apple already knows.)

By Apple Inc. – http://www.apple.com, Fair use, https://en.wikipedia.org/w/index.php?curid=43953320

Telos enters the touchless fingerprint market

Years before COVID became a thing, the U.S. government had a desire to encourage touchless fingerprint technologies. This began many years ago with a concerted effort to capture a complete set of fingerprints in less than 15 seconds. By 2016, this had evolved to a set of Cooperative Research and Development Agreements (CRADA) entered into by the National Institute of Standards and Technology and several private companies.

Slide 10 from the NIST presentation posted at https://www.nist.gov/system/files/documents/2016/12/14/iai_2016-nist_contactless_fingerprints-distro-20160811.pdf

For purposes of this post, I’m going to concentrate on just one of the listed mobile fingerprint capture technology solutions. The mobile fingerprint capture technologies from these companies were intended to support the capture of fingerprints from a standard smartphone without any additional capture equipment. (Compare this to the portal/kiosk category, which employed specialized capture equipment.)

One of NIST’s CRADA partners for mobile fingerprint capture was a company called Diamond Fortress Technologies.

Via our CRADA  relationship (Cooperative Research and Development Agreement), Diamond Fortress is currently working with NIST to develop standards dealing with best practices, certification methodology, data formatting and interoperability with legacy contact-based and inked print databases for optical acquisition systems. This will support future certification for purchase on the Government Certified Products lists.

Fast forward a few years, and Diamond Fortress Technologies’ offering is back in the news again.

Telos Corporation has acquired the ONYX touchless fingerprint biometric software and other assets of Diamond Fortress Technologies (DFT), and appears to be targeting new verticals with the technology.

Now that happened to catch my eye for one particular reason.

You see, my former employer IDEMIA used to have a monopoly on the TSA PreCheck program. If you wanted to enroll in TSA PreCheck, you HAD to go to IDEMIA. This provided a nice revenue stream for IDEMIA…well, perhaps not so nice when all of the airports lost traffic due to COVID.

Anyway, the Congress decided that one provider wasn’t optimal for government purposes, so in early 2020 other vendors were approved as TSA PreCheck providers.

WASHINGTON – Transportation Security Administration (TSA) today announced that TSA PreCheck™ enrollment services will now be provided by Alclear, LLC; Telos Identity Management Solutions, LLC; and Idemia Identity & Security USA, LLC, expanding the opportunities that enable travelers to apply for TSA PreCheck.

Just to clarify, the company then known as Alclear is better known to the general public as CLEAR.

And the third company is Telos.

Which is now apparently moving into the touchless fingerprint space.

From https://diamondfortress.com/onyx/. Fair use.

Now THAT is going to have an impact on enrollment.

The ITIF, digital identity, and federalism

I just read an editorial by Daniel Castro, the vice president of the Information Technology and Innovation Foundation (ITIF) and director of the Center for Data Innovation. The opinion piece, published in Government Technology, is entitled “Absent Federal IDs, Digital Driver’s Licenses a Good Start.”

You knew I was going to comment on this one.

Why Daniel Castro supports a national digital ID

Let me allow Castro to state his case.

After Castro identifies the various ways in which people prove identity online, and the drawbacks of these methods, here’s what Castro says about the problem that needs to be addressed:

…poor identity verification is one of the reasons that identity theft is such a growing problem as more services move online. The Federal Trade Commission received 1.4 million reports of identity theft last year, double the number in 2019, with one security research firm estimating $56 billion in losses.

Castro then goes on to state his ideal solution:

The best solution to this problem would be for the federal government to develop an interoperable framework for securely issuing and validating electronic IDs and then direct a federal agency to start issuing these electronic IDs upon request. 

Castro then notes that the federal government has NOT done this:

But in the absence of federal action, a number of states have already begun this work on their own by creating digital driver’s licenses that provide a secure digital alternative to a physical identity document.

Feel free to read the rest of the story.

“Page two.” By Shealah Craighead – The original was formerly from here and is now archived at georgewbush-whitehouse.archives.gov., Public Domain, https://commons.wikimedia.org/w/index.php?curid=943922

But for me I’m going to stop right there.

Why Americans oppose mandatory national physical and digital IDs

Castro’s proposal, while ideal from a technological standpoint, doesn’t fully account for the realities of American politics.

Many Americans (regardless of political leanings) are strongly opposed to ANY mandatory national ID system. For example, many Americans don’t want our Social Security Numbers to become mandatory national IDs (even though they are de facto national IDs today). And while the federal government does issue passports, it isn’t mandatory that people GET them.

And many Americans don’t want state driver’s licenses to become mandatory national IDs. I went into this whole issue in great detail in my prior post “How 6 CFR 37 (REAL IDs) exhibits…federalism,” which made the following points:

  1. States are NOT mandated to issue REAL IDs. (And, no citizen is mandated to GET a REAL ID.)
  2. The federal government CAN mandate which IDs are accepted for federal purposes.
  3. Because the federal government can mandate the IDs to use when entering a federal facility or flying at a commercial airport, ALL of the states were eventually “persuaded” to issue REAL IDs. (Of course, it has take nearly two decades, so far, for that persuasion to work, and it won’t work until 2023, or later.)

So, considering all of the background regarding the difficulties in mandating a national PHYSICAL ID, imagine how things would erupt if the federal government mandated a national DIGITAL ID.

It wouldn’t…um…fly.

Transportation Security Administration Checkpoint at John Glenn Columbus International Airport. By Michael Ball – Own work, CC0, https://commons.wikimedia.org/w/index.php?curid=77279000

And this is why some states are moving ahead on their own with mobile driver’s licenses.

LA Wallet Louisiana Digital Driver’s License. lawallet.com.

However, there’s a teeny tiny catch: while the states can choose to mandate that their mDLs be accepted at the STATE level, states cannot mandate that their digital identities be used for FEDERAL purposes.

Here we go again.

Of course, federal government agencies are starting to look at the issues with a mobile version of a “REAL ID,” including the standard(s) to which any mobile ID used for federal purposes must adhere.

Improving Digital Identity Act of 2020, or 2021, or 2025…

While the government agencies are doing this work, another government agency (the U.S. Congress) is also working on this. Castro mentions Rep. Bill Foster’s H.R. 8215, introduced in the last Congress. I’m not sure why he bothered to introduce it in September 2020, when Congress wasn’t going to do anything with it. As you may have heard, we had an election at that time.

Of course, he just reintroduced it last month, so now there’s more of a chance that it will be considered. Or maybe not.

Regardless, the “Improving Digital Identity Act” proposes the creation of a task force at the federal level with federal, state participants, and local participants. It also mandates that NIST create a digital identity “framework,” with an interim version available 240 days after the Act is passed. Among other things, the ACT also mandates that NIST Special Publication 800-63 become “binding operational directives” for federal agencies.

(Does that mean that it will be illegal to mandate password changes every 90 days? Woo hoo!)

Should this Act actually pass at some point, its directives will need to be harmonized with what the Department of Homeland Security is already doing, and of course with what the states are already doing.

Oh, and remember my reference to the DHS’ work in this area? Among those who have submitted verbal and/or written comments, several (primarily from privacy organizations) have stated that the government should NOT be promoting ANY digital ID at all. The sentiments in this written comment, submitted anonymously, are all too common.

There are a lot of security and privacy concerns with accepting digital ID’s. First and foremost, drivers licenses contain a lot of sensitive information. If digital ID’s are accepted, then it could potentially leak that info to hackers if it is not secured properly. Plus, there is the added concern that using digital ID’s will lead to extra surveillance where unnecesary. Finally, digital ID will not allow individuals who are poorer to be abele to submit an ID because they might not have access to the same facilities. I am strongly against this rule and I do NOT think that digital ID should be an option.

I expect other privacy organizations to submit comments that may be better-written, but they echo the same sentiment.