The Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF, a legacy acronym) is part of the Department of Justice (moved from Treasury when Homeland Security was created). One of its duties is to administer the regulations from the National Firearms Act (NFA) of 1934.
In the course of its duties, ATF fingerprints certain gun owners.
As Bayometric notes in a detailed article, there are two ways to generate the fingerprint cards required by ATF: traditional ink fingerprinting to create an FD-258 card, and live scan fingerprinting to print one or more FD-258 cards from a digital capture. Although the latter is more expensive (even a non-ruggedized live scan station costs far more than an ink pad), live scans measure print quality immediately and are less susceptible to operator error.
But why even worry about FD-258 cards? ATF supports an eForms service which allows you to submit prints electronically like everyone else does.
Then again, if you’re suspicious of Big Brother, you may opt for non-electronic inked fingerprints.
When the United States was attacked on September 11, 2001—an attack that caused NATO to invoke Article 5, but I digress—Congress and the President decided that the proper response was to reorganize the government and place homeland security efforts under a single Cabinet secretary. While we may question the practical wisdom of that move, the intent was to ensure that the U.S. Government mounted a coordinated response to that specific threat.
Today Americans face the threat of fraud. Granted it isn’t as showy as burning buildings, but fraud clearly impacts many if not most of us. My financial identity has been compromised multiple times in the last several years, and yours probably has also.
But don’t expect Congress and the President to create a single Department of Anti-Fraud any time soon.
Because this is government-wide and necessarily complex, the bill will be referred to at least THREE House Committees:
“Referred to the Committee on Oversight and Government Reform, and in addition to the Committees on Financial Services, and Energy and Commerce, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.”
“(9) The National Institute of Standards and Technology (NIST) was directed in the CHIPS and Science Act of 2022 to launch new work to develop a framework of common definitions and voluntary guidance for digital identity management systems, including identity and attribute validation services provided by Federal, State, and local governments, and work is underway at NIST to create this guidance. However, State and local agencies lack resources to implement this new guidance, and if this does not change, it will take decades to harden deficiencies in identity infrastructure.”
Even in the preamble the bill mentions NIST, part of the U.S. Department of Commerce, and the individual states, after mentioning the U.S. Department of the Treasury (FinCEN) earlier in the bill.
But let’s get to the meat of the bill:
“SEC. 3. IDENTITY FRAUD PREVENTION INNOVATION GRANTS. (a) IN GENERAL.—The Secretary of the Treasury shall, not later than 1 year after the date of the enactment of this section, establish a grant program to provide identity fraud prevention innovation grants to States.”
The specifics:
The states can use the grants to develop mobile driver’s licenses “and other identity credentials.”
They can also use the grants to protect individuals from deepfake attacks.
Another purpose is to develop “interoperable solutions.”
A fourth is to replace vulnerable legacy systems.
The final uses are to make sure the federal government gets its money, because that’s the important thing to Congress.
But there are some limitations in how the funds are spent.
They can’t be used to require mDLs or eliminate physical driver’s licenses.
They can’t be used to “support the issuance of drivers licenses or identity credentials to unauthorized immigrants.” (I could go off on a complete tangent here, but for now I’ll just say that this prevents a STATE from issuing such an identity credential.)
The bill is completely silent on REAL ID, therefore not mandating that everyone HAS to get a REAL ID.
And everything else
So although the bill claims to implement a government-wide solution, the only legislative changes to the federal government involve a single department, Treasury.
But Treasury (FinCEN plus IRS) and the tangentially-mentioned Commerce (NIST) aren’t the only Cabinet departments and independent agencies involved in anti-fraud efforts. Others include:
The Department of Homeland Security, through the Secret Service and every enforcement agency that checks identities at U.S. borders and other locations.
The Federal Trade Commission (FTC).
The Social Security Administration. Not that SSNs are a national ID…but they de facto are.
And that’s just one example of how anti-fraud efforts are siloed. Much of this is unavoidable in our governmental system (regardless of political parties), in which states and federal government agencies constantly war against each other.
What happens, for example, if the Secret Service decides that the states (funded by Treasury) or the FBI (part of Justice) are impeding its anti-fraud efforts?
Or if someone complains about NIST listing evil Commie Chinese facial recognition algorithms that COULD fight fraud?
Despite what Biometric Update and the Congresspeople say, we do NOT have a government-wide anti-fraud solution.
(And yes, I know that the Capitol is not north of the Washington Monument…yet.)
If you’ve read a few hundred job descriptions, one phrase that you’ll often see is “cross-functional collaboration.” The theory is that the employee (for example, a senior product marketing manager) will seamlessly work with marketing, product, R&D, customer success, sales, finance, legal, and everyone else, all working together for the good of the company.
But the world usually doesn’t work like that. YOUR department is great. The other departments are the bozos.
(Source: Google Gemini.)
There’s actually a benefit to this when you look at government agencies. If you believe that “the government that governs least” is preferable to Big Brother, then the fact that multiple agencies DON’T gang up against you is a good thing. You don’t want to be chased by the FBI and the CIA and the BBC and B.B. King and Doris Day. And Matt Busby.
But there are times when government agencies work together, usually when facing a common threat. Sometimes this is good…and sometimes it isn’t. Let’s look at two examples and see where they fall in the spectrum.
The Central Intelligence Agency and the Federal Bureau of Investigation in 1972
Normally bureaucrats are loyal to their agency, to the detriment of other agencies. This is especially true when the agencies are de facto competitors.
In theory the Central Intelligence Agency (CIA) and the Federal Bureau of Investigation (FBI) have completely separate spheres of operation, and in the 1970s they certainly did. But at the highest level they perform the same function: catch bad people. And each agency certainly wants to take the credit when a bad person is caught. Conversely, if one of the agencies is harboring a bad person, the other one usually works to expose it.
Usually.
A few of you are old enough to remember a third-rate burglary in Washington, DC in 1972. The burglary took place at a political party office in some hotel or another. We now know with the benefit of hindsight that the FBI-CIA rivalry worked. Bob Woodward learned a few days after the break-in that two of the alleged burglars were connected to E. Howard Hunt, a former CIA operative. Who told Woodward?
“Woodward, we now know, had been tipped off by Mark Felt, the deputy director of the FBI. The Bureau had itself become involved in the investigation of a mere burglary because once the police found wiretapping equipment, the investigation fell under its remit.”
(Source: Google Gemini.)
This is how it should work. Although the mere fact that Hunt knew Bernard Barker and Eugenio Martinez was not a crime, the FBI was certainly bound to investigate the matter.
Until it wasn’t.
“Richard Nixon and senior White House personnel including Chief-of-Staff Bob Haldeman and domestic policy tsar John Ehrlichman devised a strategy to block the investigation. This began to unfold as early as June 23, a mere three days after the break-in. That day, Haldeman proposed to Nixon to “have [Vernon] Walters [deputy director of the CIA] call Pat Gray [director of the FBI] and just say ‘stay the h*ll out of this’ on grounds of ‘national interest.’”
This recorded conversation would become very important two years later, but back in 1972 very few people knew about it. And very few people knew that Gray “destroyed secret documents removed from Howard Hunt’s safe.”
Think about it. If Richard Nixon hadn’t recorded his own conversations, we might never have learned that the CIA partially neutralized an FBI investigation.
But other instances of cross-functional collaboration come to light in other ways.
Immigration and Customs Enforcement and the Transportation Security Administration before 2026
The FBI-CIA episode of 1972 was an aberration. Normally agencies don’t cooperate, even when massive effort is expended to make them work together.
One prime example was the creation of the Department of Homeland Security (DHS) in 2002-2003. Because it was believed that 9/11 happened because relevant agencies were scattered all over the government, Congress and the President performed a massive reorganization. This affected the Departments of Agriculture, Energy, Health and Human Services, Justice, Transportation, and Treasury.
For our discussion:
The Department of Justice lost the Immigration and Naturalization Service (INS), which was broken up into three separate agencies within DHS. One of these is Immigration and Customs Enforcement, or ICE. Perhaps you’ve heard of it.
The relatively new Transportation Security Administration (TSA) was moved from the Department of Transportation to DHS.
The theory, of course, is that once all these agencies were under the DHS umbrella, they would magically work together to stop the evil terrorists. However, each of the component agencies had vastly different missions. Here is the mission of the TSA:
“Protect the nation’s transportation systems to ensure freedom of movement for people and commerce.”
Well, “freedom of movement” is not the primary part of ICE’s mission:
“Protect America through criminal investigations and enforcing immigration laws to preserve national security and public safety.”
While these missions are not mutually exclusive, the difference in emphasis is apparent. And the agencies competed.
Some of you may remember air marshals. After 9/11, some airline flight passengers were actually air marshals, but the passengers (and any terrorists) didn’t know which flights had air marshals or who they were.
(Source: Google Gemini.)
The Federal Air Marshal Service (FAMS) was part of the Transportation Security Administration.
“Homeland Security Secretary Tom Ridge announced [in September 2003] that the federal air marshals program will move from the Transportation Security Administration to the Bureau of Immigration and Customs Enforcement (ICE).”
The idea was to concentrate all enforcement operations in one agency, to protect FAMS from uncertain TSA funding, and to allow ICE agents to be cross-trained as air marshals. But this didn’t happen, so two years later FAMS moved from ICE back to TSA.
And both agencies went on their merry little ways.
Immigration and Customs Enforcement and the Transportation Security Administration in 2026
“When Transportation Security Administration (TSA) Acting Director Ha Nguyen McNeill was pressed [by the House Committee on Homeland Security] on reports that ICE is using domestic flight passenger information to support deportation operations, she did not deny cooperation. Instead, she defended it as legitimate intra-departmental coordination and framed it as part of DHS’s overall mission set.
“In response to lawmakers’ questions, McNeill said TSA assistance to ICE is ‘absolutely within our authorities’ when it involves sharing passenger information for immigration enforcement operations.”
McNeill effectively said that TSA doesn’t dump its data on ICE, but responds to individual ICE inquiries.
“Airport travel…becomes a choke point for detentions – no longer just transportation, but a compliance checkpoint for civil enforcement, re-engineering mobility into an enforcement tool.”
Do U.S. government agencies simply run roughshod over your privacy rights?
Not exactly.
Federal agencies are required (under Section 208 of the E-Government Act of 2002) to conduct and publish Privacy Impact Assessments (PIAs) for information systems that collect personally identifiable information.
The Federal Bureau of Investigation alone has issued over 60 PIAs.
For example, here is the PIA for the Combined Deoxyribonucleic Acid (DNA) Index System (CODIS).
And if anything needs a PIA, it’s CODIS, since it potentially contains your personally identifiable information…and the personally identifiable information of your relatives.
The PIAs themselves are detailed. The CODIS PIA includes 8 sections with 19 pages of questions and responses. For example, here is the response in section 8 regarding privacy:
The type, quantity, and sources of information collected by FBI CODIS are necessary to identify crime scene offenders, missing persons, or unidentified human remains, or to link multiple crime scenes. Such information is only further disseminated for these purposes. Moreover, NDIS does not store State Identification Number/Universal Control Number or otherwise collect, handle, disseminate, or store contributors’ names. Therefore, CODIS DNA profiles and pedigrees can only be matched to a named individual by the submitting Criminal Justice Agency forensic laboratory, independent of NDIS.
The privacy risks associated with the collection and maintenance of FBI CODIS information are inaccurate information, unauthorized access, and unauthorized disclosures.
The privacy risks associated with the access and use of FBI CODIS information are unauthorized access, unauthorized (or overly broad) disclosures, and loss of data.
The privacy risks associated with the dissemination of FBI CODIS information are the risks of unauthorized disclosures and loss of data.
The risks of unauthorized access, unauthorized disclosures, loss of data and inaccurate information are mitigated by the quality assurance standards promulgated by the FBI pursuant to the Federal DNA Identification Act. These risks are further mitigated by the system, physical access, network-infrastructure, auditing and quality assurance controls, as described more specifically in Sections 6.1 and 6.2, which are in compliance with FIPS Publication 199, as applicable.
The risk of inaccurate information is also specifically mitigated through the identity verification process performed by participating Criminal Justice Agency forensic laboratories to confirm a potential match. The identity must be confirmed prior to the disclosure of any personally identifiable information to the law enforcement entity who submitted the DNA sample.
Lastly, notice is provided as described in Section 5.1.
“About 27.6 million people around the globe are ensnared by modern slavery, which refers to people being forced to work and losing their freedom due to imprisonment, threats of violence, debt bondage, or retention of their identity papers, according to the United Nations’ International Labor Organization.”
“As proven at trial, between 2006 and May 2018, [Nicole] Daedone and [Rachel] Cherwitz obtained the labor and services of multiple young women who had turned to OneTaste for healing and spirituality by coercing them to perform labor, including sexual labor, for the defendants’ benefit.”
“In 2017, Ms. Daedone sold OneTaste for $12 million, prosecutors said. The former OneTaste.us website now directs visitors to The Eros Platform, a community that still promotes its affiliation with Daedone, Cherwitz and their Orgasmic Meditation practice. The Eros Coaching Collective still advertises a three-session OM training package for $525.”
H/T Donal Greene for this story of non-person entities that were really people.
“The nate app purported to take care of the remainder of the checkout process through AI: selecting the appropriate size, entering billing and shipping information, and confirming the purchase….In truth, nate relied heavily on teams of human workers—primarily located overseas—to manually process transactions in secret, mimicking what users believed was being done by automation.”
The most widely known member of the suite is SOC 2® – SOC for Service Organizations: Trust Services Criteria. But you also have SOC 1, SOC 3, SOC for Cybersecurity, SOC for Supply Chain, SOC for Steak…whoops, I made that one up because I’m hungry as I write this. But the others are real.
Who runs the SOC suite
But the difference about the SOC suite is that it’s not governed by engineers or scientists or academics.
I’m talking about the AICPA, the American Institute of Certified Public Accountants (now part of the Association of International Certified Professional Accountants).
Which raises the question: why are a bunch of bean counters defining compliance frameworks for cybersecurity?
Why CPAs run the SOC suite
Ask Schneider Downs. As an accounting firm, they may have an obvious bias regarding this question. But their answers are convincing.
“CPAs are subject matter experts in risk management.” You see, my reference above to “bean counters” was derogatory and simplistic. Accountants need to understand financial data and the underlying risks, including vulnerabilities in cash flow, debt, and revenue. For example, if you’ve ever talked to a CxO, you know that revenue is never guaranteed.
“It was a natural progression to go from auditing against financial risk to auditing against cybersecurity risk.” Now this may seem odd on the surface, because you wouldn’t think mad Excel skills will help you detect deepfakes. But ignore the tools for a moment and look at a higher level. Because of their risk management expertise, they can apply that knowledge to other types of risk, including non-financial ones. As Schneider Downs goes on to say…
“CPAs understand internal control concepts and the appropriate evidence required to support the operating effectiveness of controls.” You need financial controls at your company. You aren’t going to let the summer intern sign multi-million dollar checks. In the same way you need to identify and evaluate the internal controls related to the Trust Services Criteria (TSC) associated with SOC 2: security, availability, processing integrity, confidentiality, and privacy.
So that’s why the accountants are running your SOC 2 audit.
And don’t try to cheat when you pay them for the audit.
And one more thing
A few of you may have detected that the phrase “SOC it to me” is derived from a popular catchphrase from the old TV show Rowan & Martin’s Laugh-In.