(Updated 4/16/2022 with additional benefits information.)
Everything is virtual
Many of our lives changed significantly in March 2020, when we left our offices and cubicles and decamped to makeshift desks in our homes. Since that time, those of us who are still working from home (WFH) have interacted with others via telephone, Cisco WebEx, Google Meet, Microsoft Teams, Slack, Zoom, and other virtual collaboration tools.
As part of our Sustainability Strategy and commitment to reach net zero greenhouse gas emissions by 2045, SDG&E is launching a Virtual Power Plant (VPP) Pilot Project in 2022, an initiative to strengthen community resilience and electric reliability in the unincorporated community of Shelter Valley in East San Diego County.
SDG&E realizes that you can’t just talk about the features of virtual power plants. SDG&E’s customers don’t care about features. Its customers only care about what’s in it for them. So SDG&E collected some benefits of virtual power plants.
(4/16/2022: For additional information on benefits, click here.)
The first benefit: community resilience and electric reliability
The first benefit that SDG&E identified for VPPs can be found in the text above, where it noted that virtual power plants can “strengthen community resilience and electric reliability.”
Now I’ll grant that Californa isn’t Texas, but there are more and more times where California’s electric power goes out, due either to very high temperatures, very high winds, or very high fire danger.
So SDG&E consumers (and consumers from other electric utilities) are more interested in electric reliability. If VPPs can provide that reliability, great!
So how does a VPP strengthen community resilience and electric reliability?
A key element of a VPP is its distributed energy resources, or DERs. With home-based solar power, batteries, smart thermostats, and other energy technologies, the days of a single centralized power source are over.
The second benefit: lower investment and operating costs
But rather than siloing these DERs, a VPP arranges to have them work as a single unit, just like a conventional power plant, but with a difference.
In other words, a VPP can mimic or potentially replace a conventional power plant and help address distribution network bottlenecks, but with lower investment and operating costs.
Note that SDG&E doesn’t take this a step further and say that this will result in a reduction in building of conventional power plants.
Since VPPs look like residential/commercial communities (because they are), most of us think that VPPs are prettier than many conventional power plants such as this one. By Cgord (talk) – (Cgord (talk)) created this work entirely by himself. Transferred from Wikipedia., GFDL, https://commons.wikimedia.org/w/index.php?curid=19912142
And SDG&E definitely doesn’t say that this will result in lower rates for energy consumers. But maybe some energy utility will make this commitment.
A musical postlude
A major component of a VPP is the solar energy that is generated by solar cells on people’s homes. Of course, solar energy is nothing new, as those of us who recall a certain song know all too well.
(UPDATE: I have indicated portions of this post that include speculation from myself and others.)
When I wrote “About THAT Reuters article” (specifically, the February 4 articlespeculating about a possible sale of IDEMIA by Advent International to Thales Group), I noted that I have no expertise in predicting corporate acquisitions.
However, I’ve experienced three of them, including Motorola’s acquisition of Printrak in 2000, Safran’s acquisition of Motorola’s Biometric Business Unit in 2008-2009, and Advent International’s acquisition of Safran’s Morpho unit in 2016-2017 (and Advent’s merger of Oberthur and Morpho to form OT-Morpho, later IDEMIA).
None of these was a simple matter of the acquiring company and the acquired company approving the acquisition. It was more complicated than that.
Under the Hart-Scott-Rodino Antitrust Improvements Act of 1976, and the rules promulgated under the Hart-Scott-Rodino Act, Printrak, Acquisition Sub and Motorola cannot complete the Merger until they notify and furnish information regarding the acquisition of Printrak by Acquisition Sub to the Federal Trade Commission and the Antitrust Division of the U.S. Department of Justice and satisfy specified waiting period requirements. Printrak and Motorola (as the sole stockholder of Acquisition Sub) filed notification and report forms under the Hart-Scott-Rodino Act with the FTC and the Antitrust Division on September 26, 2000 and received early termination of the waiting period from the Federal Trade Commission effective October 11, 2000.
In addition, Printrak and Motorola are required to furnish certain information and materials to the antitrust authorities of Argentina, Brazil, the Federal Republic of Germany, and Romania. Filings were made in Argentina on September 22, 2000, in Brazil on September 19, 2000 and in the Federal Republic of Germany on September 27, 2000. German antitrust authorities have one month after the parties file their application to review the transaction. During that one month period, they can either approve the transaction or initiate an examination of the transaction which could take an additional three months, during which time the parties cannot close the transaction. During this three month period, the antitrust authorities will either approve the transaction or prohibit it. Approval may be granted before the initial one month review or before the additional three month review period. If approved, the antitrust authorities can not later challenge the transaction under their merger law but could challenge the transaction under other provisions of their antitrust laws. Printrak and Motorola intend to make a post-closing filing in Romania as soon as practicable after the closing.
Why did the Motorola acquisition of Printrak require all of those approvals? Because Printrak did business in these countries (and many others), and the governments of those particular countries wanted to exert control over who does business in their country. For example, Printrak was the automated fingerprint identification system (AFIS) supplier in Romania, and the government of Romania had a need to know what would happen if Motorola were to become the supplier of its AFIS. Would all of the fingerprints be replaced by batwings? Would the new owner require the Romanian employees to apply Six Sigma in their everyday lives? Would Romania have to use Iridium to communicate AFIS data?
Well, everyone in the U.S. and the other countries granted approval, and the Motorola acquisition of Printrak was eventually completed, although it took roughly three months to get all the approvals. I remember that we were at a trade show (IACP, I think) with Printrak signage, and received mid-show approval to string up Motorola banners after receiving final approval.
And that was the relatively EASY acquisition of the three that I experienced. The next one was harder.
CFIUS is an interagency committee authorized to review certain transactions involving foreign investment in the United States and certain real estate transactions by foreign persons, in order to determine the effect of such transactions on the national security of the United States.
Because Motorola not only sold fingerprint identification technology, an export controlled technology, but also managed law enforcement data for a number of states and (on a limited basis) for the U.S. Federal Bureau of Investigation and other federal government agencies.
Never mind the fact that France has been a long-standing ally of the United States. Heck, Israel is an ally of the U.S., and we didn’t like it when Israel spied on us.
CFIUS had to make sure that foreign control of Motorola’s biometric assets wouldn’t cause issues. Would French intelligence personnel steal all of the personal identifiable information (PII) from the AFIS databases in Minnesota, North Carolina, and other states?
Safran acquires other things
Eventually CFIUS decided that there was no critical threat and allowed the Safran acquisition of Motorola’s Biometric Business Unit to go through.
After all, it wasn’t like Motorola managed the main FBI criminal database, or state driver’s license databases, or anything like that.
You see, the main FBI criminal database, then known as IAFIS, was already managed by Safran.
And the state driver’s license databases were managed by neither Safran nor Motorola. A separate company, L-1 Identity Solutions, managed the majority of those databases.
So Safran’s acquisition of Motorola’s biometric assets was approved by all necessary government entities, and everyone was happy.
But Safran wasn’t done with its acquisitions, and a few years later acquired L-1 Identity Systems also. So now U.S. driver’s license production would be under French control.
This time around, CFIUS insisted on mitigating the effects of “Foreign Ownership, Control or Influence” (FOCI). Specifically, L-1 Identity Solutions (renamed “MorphoTrust”) was placed under a proxy structure, in which MorphoTrust’s Board of Directors was entirely composed of U.S. citizens. In addition, a number of MorphoTrust employees who were not U.S. citizens were shifted away from MorphoTrust to other Safran companies (most notably MorphoTrak, the company that contained the former Motorola Biometric Business Unit and other stuff).
By the way, I wrote about this before, but it’s in a Bredemarket Premium article so most of you can’t read it. Consider this information a freebie.
Even though they were owned by the same company, and used some of the same hardware components, MorphoTrust and MorphoTrak were managed separately. MorphoTrust had to log its contacts with foreigners, including U.S. employees of the foreign-owned MorphoTrak. Any transactions between MorphoTrust and MorphoTrak had to be carefully monitored to ensure that “foreign” components didn’t sneak their way into MorphoTrust products. And (most notably) because we couldn’t really talk to each other, MorphoTrust and MorphoTrak actually competed against each other on several occasions, including instances in which both subsidiaries proposed fingerprint livescan stations to the same customers.
But we were one big happy fractured family, and CFIUS was satisfied.
Well, until the next acquisition took place.
Advent International (and Oberthur) acquires part of Safran
Remember how I said that I couldn’t really predict acquisitions? After Safran acquired Motorola’s Biometric Business Unit, I thought I was home free. Printrak was the odd man out in Motorola, since our part of Motorola (later becoming Motorola Solutions) specialized in the sale of lots and lots of police radios, while we in Printrak specialized in the sale of a few AFIS systems. Once we joined Safran, we became part of a huge division (Sagem Sécurité, later known as Morpho) that ONLY performed identity functions.
So now an American investment firm would buy a French company.
You can bet that this required a round of approvals on both sides of the Atlantic.
France and the European Union certainly had an interest. As I noted in a recent post about Alaska’s HB389 bill, Advent International was not the sole owner; Advent had to bring the French government-owned entity Bpifrance on as a minority owner. And the European Union had to grant antitrust approval.
But on the U.S. side, CFIUS got involved again because MorphoTrust was part of the acquisition. Never mind the fact that MorphoTrust was now majority American-owned; MorphoTrust’s corporate parent was headquartered in France, and Bpifrance owned part of MorphoTrust.
So what happened?
MorphoTrust was removed from FOCI control, sort of, and merged with MorphoTrak and some parts of Oberthur to form IDEMIA Identity & Security USA LLC.
And my job became really complicated, because I, a former MorphoTrak employee, reported to someone who was a former MorphoTrust employee. And even though the U.S. part of IDEMIA (excluding IDEMIA NSS) was no longer FOCI-mitigated, some leftovers from the old MorphoTrust days were still around.
Initially there were still two separate computer networks, and I had to have access to both of them, which meant that I had to obtain a second computer from the Billerica, Massachusetts office to access the old MorphoTrust network. (Before obtaining that second computer, I had to undergo a security screening.)
Eventually the two separate networks went away…after I left IDEMIA. Actually, I’m not entirely certain that they COMPLETELY went away, but at least the email addresses were all standardized throughout the United States after I left. (Yes, I had two email addresses also.)
Two new complications when some future entity acquires IDEMIA
So what happens in the future? Reuters has speculated what may happen, and I am speculating also.
As I noted previously, Advent International acquires businesses, revamps them, and sells them (hopefully) at a profit.
So even if the Reuters article turns out to be factuallyincorrect, Advent is going to sell IDEMIA someday.
Based upon past acquisitions, I believe it is pretty likely that the French government is going to have some say in the sale. Reuters speculated that nothing will happen until after next month’s Presidential election in France. (See my LinkedIn post in Bredemarket Identity Firm Services about the French election.) The French President, whoever he or she may be when Advent finally tries to sell IDEMIA in 2022, 2023, or 2033, is going to exert control over who the final buyer will be. Perhaps the President may insist that IDEMIA be sold to a French company, or at least a European Union company.
And based upon past acquisitions, I believe it is pretty likely that the U.S. government is going to have some say in the sale. The U.S. President, whoever he or she may be when Advent tries to sell IDEMIA (again, whenever that may occur), is going to exert control over who the final buyer will be, because of the significant business that IDEMIA NSS and the rest of IDEMIA does with U.S. federal, state, and local government entities. Oh, and there’s also the matter of fingerprint identification export control.
But those are not the two complications that I’m talking about. There are two NEW complications.
Possible Complication Number One: IDEMIA has locations all over the world, including a location in Moscow.
As I write this post, a number of Western businesses are ceasing their business operations in Russia because of the war in Ukraine. This has caused issues with the Russian government.
As of Monday (March 14), at least 375 companies had announced some sort of pullback from Russia, according to a list maintained by the School of Management at Yale University. The list includes companies that have cut ties with Russia completely, as well as those that have suspended operations there while attempting to preserve the option to return.
According to multiple media reports, dozens of Western companies have been contacted by prosecutors in Russia with warnings that their assets, including production facilities, offices, and intellectual property, such as trademarks, may be seized by the government if they withdraw from the country.
Unless IDEMIA is acquired by a Russian company (which is extremely unlikely, given French and U.S. interests), anyone who acquires IDEMIA (or any company with Russian offices) has to consider how Russia will react. Will the Russian portion of the business be a total loss? Will Russian entities acquire IDEMIA intellectual property? (This would be ironic, considering some past allegations that have been made but not IMHO proven.)
But Russia isn’t the only potential complication of a sale of IDEMIA.
Possible Complication Number Two: IDEMIA also has locations in Beijing, Hong Kong, and Shenzen. And it’s possible that the Chinese government is going to have some interest in who IDEMIA’s future owner will be.
It is possible that China’s State Administration for Market Regulation (SAMR) might review any acquisition.
In early September of 2021, China’s competition authority, the State Administration for Market Regulation (“SAMR”) issued a report (“SAMR 2020 Report”) summarizing its Anti-Monopoly Law enforcement activities during the period covering the 13th Five-Year Plan (2016-2020).
While relations between the West and China are certainly better than current relations between the West and Russia, there is always an underlying tension in those relations. For example, if a Taiwanese company were to acquire IDEMIA, this could be considered a declaration of war.
And in the specific case of IDEMIA, the biometric algorithms from IDEMIA directly compete with biometric algorithms from China. The February 2022 printed version of the NIST FRVT 1:1 report indicates that dozens of tested facial recognition algorithms are of Chinese origin, including algorithms from Cloudwalk, Dahua, Fujitsu, Hikvision, Megvii, Sensetime, Tencent, Xforward, and a host of other companies and universities.
What if (again, I’m speculating) China decides to oppose an acquisition of IDEMIA unless it receives assurances that IDEMIA will not threaten the domestic Chinese biometric providers?
Conclusion
So whoever buys IDEMIA from Advent may have to pay attention to government regulators in the U.S., France, the European Union, and possibly Argentina, Brazil, China, Germany, Romania, and Russia.
People in the biometric and banking industries like to use the word “frictionless.” It refers to the ability to make tasks such as building access and online purchases as easy as possible. When you make a purchase as hard as possible, it’s referred to as “friction.”
Provided that the transaction is secure, a frictionless transaction is preferable to a friction one. If you introduce too much friction into an operation, then the person trying to access a building or the person trying to complete an online transaction will give up. In the finance world, the online transaction is “abandoned,” sometimes after the potential buyer has already selected what they want to purchase. The end result is referred to in the industry as an abandoned shopping cart.
(And no, I don’t know the German for “abandoned,” but whatever it is, you can pair it with “Einkaufswagen” and come up with a really long description.)
At one point in my corporate career, I was looking at (virtual) abandoned shopping carts, and trying to figure out how digital identity mechanisms could reduce the number of abandoned shopping carts for online transactions. Any reduction would naturally translate to increased sales and increased profits for the online vendor.
Well, at this point in my post-corporate career, I was able to look at abandoned shopping carts from another perspective.
I abandoned a shopping cart this morning.
Not because of a horrendous CAPTCHA.
I abandoned it because the vendor wasn’t there.
Check
When I started Bredemarket in 2020, one of the things that I did was open a business banking account. The process was a little complex because of raging COVID, since I had to submit all of my relevant documents online. (I also looked at THAT issue during my corporate years.)
As I finished setting up the account, my bank provided me with an offer for business checks. The offer was relatively expensive and didn’t include that many checks, but I didn’t care about that because I didn’t need that many checks anyway. In fact, after thinking about it, I decided that I didn’t need ANY checks. My business was just starting, and I couldn’t really afford to throw away money on extravagances such as bank checks.
And I got by for a while, until February 2022. I was considering a particular purchase from a small nonprofit, and I noticed that this small nonprofit didn’t take credit cards, or Zelle, or PayPal, or Venmo. (Or Bitcoin.) This nonprofit accepted payment in…checks.
So I decided that after a year, it’s time that Bredemarket had its own checks like all the cool companies have. I didn’t need that many, but obviously I was going to need one or two or a few.
So I logged in to my bank’s website to order some checks.
Now why would I log into the bank’s website to buy something that I knew was expensive? Again, the frictionless experience. It was worth some money to me to just go directly to my bank and order the expensive item, rather than having to hunt around for some other service and order the less expensive item. After all, my bank had all my information right there, so ordering checks through the bank should be a breeze, right?
Not exactly.
After logging in to my bank account nd searching through several places on the website, I finally found out that I could order checks. Not online on the bank’s own website, but via an 800 number belonging to the bank’s third party check printing partner.
So I called the 800 number…and was disconnected.
So I called the 800 number again.
(For those playing along at home, take a moment and count the number of instances of friction that I have encountered so far in making this purchase that I thought was going to be really really frictionless. There will be more instances as we go along.)
Now telephone customer service centers are wonderful things. (I should know, I just finished a job for a client that included a discussion of a telephone customer service center, and the CSC was a wonderful thing.) While I know of people who despite phone trees, they have the advantage of getting you help as soon as possible. And once you’re routed to the proper department, even if you’re not immediately helped, the phone trees often tell you either how many people are ahead of you in line, or approximately how long it will take before someone helps you. (The REALLY good phone trees take your number and call you back, so you don’t have to sit on hole.)
My bank doesn’t have a good phone tree.
I think I answered one or two simple questions at most, and then learned that all of their representatives were busy. I didn’t learn how many people were ahead of me in line. I didn’t learn how long it would take to answer my call. Instead, I was fed promotional stuff about some streamling TV special of some sort. I didn’t pay attention to the details, because I was thinking to myself:
John, why are you sitting on hold to buy expensive bank checks?
So I abandoned my shopping cart before I even had a chance to put anything into it.
Checkmate
I then went to the website of one of the major warehouse stores (the one that ISN’T based in Arkansas) where I had a personal membership, easily found the link in the business services section where I could order checks online, went to the warehouse store’s check vendor, and (in a fairly frictionless fashion) ordered checks for Bredemarket. The most typing that I did was to input my bank account routing information and account number, and input my warehouse membership number to get the warehouse discount. (My business address is saved in my browser. It’s not a huge security risk to do this.)
I immediately received two emails.
One was from the check vendor, with information about my order, including the items ordered, the anticipated delivery date, and a link to track the status of my order. (It’s in production.)
The other was from my bank, informing me that an online purchase had just been made from my bank account.
Unfortunately for the bank, it probably doesn’t have the advanced analytics to link that purchase from a check printing company to my unanswered phone call to the bank’s own check printing company a few minutes prior.
Because if the bank was able to put two and two together, it would realize that the money I paid to that check printing company could have gone to the bank’s check printing company instead.
But how to measure?
There’s one interesting wrinkle in the measurement of this abandoned shopping cart.
I never got to the point of receiving a price quote from the bank’s check printer, but from my hazy recollections from 2020, I think that the price that I paid for checks today was roughly half what the bank’s check printer would have charged me. (And I got more checks, but since I probably won’t use them all, that isn’t really a factor.)
So the warehouse’s check printer made a sale of $x, while the bank’s check printer lost a sale of roughly twice that amount, or $2x.
And I have an additional $x in my pocket which I wouldn’t have had if the bank’s check printer had answered its phone before I had second thoughts.
I intentionally chose an obscure title for this post.
I could have entitled the post “Ricardo Montalban.” Just because.
In a more relevant way, I could have entitled the post “Former IDEMIA employee weighs in on Advent’s possible sale of the company.” That would have got some clicks, to be sure.
But it would have misled the reader, because the reader would have gotten the idea that I have some expertise in corporate acquisitions, and an abillity to predict them.
And as past history has shown, I do not have any such expertise.
In 2000, I was completely and totally surprised when I learned that Printrak wanted to sell itself to Motorola. I didn’t have a clue that any such thing was going to happen.
In 2008, I was reading online late one evening and was completely and totally surprised when I learned that Motorola wanted to sell off half of Printrak to the French company Safran, the Sagem Morpho folks. Yes, Motorola was in trouble, but I didn’t have any idea that we would be sold off.
Years later, I was kinda sorta surprised when Safran decided that it wanted to get rid of its entire identity and security business, and was completely and totally surprised when the buyer was an American investment firm that owned Oberthur Technologies.
So my record on really understanding these acquisitions is pretty low.
With that caveat, I’ll go ahead and use a really eye-catching SUBtitle. Better late than never.
Former IDEMIA employee weighs in on Advent’s possible sale of the company
Impressive, isn’t it?
But before proceeding, I should let you know about THAT Reuters article that I referenced in the real post title.
Advent (actually, Advent International) is the American investment firm that I mentioned earlier. As an investment firm, its purpose in life is to buy businesses, improve them, and sell them for a profit.
So Advent began thinking about ways to make Oberthur more attractive.
At the same time, Safran was trying to decide what to do with its identity and security business. The purchase of Printrak was just a blip in Safran’s plans, as it acquired L-1 Identity Solutions (renamed MorphoTrust) and other businesses. But Safran is not an identity and security company. It’s a “de plane” company.
Anyway, in the end Advent announced in 2016 that it had entered into an agreement to negotiate the purchase of Safran’s identity and security business. The purchase was completed on May 31, 2017, and Advent combined Oberthur (OT) and the portion of Safran (Morpho) into OT-Morpho, which was quickly renamed IDEMIA.
I was an employee of IDEMIA at the time, and I don’t think I’m spilling any company secrets if I reveal that Advent wanted IDEMIA to do really really well, so that it could make a profit on the two acquisitions. I wasn’t at the highest executive level that was setting the high-level strategy, but I was often working on initiatives to help realize Advent’s profitability goal.
The possibility of an IDEMIA IPO or sale receded somewhat in early 2020. Among other things, COVID adversely affected two of IDEMIA’s core businesses in the United States, TSA PreCheck (nobody was flying) and driver’s licenses (the DMV offices were all closed).
Advent International is looking to sell its French biometrics and fingerprint identification firm IDEMIA in a deal worth up to $4.6 billion as it seeks to capitalise on growing demand for cybersecurity assets in Europe, two sources told Reuters.
The U.S. buyout fund is reviewing a series of options to sell IDEMIA, including a possible break-up of the company which was formed in 2016 by combining Safran’s identity and security business with Oberthur Technologies, the sources said.
As you, the wise reader, know, Reuters goofed here.
IDEMIA was NOT formed in 2016. The formation of IDEMIA was ANNOUNCED in 2016, but the deal wasn’t actually COMPLETED until 2017. Hey, at least Biometric Update got it right.
Anyway, if you read either Reuters or Biometric Update, you’ll learn that nothing is going to happen immediately (France is holding an election in April, and the composition of the new government could impact any sale), and that the possible split-up may separate the part of the business that sells to governments from the part that sells to commercial firms.
Of course, the big question about any sale of IDEMIA would be the identity of the buyer. Would Advent try (again) to issue an IPO, or would Advent look for one or more existing companies to purchase IDEMIA?
Both Reuters and Biometric Updare speculate that Thales could be a potential buyer. While Safran was slimming down to concentrate on its aircraft business, Thales has been beefing to to diversify its business, most notably in its purchase of Gemalto. (As people in my industry know, that purchase provided Thales with the technology of the old Cogent Systems.)
However, there are two possible issues with a Thales purchase of all or part of IDEMIA.
Antitrust issues. Automated fingerprint identification systems isn’t the only product that Thales and IDEMIA have in common. For example, both companies provide driver’s licenses in the United States. As any Thales purchase of IDEMIA is considered by the United States, France, and dozens of other countries, the deal could be opposed on antitrust grounds. This can be mitigated by limiting what Thales can buy, but it could complicate matters.
Thales is French. Some of the driver’s license and biometric technology that IDEMIA sells was developed in the United States, and is used by many government agencies, including the Federal Bureau of Investigation and the Department of Homeland Security. At present, while IDEMIA is headquartered in France, it is primarily owned by Americans, so there’s a teeny bit of comfort in that. But what if a French firm were to own IDEMIA? The horror! (Many years ago, when Cogent Systems first sold itself, it intentionally chose a U.S. buyer, 3M, for this very reason.) Never mind that the U.S. government has been using French (and Japanese) technology for years, and that some very specific arrangements have been set up to mitigate the risks of foreign ownership. Some Senator or another is guaranteed to raise a big stink if U.S. government institutions are dependent upon a French company.
So perhaps Thales could buy all or part of IDEMIA, or perhaps it may pass. But if Thales passes, are there any U.S.-owned companies that may have an interest in IDEMIA’s technology?
Because of my biometric bias, the first thing that I would consider would be American companies that are active in the biometric market. However, many of the U.S. companies are small, and don’t have a few billion dollars lying around to buy IDEMIA. So don’t look for Aware, Clearview AI, Paravision, Rank One Computing, or the like to be a buyer.
There are of course much bigger U.S. firms in high tech that have dipped their fingers into the biometrics market. Amazon, Apple, Facebook, Google, and Microsoft all come to mind. However, those same customers that are of prime concern to U.S. Senators are also or prime concern to the employees of some of those firms, who don’t want their employers to do business with the “evil” Department of Homeland Security or even the “evil” local police departments that should all be defunded. (Amazon quit selling Rekognition to police agencies, for example.) Even Apple, which is developing its own digital driver’s license technology, is probably reluctant to own IDEMIA.
But there’s one tech company that intrigues me as possibly having an interest in IDEMIA.
Oracle.
It’s big enough to make the purchase, certainly likes to make acquisitions, and has no hesitation about working with government agencies.
ANY government agency.
After all, the name “Oracle” came from a database project that Ellison worked on before founding the company with the same name.
His client was the Central Intelligence Agency.
If you’ve paid attention to this article, then you already know that since I have speculated that Oracle could purchase IDEMIA, that puts the chances of Oracle actually purchasing IDEMIA at zero.
And for all we know, Reuters’ two sources might be unreliable, or something else might happen (another COVID variant?) that could cause Advent to hold on to IDEMIA for a few more years.
I live in the United States in a fairly industrialized society with a heavy focus on individual rights, and a (general) preference toward a focus on the brain and body rather than the soul.
This view shapes how I approach a number of topics, including biometrics and digital identity. For example, if my biometrics are encoded on a physical card or in some type of digital representation, I merely think of this as a way to individually identify myself from other individuals.
Yes, taonga. As you can see, the Maori people have their own language. (And their own views on the individual, society, and identity.) While there is no direct translation of “taonga” to English, the word has been described to mean a treasured possession.
I don’t know about you, but when I look at the ridges on the tips of my fingers, “treasured possession” is not the first thought that comes to mind.
And that’s the problem.
Maori data experts say there has been a lack of undertsanding about te ao Māori (Māori world view) and data sovereignty principles by the Government in the process of making two new data laws.
The Gisborne Herald quotes Dr. Warren Williams regarding how the two data laws (The Digital Identity Services Trust Framework and The Consumer Data Right) could affect the Maori.
Data is a taonga (treasured possession) for me. It is something to be cherished, protected and cared for. And with that comes responsibility….
Māori want to be able to protect our data. We want to have real ownership of our data. We want to understand where it has been stored.
Where there is physical storage of data, can we access that? Or those who hold our data, are they looking after it in a way that is respectful?
Sovereignty is not just ownership but also how it’s cared for, how it’s looked after, how it’s shared. If I say I give you permission to share data about myself to a certain group, sometimes the holder of that data can refuse because it’s private.
This data perspective is literally foreign to many government bureaucrats and policy advocates in North America, the European Union, and other more industrialized societies. Can you imagine someone in Brussels, Belgium or Springfield, Illinois talking about being “respectful” while “caring” for data?
So now let’s move to another Maori word, “tikanga,” which leads us to discuss a profound difference between Western individual perspectives and Maori collective perspectives. This was discussed in that great cultural publication Computerworld, in its description of the “Tikanga in Technology” project.
The project’s focus is on how tikanga Māori (customary protocols) and Mātauranga Māori (indigenous knowledge) inform “the construction of digital identities and relational responsibilities to data. … The world is undergoing disruptive change as rapid advances in data linkage and powerful digital technologies converge. For Indigenous peoples, these innovations are a double-edged sword, creating vast potential for improved well-being as well as major risks of group exploitation and harm. The current narrow focus on individual data rights and protection is failing us. We need a profoundly different approach—one that recognises collective identities and allows data to be understood through a wider set of ontological realities.”
Even in our society, identification is not a completely individualistic activity. One common example is how an individual’s DNA can be used to identify a relative who may have engaged in criminal activity, or who may have been a victim of an untimely death (criminal or otherwise). We as a society are struggling with the ramifications of this, and trying to balance the need to satisfy a public good with the need for privacy, including how I can inadvertently (or purposely) reveal something that may violate the privacy of another person.
Another example is when the needs of a biometric modality such as facial recognition are affected by religious or societal needs that cause people to shield that particular biometric. Religious mandates in certain groups to veil one’s face have recently been joined by medical mandates in certain groups to mask one’s face, causing uproars and changes in the biometric world.
Sometimes, the biometric rules adjust, such as Apple’s allowance to use a different identification method (such as something you know) when a face is obscured.
The Maori are taking this concern with the collective (vs. the individual) a step further, with their concern about “group exploitation and harm.”
So how do these views of the collective impact people such as myself, who toss out phrases such as “identification of individuals” from decades of habit?
Over the last few years, I have approached digital identity(ies) from a particular perspective, concentrating on the different types of digital identities that we have (none of us has a single identity, when you think about it), and the usefulness of these identities for various purposes, including purposes in which the identity of the person must be well established.
Well, let’s add one more organization to the list of those concerned about digital identity: the United Nations.
Although actually “the United Nations” is in reality a whole bunch of separate organizations that kinda sorta work together under the UN umbrella. But each of these organizations can get some oomph (an international relations diplomatic turn) from trumpeting a UN affiliation.
Based at the United Nations, the Better Than Cash Alliance is a partnership of governments, companies, and international organizations that accelerates the transition from cash to responsible digital payments to help achieve the Sustainable Development Goals
Note right off the bat that the Better Than Cash Alliance is not focused on digital identity per se, but digital payments. (Chris Burt of Biometric Update notes this focus.) Of course, digital payments and digital identity are necessarily intertwined, as we will see in a minute.
Enter the Sustainable Development Goals
But more importantly, digital payments themselves are not the ultimate goal of the Better Than Cash Alliance. Digital payments are only a means to an end to realize the United Nations Sustainable Development Goals, issued by a different UN organization.
Because of its primary focus, the Better Than Cash Alliance concentrates on issues that I myself have only studied in passing. For example, I have concentrated on the issues faced by people with no verifiable identity, but have not specifically looked at this from the lens of Sustainable Development Goal number 5, Gender Equality.
Principle 2 of the UN Principles for Responsible Digital Payments (October 2021 revision)
One of the key factors outlined in the report is “trust.” Now trust can have a variety of meanings (including trust that the information about my identity will not be used to throw me into a terrorist concentration camp), but for my purposes I want to concentrate on the trust that I, as a digital payments recipient, will receive the payments to which I am entitled.
To that end, the revised principles include items such as “ensure funds are protected and accessible” (principle 2), “champion value chain accountability” (principle 9), and other principles that impact on digital identity.
The introduction to the discussion on principle 2 highlights the problem:
A prerequisite of digital payments is that they match or surpass the qualities of cash. All users rightly expect their funds to be safe and readily available, but this is not always the case. The causal factors behind this are multiplex.
(“Multiplex”? Yes, this document was written by government committees. Or movie theater owners.)
To avoid the multiplexity of these issues, one offered response is to “proactively track and protect against unauthorized transactions, including fraud and mistakes.” This can be done by several methods near and dear to us in identity-land:
Advocate for appropriate security controls to mitigate transaction risks (e.g., biometric security,34 two factor authentication,35 limits on logins or transaction amounts,36 creating “need-to-know” administrative privileges for interacting with client data).
Now most people who read this report aren’t interested in the footnotes. But I am. Here are footnotes 34, 35, and 36 from the document.
34 Examples include the use of biometrics in India’s Aadhaar identification system, and UNHCR’s use of iris technology to distribute cash to refugees in Jordan
35 See EU PSD2 Articles 97–98, Ghana’s Payments Systems and Service Act, 2019 (section 65(1)), and Malawi’s 2019 e-Money regulations (section 17)
36 India Master Direction on Prepaid Payment Instruments, Section 15.3
Of course the report could have cited other examples, such as the use of fingerprints for benefits payments in the United States in the 1990s and 2000s, but I’m sure that falls afoul of some Sustainable Development Goal.
Although it’s harder to criticize a UN entity, such as the aforementioned UNHCR, when it uses biometrics.
Refugees should not be required to hand over personal biometric data in exchange for basic needs such as purchasing food, or accessing money. However, iris scan technology supplied by UK-registered company, IrisGuard, is reportedly being used by the World Food Programme (WFP) and the United Nations High Commissioner for Refugees (UNHCR) in refugee camps and urban centers in Jordan.
Based on reports suggesting the absence of meaningful consent, and an opaque privacy policy, Access Now has serious objections to the lack of transparency and privacy safeguards around this precarious tech rollout.
Wow. Jordan is as bad as Illinois. Maybe Jordan needs a BIPA! Hope their doorbell cameras aren’t a problem…
So while the Better Than Cash Alliance is focusing on other things, it’s at least paying lip service to some of the stronger identity controls that many in the identity industry advocate.
Of course, it’s outside of the scope of the Better Than Cash Alliance to dictate HOW to implement “appropriate security controls.”
But anything that saves the whales AND the plankton (and complies with BIPA) will be met with approval.
I’m sure that many people imagine that standards are developed by a group of reasonable people, sitting in a room, who are pursuing things for the good of the world.
You can stop laughing now.
As I noted back in 2013, and again in February, there are many instances in which standards do not evolve from a well-designed process. In reality, standards emerge via that process that I referred to in February as “brute force.”
For those who are not familiar with the “brute force” process, I’ll provide two illustrations.
If a lot of people like something, it’s a standard.
If a trillion dollar company likes something, and I like something different, then the thing that the trillion dollar company likes is a standard.
If two trillion dollar companies like two different things…it can get messy.
Back in February, I was just beginning to talk about something that I called “health passports” at the time. Later, I personally decided that “health passports” is a poor choice of words, and have instead gravitated to using the phrase “vaccine certificate.”
Regardless, my concern back in February was that there were all sorts of these things floating around. Even back then, Clear had its own solution, IATA had one, IBM had one, iProov had one, Daon had one, and there were many, many more.
So what happens if I have a Clear vaccine certificate but the airline or building that I’m approaching supports the iProov certificate? Can the iProov certificate read the Clear certificate? Or do I have to get multiple certificates?
This post looks at a new development in the vaccine certificate brouhaha. I’m not talking about what vaccines are honored by the vaccine certificate, but about acceptability of the vaccine certificates themselves. In particular, I’m talking about acceptance of one certificate, the EU Digital COVID Certificate (EUDCC).
How do international air transport folks feel about the EUDCC?
While the EUDCC can conceivably be used for a number of use cases, such as entering a private business like a restaurant, one of the most popular use cases for the EUDCC is to board an airplane that is crossing an international border.
So if there was an organization that was dedicated to the business of flying airplanes across international borders, and if that organization thought that the EUDCC was pretty cool, then that endorsement would have as much pull as Google (and Facebook) endorsing a web image format.
Now those who read my February post will recall that IATA was one of those groups that was already developing its own vaccination certificate. So how does the EUDCC compare with the the IATA Travel Pass?
The DCC…is fully supported by IATA Travel Pass.
But in addition to mere self-interest, there is another reason why IATA is endorsing the EUDCC: it’s supported by a lot of countries inside the EU, and other countries are looking at the EUDCC as a model.
The EU DCC is implemented in the 27 EU Member states and a number of reciprocal agreements have been agreed with other states’ own vaccination certificates, including Switzerland, Turkey, and Ukraine. In the absence of a single global standard for digital vaccination certificates, up to 60 other countries are looking to use the DCC specification for their own certification.
Oh no, I’m just looking
However, it’s one thing to be “looking” at something, and another thing entirely to actually “do” something.
Before assuming that the EUDCC will become the de facto DCC, consider how two countries in particular will approach it.
This image or media was taken or created by Matt H. Wade. To see his entire portfolio, click here. @thatmattwade This image is protected by copyright! If you would like to use it, please read this first. – Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=5004719
One of those countries is my own, the United States of America. While one can argue whether or not the U.S. enjoys the same level of power that it enjoyed immediately after the end of the Cold War, it is still a major player in world economic and travel affairs. And regardless of who the President of the United States is at any given time, the U.S. has often decided to go its own way. Couple this with the power of individual U.S. states in my country’s federal system, and it’s quite possible that even if the U.S. goes along with IATA, and some form of the EUDCC is adopted by our Transportation Security Administration, that does not necessarily mean that the same certificate can be used as it is in Europe to grant access to museums, sporting events, and concerts.
The other country that may have an issue with the EUDCC is China. If the United States is potentially a waning world power, China is potentially a gaining world power. The relationship between China and the rest of the world varies from time to time and from issue to issue. China may decide that it’s not in its best interest to adhere to an international standard for certifications of COVID vaccination, testing, or contraction. And if it’s not in China’s best interest, China won’t do it.
So before declaring that IATA endorsement of the EUDCC settles the issue…we’ll see.
THE TALIBAN HAVE seized U.S. military biometrics devices that could aid in the identification of Afghans who assisted coalition forces, current and former military officials have told The Intercept.
This post talks about the data the Taliban could POTENTIALLY get from captured biometric devices and other sources, and how that data could conceivably pose a threat to the Taliban’s enemies AND the Taliban itself.
What data could the Taliban get from biometric devices?
The specific device referenced by the Intercept article was HIIDE…and let’s just say that while I don’t know as much about that device as I should, I do know a little bit about it. (It was manufactured by a company that was subsequently acquired by Safran.)
Another source implies that the Taliban may have acquired another device that the Intercept DIDN’T reference. The Taliban may not only have acquired live HIIDE devices, but also may have acquired devices from another company called SEEK.
(Yes, folks, these devices are called HIIDE and SEEK.)
At the time that this was revealed, I posted the following comment on LinkedIn:
Possession is not enough. Can the Taliban actually access the data? And how much data is on the devices themselves?
Someone interviewed by the Intercept speculated that even if the Taliban did not have the technological capability to hack the devices, it could turn to Pakistan’s Inter-Service Intelligence to do so. As we’ve learned over the years, Pakistan and the Taliban (and the Taliban’s allies such as al Qaeda) are NOT bitter enemies.
As I said, I don’t know enough about HIIDE and SEEK, so I’m not sure about some key things.
For example, I don’t know whether their on-board biometric data is limited to just biometric features (rather than images). While there’s the possibility that the devices stored biometric images, that has a drawback because of the large size of the images. Features derived from the images (which are necessary in matching anyway) take up much less storage space. And while biometric images are necessary in some cases (such as forensic latent fingerprint examination), there’s no need for images in devices that make a hit/no-hit decision without human intervention.
In addition, I don’t know what textual data is linked to the features (or images) on these devices. Obviously the more textual information that is available, such as a name, the more useful the data can be.
Also, the features stored on the devices may or may not be useful. There is no one standard for the specification of biometric features (each vendor has its own proprietary feature specification), and while it may be possible to convert fingerprint features from one vendor system to be used by another vendor’s system, I don’t know if this is possible for face and iris features.
Best-case scenario? Even if the Taliban or its friends can access the data on the devices, the data does not provide enough information for it to be used.
Worst-case scenario? The data DOES provide enough information so that EVERY PERSON whose data is stored on the device can be identified by a Taliban-equivalent device, which would presumably be called FIND (Find Infidels, Neutralize, Destroy).
I’ll return to that “every person” point later in this post.
But biometric data isn’t the only data that might have fallen into the Taliban’s hands.
What data could the Taliban get from non-biometric devices?
Now Politico has come out with its own article that asserts that the Taliban can potentially acquire a lot of other data. And Politico is not as pessimistic as the Intercept about the Taliban’s tech capabilities:
That gives today’s technologically adept Taliban tools to target Afghans who worked with the U.S. or the deposed Afghan government with unprecedented precision, increasing the danger for those who don’t get out on evacuation flights.
Before looking at the data the Taliban may have acquired, it’s useful to divide the data sources between data acquired from clients and data acquired from on-premise servers. HIIDE and SEEK, for example, are clients. (I’m only talking about on-premise servers because any data stored in a US government cloud can hopefully be secured so that the Taliban can’t get it. Hopefully.)
Unlike HIIDE and SEEK, which are mobile client devices, the Politico article focuses on data that is stored on on-premise Afghan government servers. It notes that American IT officials were more likely than Afghan IT officials to scrub their systems before the Taliban takeover, and one would hope that any data stored in US government cloud systems could also be secured before the Taliban could access it.
So what types of data would the Afghan government servers store?
Telecom companies store reams of records on who Afghan users have called and where they’ve been. Government databases include records of foreign-funded projects and associated personnel records.
More specifics are provided regarding telecom company data:
Take call logs. Telecommunications companies keep a record of nearly every phone call placed and to whom. U.S. State Department officials used the local cell networks to make calls to those who were working with the United States, including interpreters, drivers, cooks and more…
And mobile phone data is even more revealing:
Cell phones and mobile apps share data about users with third-party apps, such as location data, that the Taliban could easily get…
The geolocation issue has been known for years. Remember the brouhaha when military users of a particular fitness app effectively revealed the locations of secret U.S. military facilities?
In locations like Afghanistan, Djibouti and Syria, the users of Strava seem to be almost exclusively foreign military personnel, meaning that bases stand out brightly. In Helmand province, Afghanistan, for instance, the locations of forward operating bases can be clearly seen, glowing white against the black map.
Now perhaps enemy forces already knew about these locations, but it doesn’t help to broadcast them to everyone.
Back to Afghanistan and other data sources.
Afghan citizens’ ethnicity information can also be found in databases supporting the national ID system and voter registration.
This can be used by digital identity opponents to argue that digital identity, or any identity, is dangerous. I won’t dive into that issue right now.
Politico mentions other sources of data that the Taliban could conceivably access, including registration information (including identity documents) for non-governmental organization workers, tax records, and military commendation records.
So if you add up all of the data from all of the Afghan servers, and if the Taliban or its allies are able to achieve some level of technical expertise, then the data provides enough information so that EVERY PERSON whose data is stored on the servers can be identified by the Taliban.
Before we completely panic…
Of course it takes some effort to actually EMPLOY all of this data. In the ideal world, the Taliban would create a supercomputer system that aggregates the data and creates personal profiles that provide complete pictures of every person. But the world is not ideal, even in technologically advanced countries: remember that even after 9/11, it took years for the U.S. Departments of Justice, Homeland Security, and Defense to get their biometric systems to talk to each other.
Oh, and there’s one more thing.
Remember how I’ve mentioned a couple of times that the Taliban could conceivably get information on EVERY PERSON whose data is stored on these devices and servers?
One thing that’s been left unsaid by all of these commentaries is that this data trove not only reveals information about the enemies of the Taliban, but also reveals information about the Taliban itself.
The HIIDE and SEEK devices could include biometric templates of Taliban members (who would be considered “enemies” by these devices and may have been placed on “deny lists”).
The telecommunications records could reveal calls placed and received by Taliban members, including calls to Afghan government officials and NATO members that other Taliban members didn’t know about.
Mobile phone records could reveal the geolocations of Taliban members at any time, including locations that they didn’t want their fellow Taliban members to know about.
In general, the records could reveal Taliban members, including high-ranking Taliban members, who were secretly cooperating with the Taliban’s enemies.
With the knowledge that all of this data is now available, how many Taliban members will assist in decrypting this data? And how many will actively block this?
Oh, and even if all of the Taliban were completely loyal, any entity (such as the Pakistani Inter-Service Intelligence) that gets a hold of the data will NOT restrict its own data acquisition efforts to American, NATO, and former Afghan government intelligence. No, it will acquire information on the Taliban itself.
After all, this information could help the Pakistanis (or Chinese, or Russians, or whoever) put the, um, finger on Taliban members, should it prove useful to do so in the future.
And there are a ton of ramifications and unintended consequences.
Covishield and the EUDCC
When I last looked at the EUDCC, I examined its effect on travel from people outside of the European Union. The question at the time was what would happen to people who were vaccinated with something other than the European Medicines Agency-approved vaccines, thus rendering them ineligible for the EUDCC.
In particular, people who were vaccinated with the Covishield vaccine were not eligible for the EUDCC. Depending upon whom you asked, Covishield is either just the same as the EMA-approved AstraZeneca vaccine (now referred to as “Vaxzervria” in EU-speak), or it has a radically different manufacturing process that disqualifies it from automatic acceptance.
This non-recognition of Covishield has a great impact on African nations, because that vaccine is popular there. However, EUDCC disapproval has been offset by the actions of several individual countries to recognize Covishield as a vaccine. For example, Greece recognizes ten vaccines (including Covishield) as opposed to the EU’s four. Of course, you have to go through additional paperwork to get authorization to enter a specific country.
But Joseph Atick notes that there’s another issue that adversely impacts the ability of Africans to enter Europe.
Linking a vaccination to a person
Assume for the moment that you have received an EU-authorized vaccine. This is only part of the battle, because the act of vaccination has to be tied to you as a person.
One of the biggest barriers to setting up these systems—and one that could greatly complicate digital health certificates – involves traceability, which for an official digital ID means documenting one’s birth event.
In Africa, not everyone has a birth certificate, and many struggle to trace their identity to the birth event.
If you cannot prove to the satisfaction of the European Union (or whoever) that you were the actual person who received a vaccine, then you may face barriers to entering Europe (or wherever).
And what are the ramifications of this?
A digital health certificate has appeal as an efficient and effective way to manage COVID-19 risks. But if we don’t pause now to consider the implications of getting it wrong and look for ways to get it right, these marvellous digital innovations could also be supremely effective at creating a binary world of those who can prove their COVID-19 risk status and those who cannot.
The requirement for a digital identity
Oh, and there’s another issue that Atick didn’t address, but which bears noting.
All of the solutions listed above assume as a given that people will be the owners of a unique, government-authorized digital identity.
In my country, both some people on the left and some people on the right believe that “governmental digital identity” naturally equates to “governmental digital surveillance,” and that governments shouldn’t be abusing the data that they can obtain from all the vaccinations you get, all the places you travel, all the things you buy, and all the other things that you do.
(Well, except for voting. Some on the right fervently believe that government identities are essential to voting, even if they’re not essential to any other activity.)
But are people truly banned from travel?
So where does this leave the people who cannot prove that they were vaccinated with an authorized vaccine, or perhaps were never vaccinated at all?
In many cases travel for the unvaccinated is not banned, but they have to go through additional hoops to travel. Using one example, unvaccinated U.S. citizens can travel to Austria if they “have recovered from COVID-19 in the past 180 days; or present a negative COVID-19 PCR or antigen test result procured within 72 or 48 hours of travel.” For more country-by-country specifics as of August 13, click here.
But how will the unvaccinated get to Europe, or anywhere else?
United Airlines isn’t requiring passengers to be vaccinated. Employees? That’s another matter.
But on the other hand, a vaccination in and of itself is not a guarantee that you can travel. Norway has a long list of requirements that an incoming person must satisfy, vaccination or not. This isn’t the time for an American to go on a sightseeing tour to Oslo.
So a binary division into the “travels” and “travel nots” may not become a reality. Instead, it will be a gradation of travel allowances and non-allowances, based upon a variety of factors.
As a former long-time employee of a company that provides finger and face technology for the Federal Bureau of Investigation’s Next Generation Identification (NGI) system, as well as driver’s license and passport technology in the United States and other countries, I am reflexively accustomed to thinking of a proven identity in governmental terms.
What this means in practice is that whenever I see a discussion of a proven identity, I reflexively assume that the identity was proven through means of some type of governmental action.
Perhaps the identity was tied to a driver’s license identity maintained by a state agency (and checked against other states via AAMVA’s “State to State” to ensure that there are no duplicate identities).
Or perhaps the identity was proven via the use of a database maintained by a government agency, such as the aforementioned NGI or perhaps a database such as the CODIS DNA database.
However, I constantly have to remind myself that not everyone thinks as I do, and that for some people an identity proven by governmental means is the worst possible scenario.
I recently read an article from Thermo Fisher Scientific, which among other things provides a slew of DNA instruments, software, and services for both traditional DNA and rapid DNA.
One of the applications of DNA is to prove family relationships for migrants, especially after families were separated after border crossings. This can be done in a positive sense (to prove that a separated parent and child ARE related) or in a negative sense (to prove that a claimed parent and child are NOT related). However, as was noted in a webinar I once attended, DNA is unable to provide any verification of legitimate adoptions.
Regardless of the purpose of using DNA for migrants, there is a certain level of distrust among the migrants when the government says (presumably in Spanish), “We’re the government. We’re here to help.” You don’t have to be a rabid conspiracy theorist to realize that once DNA data is captured, there is no technical way to prevent the data from being shared with every other government agency. Certain agencies can establish business rules to prevent such sharing, but those business rules can include wide exceptions or the rules can be ignored entirely.
Therefore, Thermo Fisher Scientific decided to discuss humanitarian DNA databases.
As a result of migration, human trafficking and war, humanitarian databases are a relatively new concept and are often completely separate from criminal databases. Research has shown that family members may distrust government databases and be reluctant to report the missing and provide reference samples (1). Humanitarian databases are repositories of DNA profiles from reported missing persons, relative reference samples, and unknown human remains and may be managed by non-governmental organizations (NGOs), though in some instances they may be managed by a governmental institution but kept separate from criminal databases. Examples of humanitarian databases can be found in the United States (NamUs, University of North Texas HDID), Canada (Royal Canadian Mounted Police), Australia (National DNA Program for unidentified and missing persons) and internationally via the International Commission on Missing Persons (ICMP).
As you can see from the list, some of these databases ARE managed by government police agencies such as the RCMP. But others are not. The hope, of course, is that migrants would be willing to approach the humanitarian folks precisely BECAUSE they are not the police. Reluctance to approach ANY agency may be dampened by a desire to be reunited with a missing child.
And these non-governmental efforts can work. The Colibri Center claims to have performed 142 identifications that would not have been made otherwise.
Reluctance to set national standards for mobile driver’s licenses
Because of my (biased) outlook, mobile driver’s licenses and other applications of government-proven digital identity seem like a wonderful thing. The example that I often bore you with is the example of buying a drink at a bar. If someone does this with a traditional driver’s license, the bartender not only learns the drinker’s birthdate, but also his/her address, (claimed) height and weight, and other material irrelevant to the “can the person buy a drink?” question. With a mobile driver’s license, the bartender doesn’t even learn the person’s birthdate; the bartender only learns the one important fact that the drinker is over 21 years of age.
Some people are not especially wowed with this use case.
The DHS Request for Comment has finally closed, and among the submissions is a joint response from the American Civil Liberties Union, Electronic Frontier Foundation (EFF), & Electronic Privacy Information Center (EPIC). The joint response not only warns about potential misuse of government digital identities, but also questions the rush of establishing them in the first place.
We believe that it is premature to adopt industry standards at this time as no set of standards has been completed that fully takes advantage of existing privacy-preserving techniques. In recent decades we have seen the emergence of an entire identity community that has been working on the problems of online identity and authorization. Some within the identity community have embraced centralized and/or proprietary systems…
You can imagine how the ACLU, EFF, and EPIC feel about required government-managed digital identities.
Is a Non-Governmental Identity (NGI) feasible and reliable?
Let’s return to the ACLU/EFF/EPIC response to the DHS Request for Comment, which mentions an alternative to centralized, proprietary maintenance of digital identities. This is the alternative that I’m referring to as NGI just to cause MAC (massive acronym confusion).
…others are animated by a vision of “self-sovereign identity” that is decentralized, open source, privacy-preserving, and empowering of individuals. That movement has created a number of proposed systems, including an open standard created by the World Wide Web Consortium (W3C) called Verifiable Credentials (VCs)….
DHS should refuse to recognize IDs presented within centralized identity systems. If a standard digital identity system is to be accepted by the federal government, it must be created in an open, transparent manner, with the input of multiple stakeholders, and based upon the self-sovereign identity concept. Such a system can then be used by federal government agencies to view identity credentials issued by state departments of motor vehicles (DMVs) where doing so makes sense. If standards based on self-sovereign identity are not considered mature enough for adoption, efforts should be directed at rectifying that rather than at adopting other systems that raise privacy, security, and autonomy risks.
For all practical purposes, the chances of the ACLU/EFF/EPIC convincing the Department of Homeland Security to reject government-proven identities are approximately zero. And since DHS controls airport access, you probably won’t see an airport security agent asking for your Verifiable Credentials any time soon. Self sovereign identities are just as attractive to government officials as sovereign citizens.
Who issues Verifiable Credentials?
As ACLU/EFF/EPIC noted, Verifiable Credentials are still under development, just as the centralized system standards are still under development. But enough advances have been made so that we have somewhat of an idea what they will look like. As Evernym notes, there is a trusted triangle of major players in the Verifiable Credentials ecosystem:
There are a number of directions in which we can go here, but for the moment I’m going to concentrate on the Issuer.
In the current centralized model being pursued in the United States, the issuers are state driver’s license agencies that have “voluntarily” consented to agree to REAL ID requirements. Several states have issued digital versions of their driver’s licenses which are recognized for various purposes at the state level, but are not yet recognized at the federal level. (The purpose of the DHS Request for Comment was to solicit thoughts on federal adoption of digital identities. Or, in the case of some respondents, federal NON-adoption of digital identities.)
Note that in the Verified Credentials model, the Issuer can be ANYBODY who has the need to issue some type of credential. Microsoft describes an example in which an educational institution is an Issuer that represents that a student completed particular courses.
Without going into detail, the triangle of trust between Issuers, Verifiers, and Holders is intended to ensure that a person is who they say they are. And to the delight of the ACLU et al, this is performed via Decentralized Identifiers (DIDs), rather than by centralized management by the FBI or the CIA, the BBC, B. B. King, Doris Day, or Matt Busby. (Dig it.)
But NGIs are not a cure-all
Despite the fact that they are not controlled by governments, and despite that fact that users (at least theoretically) control their own identities, no one should think that digital identities are the solution to all world problems…even when magic paradigm-shifting words like “blockchain” and “passwordless” are attached to them.
Here’s what McKinsey has said:
…even when digital ID is used with good intent, risks of two sorts must be addressed. First, digital ID is inherently exposed to risks already present in other digital technologies with large-scale population-level usage. Indeed, the connectivity and information sharing that create the value of digital ID also contribute to potential dangers. Whether it is data breaches and cyber-intrusions, failure of technical systems, or concerns over the control and misuse of personal data, policy makers around the world today are grappling with a host of potential new dangers related to the digital ecosystem.
Second, some risks associated with conventional ID programs also pertain in some measure to digital ID. They include human execution error, unauthorized credential use, and the exclusion of individuals. In addition, some risks associated with conventional IDs may manifest in new ways as individuals newly use digital interfaces. Digital ID could meaningfully reduce many such risks by minimizing opportunity for manual error or breaches of conduct.
In addition, many of these digital identity initiatives are being pursued by large firms such as IBM and Microsoft. While one hopes that these systems will be interoperable, there is always the danger that the separate digital identity systems from major firms such as IBM and Microsoft may NOT be interoperable, in the same way that the FBI and DHS biometric systems could NOT talk to each other for several yearsAFTER 9/11.
And it’s not only the large companies that are playing in the market. Shortly after I started writing this post, I ran across this LinkedIn article from the Chief Marketing Officer at 1Kosmos. The CMO makes this statement in passing:
At 1Kosmos, we’ve taken our FIDO2 certified platform one step further with a distributed identity based on W3C DID standards. This removes central administration of the database via a distributed ledger for true “privacy by design,” putting users in sole access and control of their identity.
1Kosmos, IBM, and Microsoft know what they’re talking about here. But sadly, some people only think these technologies are “cool” because they’re perceived as anti-government and anti-establishment. (As if these companies are going to call for the downfall of capitalism.)
Which identiy(ies) will prevail?
Back to governmental recognition of NGI.
Don’t count on it.
Anticipated DHS endorsement of government-issued digital identities doesn’t mean that NGI is dead forever, since private companies can adopt (and have adopted) any identity system that they wish.
So in truth we will probably end up with a number of digital identities like we have today (I, for example, have my WordPress identities, my Google identities, and countless others). The difference, of course, is that the new identities will be considered robust – or won’t be, when centralized identity proponents denigrate decentralized identities and vice versa.
But frankly, I’m still not sure that I want Facebook to know how much I weigh.
(Although, now that I think about it, Apple already knows.)
Bredemarket 