As Digital “Health Certifications” Advance (sort of), Paper Health Certifications Recede

Back in June I wrote about the Global Digital Health Certification Network (GDHCN), a post-COVID way to digitally exchange information about a person’s vaccination status—not just for COVID, but for any future pandemic.

This effort is being pioneered by WHO.

It seems to me they give these vaccine certificates now-a-days very peculiar names. By Public Domain – Snapshot Image – https://archive.org/details/ClassicComedyTeams, Public Domain, https://commons.wikimedia.org/w/index.php?curid=25914575

But as we continue to advance digital health identities, the United States is no longer producing a well-known physical identity document.

It’s the end of an era for a once-critical pandemic document: The ubiquitous white COVID-19 vaccination cards are being phased out.

Now that COVID-19 vaccines are not being distributed by the federal government, the U.S. Centers for Disease Control and Prevention has stopped printing new cards.

From https://apnews.com/article/covid-vaccine-cdc-medical-record-a70eb7f3f32b961eae1a7bf69175ad11

This doesn’t affect the validity of current cards. It just means that if you get a COVID vaccine, or any future vaccine, and you need to prove you obtained it, you will have to contact the medical facility that administered it.

Or, in selected states (because in the U.S. health is generally a state and not a federal responsibility), you can access the state’s digital health information. For example, the state of Washington offers MyIR Mobile, as do the states of Arizona, Louisiana, Maryland, Mississippi, North Dakota, and West Virginia.

Sign up for MyIR Mobile by going to myirmobile.com and follow the registration instructions. Your registration information will be used to match your records with the state immunization registry. You will be sent a verification code on your phone to finalize the process. Once registration is complete, you’ll be able to view your immunization records, Certificate of Immunization Status (CIS) and access your COVID-19 vaccination certificate.

From https://doh.wa.gov/you-and-your-family/immunization/access-your-familys-immunization-information

I have no idea if MyIR Mobile conforms to GDHCN; neither the phrase nor the acronym is mentioned on the MyIR Mobile website.

My own state of California has its own digital vaccine record, but frankly it’s kind of clunky. Again, I don’t know if California conforms to GDHCN.

So maybe digital health certifications are not advancing.

Worldcoin’s “Face/Off” With Authorities in Argentina and Kenya (and alarmists worldwide)

Victoria Gardens, Rancho Cucamonga, California, August 12, 2023.

Can someone pretend to be you if they have no idea who you are?

It’s been a couple of weeks since I last addressed Worldcoin’s activities, but a lot has happened in Kenya, and now in Argentina also. Here’s a succinct (I hope) update that looks beyond the blaring headlines to see what is REALLY happening.

And, at the end of this post, I address what COULD happen if a fraudster “cut off someone’s face, including gouging out their eyes, and then you draped it all over your own face.” Hey, you have to consider ALL the use cases.

Argentina and data protection laws

So what is the reality in Argentina? According to CoinDesk, the Argentine Agency for Access to Public Information (AAIP) is conducting an investigation into Worldcoin.

According to the AAIP, an entity like Worldcoin must register with the AAIP, provide information about its data processing policy, and indicate the purpose for collecting sensitive data and the retention period for such data. Additionally, the agency requires details of the security and confidentiality measures applied to safeguard personal information. The AAIP did not confirm whether Worldcoin complies with the standards.

Worldcoin told CoinDesk in an emailed statement that “the project complies with all laws and regulations governing the processing of personal data in the markets where Worldcoin is available, including but not limited to Argentina’s Personal Data Protection Act 25.326.”

From https://www.coindesk.com/policy/2023/08/10/worldcoin-regulatory-scrutiny-grows-as-argentina-opens-investigation/

But what is this “personal data” that concerns Argentina so much?

The data that Worldcoin collects

Now a number of companies need to comply with local privacy regulations in numerous countries, and Worldcoin obviously must obey the law in the countries where it conducts business, including laws about personally identifiable information (PII). For illustration, here is an incomplete list of examples of PII, compiled by the University of Pittsburgh:

  • Name: full name, maiden name, mother’s maiden name, or alias
  • Personal identification numbers: social security number (SSN), passport number, driver’s license number, taxpayer identification number, patient identification number, financial account number, or credit card number
  • Personal address information: street address, or email address
  • Personal telephone numbers
  • Personal characteristics: photographic images (particularly of face or other identifying characteristics), fingerprints, or handwriting
  • Biometric data: retina scans, voice signatures, or facial geometry
  • Information identifying personally owned property: VIN number or title number
  • Asset information: Internet Protocol (IP) or Media Access Control (MAC) addresses that consistently link to a particular person

From https://www.technology.pitt.edu/help-desk/how-to-documents/guide-identifying-personally-identifiable-information-pii

To my knowledge, Worldcoin acquires PII in two separate instances: when downloading the World App, and when registering at an Orb.

Data collected by the World App

First, Worldcoin collects data when you download the World App. The data that is collected by the iOS version of the World App includes a user ID, the user’s coarse location, a name, contacts, and a phone number. I’ll admit that the collection of contacts is a little odd, but let’s see what happens to that data later in the process.

World App (iOS) privacy information as of August 18, 2023. From https://apps.apple.com/no/app/world-app-worldcoin-wallet/id1560859847

Data collected by the Orb

Second, Worldcoin collects data when you enroll at an Orb.

Obviously the Orb collects iris images, and also collects face images. But what else is collected at the Orb?

Nothing.

Worldcoin documents two use cases in its privacy statement: one “without data custody,” and one “with data custody.” In the first use case:

Your biometric data is first processed locally on the Orb and then permanently deleted. The only data that remains is your iris code. This iris code is a set of numbers generated by the Orb and is not linked to your wallet or any of your personal information. As a result, it really tells us — and everyone else — nothing about you. All it does is stop you from being able to sign up again.

From https://worldcoin.org/privacy

But what about the second use case, in which the user consents to have Worldcoin retain information (so that the user does not have to re-enroll if they get a new phone)?

Your biometric data is first processed locally on the Orb and then sent, via encrypted communication channels, to our distributed secure data stores, where it is encrypted at rest. Once it arrives, your biometric data is permanently deleted from the Orb.

From https://worldcoin.org/privacy

Regardless of whether biometric data is retained or not, other PII isn’t even collected at the Orb:

Since you are not required to provide personal information like your name, email address, physical address or phone number, this means that you can easily sign up without us ever knowing anything about you.

From https://worldcoin.org/privacy

“But John,” you’re saying, “names and phone numbers are not collected at the Orb, but names and phone numbers ARE collected by the World App. So how are the name, phone number, user ID, and ‘iris code’ linked together?” Let me reprint what Worldcoin says about the app:

Your Worldcoin App is your self-custodial wallet. That means, just like a physical wallet, that no banks, governments or corporations can do anything to it — like lose or freeze your money — you’re in complete control.

You also don’t need to enter any personal information to get or use the App. But even if you do, you can rest assured that, unlike others, we will never sell or try to profit from your personal information.

From https://worldcoin.org/privacy

So apparently, while the World App asks for your name, it is not a mandatory field. I just confirmed this on my World App (which I enabled on May 16, without orb verification); the only identifying information that I could find was my phone number and my user ID.

And I’m assuming that if I were to enroll at an Orb, the iris code would be linked to my user ID.

Depending upon Worldcoin’s internal architecture:

  • It’s possible that the iris code could be linked to my phone number, either intentionally or unintentionally. But even if it is, an iris code in and of itself is useless outside of the Worldcoin ecosystem. In the same way that an Aware, IDEMIA, NEC, or Thales fingerprint template (not the fingerprint image) can’t be used to generate a full fingerprint image, a Worldcoin iris code can’t be used to generate a full iris image.
  • If I choose the “with data custody” option, my biometric images could be linked to my phone number. Again, they could be linked either intentionally or unintentionally. If such a linkage exists, then that IS a problem. If a user chooses to back up both their World App data and their Orb biometric image data with Worldcoin (and again, the user must CHOOSE to back up both sets of data), how does Worldcoin ensure that the two sets of data can’t be linked?

Presumably Argentina’s AAIP will investigate Worldcoin’s architecture to ensure that there are no financial identity threats.

Which leads us to Kenya.

Kenya and data protection laws

When we last visited Kenya and Worldcoin on August 2, the government had announced that “(r)elevant security, financial services and data protection agencies have commenced inquiries and investigations to establish the authenticity and legality of the aforesaid activities, the safety and protection of the data being harvested, and how the harvesters intend to use the data.”

Those investigations continue, Worldcoin’s Kenya offices have been raided, and Parliament is angry at the regulatory authorities…for not doing enough. The article that reports this states that the Data Protection Unit feels it is not responsible for investigating the “core business” of the registered companies, but Parliament feels otherwise.

The article also makes another interesting statement:

…the office failed to conduct background checks on the company, whose operations have been banned in both the United States of America (USA) and Germany.

From https://nation.africa/kenya/news/you-ve-failed-kenyans-mps-tell-data-commissioner-immaculate-kassait-over-worldcoin-saga-4338518

Um, fake fake fake.

As I previously noted, I can visit an Orb in Santa Monica, California to register my irises. Last I checked, Santa Monica is still part of the United States of America (USA).

Now what I CAN’T do is obtain some Worldcoin when I register my irises.

In addition, Worldcoin tokens (“WLD”) are not intended to be available for use, purchase, or access by US persons, including US citizens, residents, or persons in the United States, or companies incorporated, located, or resident in the United States, or who have a registered agent in the United States. We do not make WLD available to such US persons. Furthermore, you agree that you will not sell, transfer or make available WLD to US persons.

From User Terms And Conditions, Version 3.10, Effective August 2, 2023, https://worldcoin.pactsafe.io/rkuawsvk5.html#contract-qx3iz24-o

But US persons can still download the app and provide irises to our hearts’ content.

We just can’t get any crypto.

And for the Argentine and Kenyan authorities, the main reason they care about this is the crypto.

Worldcoin is useless for most identification use cases

I’ll make the point that I made before.

Worldcoin is NOT a tool to identify and exploit poor people.

In fact, as the term is commonly understood, Worldcoin does not, and cannot, identify ANYONE.

This is by design.

World ID is a digital passport that lets you prove you are a unique and real person while remaining anonymous.

From https://worldcoin.org/world-id

So if you think that obtaining a World ID will allow you to

  • open a bank account,
  • obtain state welfare benefits, or
  • vote in a local election…

…think again.

Worldcoin CANNOT identify you as a known individual.

It can only establish your uniqueness.

But what about the hacks?

But if you’d like to be unsettled, I’ll close with a quote from another Blockworks article written by someone who visited an Orb in Brooklyn, New York. Last I checked, Brooklyn is still part of the United States of America (USA).

I continued on a darker vein: What if a criminal mastermind decided to cut out someone’s eyes, and use them to steal their identity?

The Orb engineer told me that it wouldn’t work. This Orb needs to see alive, blinking eyes, and a human face that is real attached to them. A picture of someone’s eyes won’t scan, robot eyes won’t scan, canine eyes won’t scan.

But then I got him.

If you cut off someone’s face, including gouging out their eyes, and then you draped it all over your own face, could you register as them with a Worldcoin scanner and steal their identity?

Yes. 

Although he promised that the Worldcoin R&D team has not tested this particular edge case.

From https://blockworks.co/news/worldcoin-eyeballs-scan-brooklyn

(Repeats to myself) Face/Off was only a movie…Face/Off was only a movie…

Kenya Concerns About Worldcoin Data: WHAT Data?

Biometric Update linked to an AFP article (via Africanews) that referenced a statement by the Ministry of the Interior Cabinet Secretary Kithure Kindiki, portions of which were quoted by Citizen Digital.

“Relevant security, financial services and data protection agencies have commenced inquiries and investigations to establish the authenticity and legality of the aforesaid activities, the safety and protection of the data being harvested, and how the harvesters intend to use the data,” read part of the statement.

“Further, it will be critical that assurances of public safety and the integrity of the financial transactions involving such a large number of citizens be satisfactorily provided upfront.”

From https://www.citizen.digital/news/government-suspends-activities-of-worldcoin-citing-safety-concerns-n324708

The big brouhaha has occurred because Worldcoin is using a device called the Orb to collect images of people’s irises.

And Worldcoin is also collecting…

well, nothing else.

And even the iris image data that Worldcoin DOES collect isn’t retained unless people request it.

Since no two people have the same iris pattern and these patterns are very hard to fake, the Orb can accurately tell you apart from everyone else without having to collect any other information about you — not even your name.

Importantly, the images of you and your iris pattern are permanently deleted as soon as you have signed up, unless you opt in to Data Custody to reduce the number of times you may need to go back to an Orb. Either way, the images are not connected to your Worldcoin tokens, transactions, or World ID.

From https://worldcoin.org/privacy

Ah, but Worldcoin does retain…an iris code. A lot of good THAT’S gonna do a scammer.

Your biometric data is first processed locally on the Orb and then permanently deleted. The only data that remains is your iris code. This iris code is a set of numbers generated by the Orb and is not linked to your wallet or any of your personal information. As a result, it really tells us — and everyone else — nothing about you. All it does is stop you from being able to sign up again.

Since you are not required to provide personal information like your name, email address, physical address or phone number, this means that you can easily sign up without us ever knowing anything about you.

From https://worldcoin.org/privacy

And no, you cannot reverse engineer an iris image from the iris code. In fact, you can’t reverse engineer any biometric image from its biometric template.

And even if you could reverse engineer an iris image, what are you going to do with it? You don’t know who owns it. It probably doesn’t belong to Bill Gates. It probably belongs to an impoverished Kenyan. (Good luck getting that person’s US$2.00. Which they probably already sold.)

Because—and here’s the thing that people forget about Worldcoin—“Worldcoin’s World ID emphasizes privacy so much that it does not conclusively prove a person’s identity (it only proves a person’s uniqueness).” (Link)

So how are governments and companies supposed to use Worldcoin?

Companies could pay Worldcoin to use its digital identity system, for example if a coffee shop wants to give everyone one free coffee, then Worldcoin’s technology could be used to ensure that people do not claim more than one coffee without the shop needing to gather personal data, Macieira said.

From https://www.reuters.com/technology/worldcoin-says-will-allow-companies-governments-use-its-id-system-2023-08-02/

Yup, that’s the use case. To allow 8 billion people to each claim one cup of coffee.

  • Not just the people who are members of the coffee company’s rewards club.
  • Not just the people who have purchased a certain amount of coffee.
  • Not just the people in the United States and Colombia.

Worldcoin can’t do those things, because even Worldcoin doesn’t know anything about its users.

Which means, by the way, that the World ID can’t be used in elections or national/state government welfare benefits distribution.

  • Sure it can be used to prove that someone hasn’t voted twice, or received benefits under two different names.
  • But it has no way of knowing whether the individual is qualified to vote or receive benefits. Maybe the person doesn’t live in the local jurisdiction. For voting, maybe the person lives there but is not a citizen. For benefits, maybe the person has too much income to qualify. Worldcoin doesn’t have a clue if any of these things are true.
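To make the distinction concrete, here is an added sketch (not Worldcoin’s code, and not from any source quoted in this post) of a registry that can answer “has this person already signed up or claimed?” and nothing else. The 2048-bit code length, the fractional Hamming distance comparison, the 0.32 threshold, the idea that a claim re-presents a fresh capture, and the sample codes are all assumptions constructed for illustration.

```python
import random

CODE_BITS = 2048        # assumed code length (constructed for this example)
MATCH_THRESHOLD = 0.32  # assumed: at or below this share of differing bits = same eye


def sample_code(seed):
    """Constructed stand-in for an iris code: a reproducible random bit string."""
    return random.Random(seed).getrandbits(CODE_BITS)


def recapture(code, flip_fraction, seed):
    """Simulate a later capture of the same eye: the same code with some bits flipped."""
    rng = random.Random(seed)
    for bit in rng.sample(range(CODE_BITS), int(CODE_BITS * flip_fraction)):
        code ^= 1 << bit
    return code


def distance(a, b):
    """Fractional Hamming distance: share of bit positions where two codes differ."""
    return bin(a ^ b).count("1") / CODE_BITS


class UniquenessRegistry:
    """Holds codes and per-offer claim marks.

    There is deliberately no name, phone number, address, citizenship or
    income field, so the registry can answer "seen before?" but has nothing
    with which to answer "who is this?" or "is this person eligible?".
    """

    def __init__(self):
        self._codes = []      # enrolled codes, in enrollment order
        self._claims = set()  # (enrollment index, offer name) pairs

    def _lookup(self, code):
        """Return the index of the first enrolled code within the threshold, else None."""
        for index, stored in enumerate(self._codes):
            if distance(code, stored) <= MATCH_THRESHOLD:
                return index
        return None

    def enroll(self, code):
        """Accept a new code only if no enrolled code matches it."""
        if self._lookup(code) is not None:
            return False  # same eye, second sign-up attempt
        self._codes.append(code)
        return True

    def claim_once(self, code, offer):
        """Grant an offer at most once per enrolled code."""
        index = self._lookup(code)
        if index is None:
            return "not enrolled"
        if (index, offer) in self._claims:
            return "already claimed"
        self._claims.add((index, offer))
        return "granted"


if __name__ == "__main__":
    registry = UniquenessRegistry()
    first, second = sample_code(1), sample_code(2)
    print("first person enrolls:", registry.enroll(first))
    print("same eye, noisy re-scan:", registry.enroll(recapture(first, 0.10, 99)))
    print("second person enrolls:", registry.enroll(second))
    print("coffee, first person:", registry.claim_once(first, "free-coffee"))
    print("coffee, first person again:", registry.claim_once(first, "free-coffee"))
```
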

So apparently the Kenyan authorities are worried that Worldcoin is gathering too much data.

I’m worried that Worldcoin is gathering not enough data for most practical use cases.

Well, unless you want to buy the world a Coke.

From https://www.youtube.com/watch?v=1VM2eLhvsSM

Educational Identity: Why and How Do Educational Institutions Verify Identities?

Chaffey High School, Ontario California.

Whether a student is attending a preschool, a graduate school, or something in between, the educational institution needs to know who is accessing their services. This post discusses the types of identity verification and authentication that educational institutions may employ.

Why do educational institutions need to verify and authenticate identities?

Whether little Johnny is taking his blanket to preschool, or Johnny’s mother is taking her research notes to the local university, educational institutions such as schools, colleges, and universities need to know who the attendees are. It doesn’t matter whether the institution has a physical campus, like Chaffey High School’s campus in the video above, or if the institution has a virtual campus in which people attend via their computers, tablets, or phones.

Access boils down to two questions:

  • Who is allowed within the educational institution?
  • Who is blocked from the educational institution?

Who is allowed within the educational institution?

Regardless of the type of institution, there are certain people who are allowed within the physical and/or virtual campus.

  • Students.
  • Instructors, including teachers, teaching assistants/aides, and professors.
  • Administrators.
  • Staff.
  • Parents of minor students (but see below).
  • Others.

All of these people are entitled to access to at least portions of the campus, with different people having access to different portions of the campus. (Students usually can’t enter the teacher’s lounge, and hardly anybody has full access to the computer system where grades are kept.)

Before anyone is granted campus privileges, they have to complete identity verification. This may be really rigorous, but in some cases it can’t be THAT rigorous (how many preschoolers have a government ID?). Often, it’s not rigorous at all (“Can you show me a water bill? Is this your kid? OK then.”).

Once an authorized individual’s identity is verified, they need to be authenticated when they try to enter the campus. This is a relatively new phenomenon, in response to security threats at schools. Again, this could be really rigorous. For example, when students at a University of Rhode Island dining hall want to purchase food from the cafeteria, many of them consent to have their fingerprints scanned.

From https://www.youtube.com/watch?v=JzMDF_LN_LU

Another rigorous example: people whose biometrics are captured when taking exams, to deter cheating.

But some authentication is much less rigorous. In these cases, people merely show an ID (hopefully not a fake ID) to authenticate themselves, or a security guard says “I know Johnny.”

(Again, all this is new. Many years ago, I accompanied a former college classmate to a class at his new college, the College of Marin. If I had kept my mouth shut, the professor wouldn’t have known that an unauthenticated student was in his class.)

Who is blocked from the educational institution?

At the same time, there are people who are clearly NOT allowed within the physical and/or virtual campus. Some of these people can enter campus with special permission, while some are completely blocked.

  • Former students. Once a student graduates, their privileges are usually revoked, and they need special permission if they want to re-enter campus to visit teachers or friends. (Admittedly this isn’t rigorously enforced.)
  • Expelled students. Well, some former students have a harder time returning to campus. If you brought a gun on campus, it’s going to be much harder for you to re-enter.
  • Former instructors, administrators, and staff. Again, people who leave the employ of the institution may not be allowed back, and certain ones definitely won’t be allowed back.
  • Non-custodial parents of minor students. In some cases, a court order prohibits a natural parent from contact with their child. So the educational institutions are responsible for enforcing this court order and ensuring that the minor student leaves campus only with someone who is authorized to take the child.
  • Others.

So how do you keep these people off campus? There are two ways.

  • If they’re not on the allowlist, they can’t enter campus anyway. As part of the identity verification process for authorized individuals, there is a list of people who can enter the campus. By definition, the 8 billion-plus people who are not on that “allowlist” can’t get on campus without special permission.
  • Sometimes they can be put on a blocklist. Or maybe you want to KNOW that certain people can’t enter campus. The inverse of an allowlist, people who are granted access, is a blocklist, people who are prevented from getting access. (You may know “blocklist” by the older term “blacklist,” and “allowlist” by the older term “whitelist.” The Security Industry Association and the National Institute of Standards and Technology recommend updated terminology.)

There’s just one teeny tiny problem with blocklists. Sometimes they’re prohibited by law.

In some cases (but not in others), a person is required to give consent before they are enrolled in a biometric system. If you’re the ex-student who was expelled for bringing a gun on campus, how motivated will you be to allow that educational institution to capture your biometrics to keep you off campus?

And yes, I realize that the expelled student’s biometrics were captured while they were a student, but once they were no longer a student, the institution would have no need to retain those biometrics. Unless they felt like it.

This situation becomes especially sticky for campuses that use video surveillance systems. Like Chaffey High School.

Sign: "To reduce property damage to our facilities, this campus has installed a video surveillance system."
Chaffey High School, Ontario, California.

Now the mere installation of a video surveillance system does not (usually) result in legally prohibited behavior. It just depends upon what is done with the video.

  • If the video is not integrated with a biometric facial recognition system, there may not be an issue.
  • If Chaffey High School has its own biometric facial recognition system, then a whole host of legal factors may come into play.
  • If Chaffey High School does not have a biometric facial recognition system, but it gives the video to a police agency or private entity that does have a biometric facial recognition system, then some legal factors may emerge.

Or may not. Some facial recognition bans allow police use, and if this is true then Chaffey can give the footage to the police to use for authorized purposes. But if the jurisdiction bans police use of facial recognition, then people on the video can only be recognized manually. And you know how I feel about that.

Writing About Educational Identity

As you can see, educational identity is not as clear-cut as financial identity, both because financial institutions are more highly regulated and because blocklists are more controversial in educational identity. Vladimir Putin may not be able to open a financial account at a U.S. bank, but I bet he’d be allowed to enroll in an online course at a U.S. community college.

So if you are an educational institution or an identity firm who serves educational institutions, people who write for you need to know all of these nuances.

You need to provide the right information to your customers, and write it in a way that will motivate your customers to take the action you want them to take.

Speaking of motivating customers, are you with an identity firm or educational institution and need someone to write your marketing text?

  • Someone with 29 years of identity/biometric marketing experience?
  • Someone who understands the technological, organizational, and legal issues surrounding the use of identity solutions?
  • Someone who will explain why your customers should care about these issues, and the benefits a compliant solution provides to them?

If I can help you create your educational identity content, we need to talk.

Financial Identity: Which Firms Can Remotely Onboard Financial Customers?

Bank of America, Euclid Avenue, Ontario, California.

Here’s a sign of the times from Ontario, California. The sign at the end of this video appears on the door of a bank branch in downtown Ontario, and basically says that if you wanted to go to THIS branch on Saturday, you’re out of luck.

Of course, that assumes that you actually WANT to go to a physical bank branch location. Unlike the old days, when banks were substantive buildings that you visited to deposit and withdraw money, now banks can be found in our smartphones.

What locational, technological, and organizational changes have taken place at banks over the last 50 years? And now that you can open an account to buy crypto on your smartphone, does your financial institution’s onboarding solution actually WORK in determining financial identity?

Three changes in banking over the last fifty years

Over the last fifty years, banking has changed to the point where someone from 1973 wouldn’t even recognize “banking” today. Stick around to see a video from a company called “Apple” showing you how to use a “wallet” on a “smartphone” to pay for things even if you’re not carrying your “chip card.” Karl Malden would be spinning in his grave. So let’s talk about the three changes:

  1. The locational change.
  2. The technological change.
  3. The organizational change.

The locational change: from stand-alone buildings to partitioned grocery store sections

When I was growing up, a “bank” (or a “savings & loan,” which we will discuss later) was located in a building where you would go on weekdays (or even Saturdays!) and give money to, or get money from, a person referred to as a teller.

By Dennis Brown – Own work, CC BY 3.0, https://commons.wikimedia.org/w/index.php?curid=5214388

There was this whole idea of “going to the bank,” perhaps on your lunch hour because you couldn’t go to the bank on Sunday at midnight, could you?

The first crack in the whole idea of “going to the bank” was the ability to bank without entering the door of the bank…and being able to bank on Sunday at midnight if you felt like it. Yes, I’m talking about Automated Teller Machines (ATMs), where the “teller,” instead of being a person, was a bunch of metal and a TV screen. The first ATM appeared in 1967, but they didn’t really become popular until several years later.

Actor Reg Varney using the world’s first cash machine at Barclays Bank, Enfield, north London on 27 June 1967. https://en.wikipedia.org/w/index.php?curid=12747908

For the most part, these ATMs were located at the bank buildings themselves. But those buildings were costly, and as competition between banks increased, banks sought alternatives. By 1996, a new type of banking location emerged (PDF):

The largest U.S. commercial banks are restructuring their retail operations to reduce the cost disadvantage resulting from a stagnant deposit base and stiffer competition. As part of this effort, some banks are opening “supermarket,” or “in-store,” branches: a new type of banking office within a large retail outlet. An alternative to the traditional bank office, the supermarket branch enables banks to improve the efficiency of the branch network and offer greater convenience to customers.

From https://www.newyorkfed.org/medialibrary/media/research/current_issues/ci2-13.pdf

To traditionalists, these bank branches looked pretty flimsy. Where are the brick and (fake) marble walls that protect my cash? Heck, anyone can walk into the store and just steal all my money, right?

Well, these newfangled bank branches apparently WERE able to protect our cash, and the idea of banking right in the grocery store proved to be very popular because of its convenience.

But the changes were just beginning.

The technological change: from store sections to smartphones

As banks changed where they were located, there were technological changes also.

During the 1990s, more and more people were using home computers. As the computers and their security became more and more sophisticated, some people asked why we needed to “go to the bank” (either a stand-alone building or a partitioned area next to the cigarettes) at all. Why not just bank at the computer? So PC banking emerged.

Interpol and Deutsche Bank. The cover art can be obtained from Kling Klang and EMI Electrola., Fair use, https://en.wikipedia.org/w/index.php?curid=42639079

The term “PC banking” refers to the online access of banking information from a personal computer. A solution for both personal or business banking needs, this type of financial management allows you to conduct transactions using an Internet connection and your computer in lieu of a trip to the local bank branch or the use of an ATM. PC banking enables an account holder to perform real-time account activities and effectively manage finances in a way that avoids the hassle of daytime bank visits and eliminates the postage required to pay bills by mail.

From https://smallbusiness.chron.com/pc-banking-72403.html

Ah yes; there was another benefit. You could use the computer to pay your bills electronically. The U.S. Postal Service was NOT a fan of this change.

As we crossed into the new millennium, the online banking ideas got even wilder. Cellular telephones, which followed a modified version of the “Princess phone” form factor, became more complex devices with their own teeny-tiny screens, just like their larger computer cousins. Eventually, banks began offering their services on these “smartphones,” so that you didn’t even need a computer to perform your banking activities.

Imagine putting the video below on 8mm film and traveling back in time to show it to a 1973 banking customer. They would have no idea what was going on in the film.

From https://www.youtube.com/watch?v=znIOqQLbNFk

But are PC and smartphone banking secure? After all, smartphones don’t have brick or (fake) marble walls. We’ll get to that question.

The organizational change: from banks to…who knows what?

The third change was not locational or technological, but a change in terms of business organization. Actually, many changes.

Back in 1973, the two major types of banks were banks, and something called “savings & loans.” Banks had been around for centuries, but savings & loans were a little newer, having started in 1831. They were regulated a little differently: banks were insured by the FDIC, S&Ls by the FSLIC.

Everything was all hunky dory until the 1980s, when the S&Ls started collapsing. This had monumental effects; for example, this PDF documenting the S&L crisis is hosted on the FDIC website, because the FSLIC was abolished many years ago.

After savings & loans became less popular, other “banks” emerged.

But there was one similarity between banks, savings & loans, credit unions, and payday loans. They all dealt in U.S. dollars (or the currency of the nation where they were located).

Enter the crypto providers, who traded cryptocurrencies that weren’t backed by any government. Since they were very new entrants, they didn’t have to make the locational and technological changes that banks and related entities had to make; they zoomed straight to the newest methods. Everything was performed on your smartphone (or computer), and you never went to a physical place.

Now, let’s open a financial account

Back in 1973, the act of opening an account required you to travel to a bank branch, fill out some forms, and give the teller some form of U.S. dollars.

You can still do that today, for the most part. But it was hard to do that in the summer and fall of 2020 when Bredemarket started.

Bredemarket pretty much started because of the COVID-19 pandemic, and those first few months of Bredemarket’s existence were adversely affected by COVID-19. When I wanted to start a bank account for Bredemarket, I COULDN’T travel to my nearby bank branch to open an account. I HAD to open my account with my computer.

So, without a teller (human or otherwise) even meeting me, I had to prove that I was a real person, and give my bank enough information during onboarding so that they knew I wasn’t a money-laundering terrorist. Banks had to follow government regulations (know your customer, anti-money laundering, know your business), even in the midst of a worldwide pandemic.

This onboarding process had to be supported whether you were or were not at a physical location of a financial institution.

  • Whether you were conducting business in person, on a computer, or on a smartphone.
  • Whether you were working with U.S. dollars or (as crypto regulations tightened) something named after a dog or an entire planet or whatever.

How can you support all that?

Liminal’s “Link™ Index for Account Opening in Financial Services”

Back in 2020 when I was onboarding the new-fashioned way, I had no way of predicting that in less than two years, I would be working for a company that helped financial institutions onboard customers the new-fashioned way.

At the time, I estimated that there were over 80 companies that provided such services.

According to Liminal, my estimate was too low. Or maybe it was too high.

Liminal’s July 2023 report, “Link™ Index for Account Opening in Financial Services,” covers companies that provide onboarding services that allow financial institutions to use their smartphone apps (or web pages) to sign up new clients.

Account opening solutions for the financial services industry are critical to ensuring compliance and preventing fraud, enabling companies to effectively identify new users during customer registration and deliver a seamless onboarding experience. The primary purpose of these solutions is to facilitate mandatory compliance checks, with a particular emphasis on the Know Your Customer (KYC) process.

From https://liminal.co/research/link-index/account-opening-financial-services/

If I can summarize KYC in layperson terms, it basically means that the person opening a financial institution account is who they say they are. For example, it ensures that Vladimir Putin can’t open a U.S. bank account under the name “Alan Smithee” to evade U.S. bans on Russian national transactions.

Remember how I found over 80 identity proofing vendors? Liminal found a few more who claimed to offer identity proofing, but thinks that fewer than 80 firms can actually deliver.

Around 150 vendors claim to offer account opening compliance and fraud solutions in banking, but only 32 (21.3%) have the necessary product features to meet buyer demands.

From https://liminal.co/research/link-index/account-opening-financial-services/

The firms identified by Liminal include my (now former) employer Incode Technologies, plus some others in the industry.

Leading Vendors Profiled

Alloy, Au10tix, Bureau, Caf, Contactable, Effectiv, Experian, FrankieOne, GBG, GeoComply, IDnow, ID.me, iDenfy, IDMERIT, Incode, Jumio, LexisNexis Risk Solutions, MetaMap, Mitek, Onfido, Persona, Plaid, Prove, Refinitiv, ShuftiPro, Signicat, Signzy, Socure, Sumsub, TransUnion, Trulioo, Veriff.

From https://liminal.co/research/link-index/account-opening-financial-services/

Now I have not purchased the entire Liminal report, and even the Executive Summary (which I do have) is “privileged and confidential” so I can’t reprint it here. But I guess that I can say that Liminal used something called the “Link Score” to determine which vendors made the top category, and which didn’t.

I’m not sure how the vendors who DIDN’T make the top category are reacting to their exclusion, but I can bet that they’re not happy.

Writing about Financial Identity

As you can gather, there are a number of issues that you have to address if you want to employ identity proofing at a financial institution.

And if you’re an identity firm or financial institution, you need to provide the right information to your customers, and write it in a way that will motivate your customers to take the action you want them to take.

Speaking of motivating customers, are you with an identity firm or financial institution and need someone to write your marketing text?

  • Someone with 29 years of identity/biometric marketing experience?
  • Someone who consistently tosses around acronyms like AML, FRVT, KYB, KYC, and PAD, but who would never dump undefined acronyms on your readers? (If you’re not a financial/identity professional and don’t know these acronyms, they stand for anti-money laundering, Face Recognition Vendor Test, Know Your Business, Know Your Customer, and Presentation Attack Detection.)
  • Someone who will explain why your customers should care about these acronyms, and the benefits a compliant solution provides to them?

If I can help you create your financial identity content, we need to talk.

From EUDCC to GDHCN: The Evolution of Vaccine Certificates

Back in 2021, it seemed that I was commenting on the EU Digital COVID Certificate (EUDCC) ad nauseam. The EUDCC is the “vaccine passport” that was developed to allow people in member EU countries to prove their COVID vaccination status in another EU country.

From the EC site.

My most recent post on the EUDCC was written on August 30, 2021, and discussed the International Air Transport Association (IATA) endorsement of the EUDCC as a global standard. But did it matter? I took a look at how global standards are adopted (hint: brute force):

If a lot of people like something, it’s a standard.

If a trillion dollar company likes something, and I like something different, then the thing that the trillion dollar company likes is a standard.

If two trillion dollar companies like two different things…it can get messy.

From https://bredemarket.com/2021/08/30/iata-endorses-the-eudcc-but-will-it-matter/

August 2021 was the last time that I wrote about the EUDCC in the Bredemarket blog. Until now.

Enter…WHO?

You know how standards are adopted by brute force from big players? Well, one big player has forced itself into the discussion. That player is the World Health Organization, commonly known as WHO.

It seems to me they give these vaccine certificates now-a-days very peculiar names. By Public Domain – Snapshot Image – https://archive.org/details/ClassicComedyTeams, Public Domain, https://commons.wikimedia.org/w/index.php?curid=25914575

But according to Masha Borak at Biometric Update, the WHO is just recognizing that the “EU” Digital COVID Certificate has expanded far beyond the EU.

Stella Kyriakides, the European commissioner for health and food safety (announced) that the voluntary certificate program has already been taken up by almost 80 countries.

From https://www.biometricupdate.com/202306/united-nations-taking-over-eu-covid-certificate-program-july-1

Last I checked there were not 80 countries in the EU. So this health standards thing took off after the initial hiccups. Although the Wikipedia list of non-EU adopting countries does not include two big players—the United States and China (the same two countries I cited in my August 2021 post).

Therefore, it made sense for WHO to get in on the act with its Global Digital Health Certification Network, allowing worldwide responses to post-COVID issues.

WHO’s Global Digital Health Certification Network is an open-source platform, built on robust & transparent standards that establishes the first building block of digital public health infrastructure for developing a wide range of digital products for strengthening pandemic preparedness and to deliver better health for all….

The GDHCN is builds (sic) upon the experience of regional networks for COVID-19 Certificates and takes up the infrastructure and experiences with the digital European Union Digital COVID Certificate (EU DCC) system, which has seen adoption across all Member States of the EU as well as 51 non-EU countries and territories. The GDHCN has been designed to be interoperable with other existing regional networks (e.g., ICAO VSD-NC, DIVOC, LACPass, SMART Health Cards) specifications. 

From https://www.who.int/initiatives/global-digital-health-certification-network

On the surface it sounds great, but we’ll see what happens when it goes live (Borak states that the go-live date is July 1).

And we’ll see how it expands:

To facilitate the uptake of the EU DCC by WHO and contribute to its operation and further development, WHO and the European Commission have agreed to partner in digital health.

This partnership will work to technically develop the WHO system with a staged approach to cover additional use cases, which may include, for example, the digitisation of the International Certificate of Vaccination or Prophylaxis. Expanding such digital solutions will be essential to deliver better health for citizens across the globe.

From https://www.who.int/news/item/05-06-2023-the-european-commission-and-who-launch-landmark-digital-health-initiative-to-strengthen-global-health-security

And most importantly, we’ll see which countries participate—and which countries don’t.

Two Benefits of Virtual Power Plants (VPPs)

(Updated 4/16/2022 with additional benefits information.)

Everything is virtual

Many of our lives changed significantly in March 2020, when we left our offices and cubicles and decamped to makeshift desks in our homes. Since that time, those of us who are still working from home (WFH) have interacted with others via telephone, Cisco WebEx, Google Meet, Microsoft Teams, Slack, Zoom, and other virtual collaboration tools.

At the same time, some people have plunged neck-deep into the world of non-fungible tokens (NFTs) for applications ranging from joining the Bored Ape Yacht Club to using NFTs for decentralized digital identity.

And I haven’t even gotten into Second Life v2.0 and its ilk.

In short, we’re doing a lot of things virtually.

We live in an increasingly virtual world. You can hold virtual meetings with virtual friends using virtual reality systems hosted on virtual servers. 

From https://www.greentechmedia.com/articles/read/so-what-exactly-are-virtual-power-plants

Virtual power plants (VPPs) and the Shelter Valley VPP project

Oh, and there’s one more thing that we’re doing virtually.

And in energy circles, one of the biggest buzzwords in recent years is the virtual power plant, or VPP.

From https://www.greentechmedia.com/articles/read/so-what-exactly-are-virtual-power-plants

What is a virtual power plant (VPP)? Let me provide an example of a test implementation of a VPP by Alternative Energy Systems Consulting, Inc. (AESC) and San Diego Gas & Electric (SDG&E).

Shelter Valley. By Stalbaum – Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=15825812

This 18 month pilot project is described by SDG&E on its page about the Shelter Valley Virtual Power Plant Project.

As part of our Sustainability Strategy and commitment to reach net zero greenhouse gas emissions by 2045, SDG&E is launching a Virtual Power Plant (VPP) Pilot Project in 2022, an initiative to strengthen community resilience and electric reliability in the unincorporated community of Shelter Valley in East San Diego County. 

From https://www.sdge.com/major-projects/shelter-valley-virtual-power-plant-pilot-project

Two benefits of virtual power plants

SDG&E realizes that you can’t just talk about the features of virtual power plants. SDG&E’s customers don’t care about features. Its customers only care about what’s in it for them. So SDG&E collected some benefits of virtual power plants.

(4/16/2022: For additional information on benefits, click here.)

The first benefit: community resilience and electric reliability

The first benefit that SDG&E identified for VPPs can be found in the text above, where it noted that virtual power plants can “strengthen community resilience and electric reliability.”

Now I’ll grant that California isn’t Texas, but there are more and more times when California’s electric power goes out, due either to very high temperatures, very high winds, or very high fire danger.

So SDG&E consumers (and consumers from other electric utilities) are more interested in electric reliability. If VPPs can provide that reliability, great!

So how does a VPP strengthen community resilience and electric reliability?

A key element of a VPP is its distributed energy resources, or DERs. With home-based solar power, batteries, smart thermostats, and other energy technologies, the days of a single centralized power source are over.

The second benefit: lower investment and operating costs

But rather than siloing these DERs, a VPP arranges to have them work as a single unit, just like a conventional power plant, but with a difference.

In other words, a VPP can mimic or potentially replace a conventional power plant and help address distribution network bottlenecks, but with lower investment and operating costs.

From https://www.sdge.com/major-projects/shelter-valley-virtual-power-plant-pilot-project

Note that SDG&E doesn’t take this a step further and say that this will result in a reduction in the building of conventional power plants.

St. Clair Power Plant.
Since VPPs look like residential/commercial communities (because they are), most of us think that VPPs are prettier than many conventional power plants such as this one. By Cgord (talk) – (Cgord (talk)) created this work entirely by himself. Transferred from Wikipedia., GFDL, https://commons.wikimedia.org/w/index.php?curid=19912142

And SDG&E definitely doesn’t say that this will result in lower rates for energy consumers. But maybe some energy utility will make this commitment.

A musical postlude

A major component of a VPP is the solar energy that is generated by solar cells on people’s homes. Of course, solar energy is nothing new, as those of us who recall a certain song know all too well.

From https://www.youtube.com/watch?v=Y43XLVqjytQ

I’ll grant that there are differing views

Two POSSIBLE complications to a future Advent International sale of IDEMIA

(UPDATE: I have indicated portions of this post that include speculation from myself and others.)

When I wrote “About THAT Reuters article” (specifically, the February 4 article speculating about a possible sale of IDEMIA by Advent International to Thales Group), I noted that I have no expertise in predicting corporate acquisitions.

However, I’ve experienced three of them, including Motorola’s acquisition of Printrak in 2000, Safran’s acquisition of Motorola’s Biometric Business Unit in 2008-2009, and Advent International’s acquisition of Safran’s Morpho unit in 2016-2017 (and Advent’s merger of Oberthur and Morpho to form OT-Morpho, later IDEMIA).

None of these was a simple matter of the acquiring company and the acquired company approving the acquisition. It was more complicated than that.

From https://www.yourtango.com/201168184/facebook-relationship-status-what-does-its-complicated-mean

Motorola acquires Printrak

UPDATE 8/20/2025. I just had to disable browser notifications from two rogue sites. See bold paragraph below.

[UPDATE 8/20/2025: I have disabled the links below because the link now redirects to adware malware. Pity, because the original page was an excellent source of the negotiations between Printrak and Motorola.]

Even the most straightforward of the acquisitions that I experienced, the U.S. company Motorola’s acquisition of the U.S. company Printrak, required a number of government approvals.

Under the Hart-Scott-Rodino Antitrust Improvements Act of 1976, and the rules promulgated under the Hart-Scott-Rodino Act, Printrak, Acquisition Sub and Motorola cannot complete the Merger until they notify and furnish information regarding the acquisition of Printrak by Acquisition Sub to the Federal Trade Commission and the Antitrust Division of the U.S. Department of Justice and satisfy specified waiting period requirements. Printrak and Motorola (as the sole stockholder of Acquisition Sub) filed notification and report forms under the Hart-Scott-Rodino Act with the FTC and the Antitrust Division on September 26, 2000 and received early termination of the waiting period from the Federal Trade Commission effective October 11, 2000.

From [REDACTED]/Document/0000912057-00-045478/

And not just from the U.S. government.

In addition, Printrak and Motorola are required to furnish certain information and materials to the antitrust authorities of Argentina, Brazil, the Federal Republic of Germany, and Romania. Filings were made in Argentina on September 22, 2000, in Brazil on September 19, 2000 and in the Federal Republic of Germany on September 27, 2000. German antitrust authorities have one month after the parties file their application to review the transaction. During that one month period, they can either approve the transaction or initiate an examination of the transaction which could take an additional three months, during which time the parties cannot close the transaction. During this three month period, the antitrust authorities will either approve the transaction or prohibit it. Approval may be granted before the initial one month review or before the additional three month review period. If approved, the antitrust authorities can not later challenge the transaction under their merger law but could challenge the transaction under other provisions of their antitrust laws. Printrak and Motorola intend to make a post-closing filing in Romania as soon as practicable after the closing.

From [REDACTED]/Document/0000912057-00-045478/

Why did the Motorola acquisition of Printrak require all of those approvals? Because Printrak did business in these countries (and many others), and the governments of those particular countries wanted to exert control over who does business in their country. For example, Printrak was the automated fingerprint identification system (AFIS) supplier in Romania, and the government of Romania had a need to know what would happen if Motorola were to become the supplier of its AFIS. Would all of the fingerprints be replaced by batwings? Would the new owner require the Romanian employees to apply Six Sigma in their everyday lives? Would Romania have to use Iridium to communicate AFIS data?

Before Omnitrak, RAZR, and PEBL, there was Iridium. From https://www.logo.wine/logo/Iridium_Communications

Well, everyone in the U.S. and the other countries granted approval, and the Motorola acquisition of Printrak was eventually completed, although it took roughly three months to get all the approvals. I remember that we were at a trade show (IACP, I think) with Printrak signage, and received mid-show approval to string up Motorola banners after receiving final approval.

And that was the relatively EASY acquisition of the three that I experienced. The next one was harder.

Safran acquires part of Motorola

It became more complicated when Motorola, a U.S. supplier of export-controlled fingerprint identification software and hardware, sought to sell a portion of itself to Safran, a French company.

By the time that Safran announced its intent to acquire Motorola’s Biometric Business Unit, a new government entity entered the picture – the Committee for Foreign Investment in the United States (CFIUS).

CFIUS is an interagency committee authorized to review certain transactions involving foreign investment in the United States and certain real estate transactions by foreign persons, in order to determine the effect of such transactions on the national security of the United States.

From https://home.treasury.gov/policy-issues/international/the-committee-on-foreign-investment-in-the-united-states-cfius

Why did CFIUS get involved?

Because Motorola not only sold fingerprint identification technology, an export controlled technology, but also managed law enforcement data for a number of states and (on a limited basis) for the U.S. Federal Bureau of Investigation and other federal government agencies.

Never mind the fact that France has been a long-standing ally of the United States. Heck, Israel is an ally of the U.S., and we didn’t like it when Israel spied on us.

CFIUS had to make sure that foreign control of Motorola’s biometric assets wouldn’t cause issues. Would French intelligence personnel steal all of the personally identifiable information (PII) from the AFIS databases in Minnesota, North Carolina, and other states?

Safran acquires other things

Eventually CFIUS decided that there was no critical threat and allowed the Safran acquisition of Motorola’s Biometric Business Unit to go through.

After all, it wasn’t like Motorola managed the main FBI criminal database, or state driver’s license databases, or anything like that.

  • You see, the main FBI criminal database, then known as IAFIS, was already managed by Safran.
  • And the state driver’s license databases were managed by neither Safran nor Motorola. A separate company, L-1 Identity Solutions, managed the majority of those databases.

So Safran’s acquisition of Motorola’s biometric assets was approved by all necessary government entities, and everyone was happy.

But Safran wasn’t done with its acquisitions, and a few years later acquired L-1 Identity Solutions also. So now U.S. driver’s license production would be under French control.

This time around, CFIUS insisted on mitigating the effects of “Foreign Ownership, Control or Influence” (FOCI). Specifically, L-1 Identity Solutions (renamed “MorphoTrust”) was placed under a proxy structure, in which MorphoTrust’s Board of Directors was entirely composed of U.S. citizens. In addition, a number of MorphoTrust employees who were not U.S. citizens were shifted away from MorphoTrust to other Safran companies (most notably MorphoTrak, the company that contained the former Motorola Biometric Business Unit and other stuff).

By the way, I wrote about this before, but it’s in a Bredemarket Premium article so most of you can’t read it. Consider this information a freebie.

Even though they were owned by the same company, and used some of the same hardware components, MorphoTrust and MorphoTrak were managed separately. MorphoTrust had to log its contacts with foreigners, including U.S. employees of the foreign-owned MorphoTrak. Any transactions between MorphoTrust and MorphoTrak had to be carefully monitored to ensure that “foreign” components didn’t sneak their way into MorphoTrust products. And (most notably) because we couldn’t really talk to each other, MorphoTrust and MorphoTrak actually competed against each other on several occasions, including instances in which both subsidiaries proposed fingerprint livescan stations to the same customers.

But we were one big happy fractured family, and CFIUS was satisfied.

Well, until the next acquisition took place.

Advent International (and Oberthur) acquires part of Safran

Remember how I said that I couldn’t really predict acquisitions? After Safran acquired Motorola’s Biometric Business Unit, I thought I was home free. Printrak was the odd man out in Motorola, since our part of Motorola (later becoming Motorola Solutions) specialized in the sale of lots and lots of police radios, while we in Printrak specialized in the sale of a few AFIS systems. Once we joined Safran, we became part of a huge division (Sagem Sécurité, later known as Morpho) that ONLY performed identity functions.

Little did I know that Safran, whose main business was in aerospace, would decide to jettison the entire Morpho division.

So now an American investment firm would buy a French company.

You can bet that this required a round of approvals on both sides of the Atlantic.

France and the European Union certainly had an interest. As I noted in a recent post about Alaska’s HB389 bill, Advent International was not the sole owner; Advent had to bring the French government-owned entity Bpifrance on as a minority owner. And the European Union had to grant antitrust approval.

But on the U.S. side, CFIUS got involved again because MorphoTrust was part of the acquisition. Never mind the fact that MorphoTrust was now majority American-owned; MorphoTrust’s corporate parent was headquartered in France, and Bpifrance owned part of MorphoTrust.

So what happened?

MorphoTrust was removed from FOCI control, sort of, and merged with MorphoTrak and some parts of Oberthur to form IDEMIA Identity & Security USA LLC.

IDEMIA created a new FOCI-mitigated entity, IDEMIA National Security Solutions.

And my job became really complicated, because I, a former MorphoTrak employee, reported to someone who was a former MorphoTrust employee. And even though the U.S. part of IDEMIA (excluding IDEMIA NSS) was no longer FOCI-mitigated, some leftovers from the old MorphoTrust days were still around.

Initially there were still two separate computer networks, and I had to have access to both of them, which meant that I had to obtain a second computer from the Billerica, Massachusetts office to access the old MorphoTrust network. (Before obtaining that second computer, I had to undergo a security screening.)

Eventually the two separate networks went away…after I left IDEMIA. Actually, I’m not entirely certain that they COMPLETELY went away, but at least the email addresses were all standardized throughout the United States after I left. (Yes, I had two email addresses also.)

Two new complications when some future entity acquires IDEMIA

So what happens in the future? Reuters has speculated what may happen, and I am speculating also.

As I noted previously, Advent International acquires businesses, revamps them, and sells them (hopefully) at a profit.

So even if the Reuters article turns out to be factually incorrect, Advent is going to sell IDEMIA someday.

Based upon past acquisitions, I believe it is pretty likely that the French government is going to have some say in the sale. Reuters speculated that nothing will happen until after next month’s Presidential election in France. (See my LinkedIn post in Bredemarket Identity Firm Services about the French election.) The French President, whoever he or she may be when Advent finally tries to sell IDEMIA in 2022, 2023, or 2033, is going to exert control over who the final buyer will be. Perhaps the President may insist that IDEMIA be sold to a French company, or at least a European Union company.

And based upon past acquisitions, I believe it is pretty likely that the U.S. government is going to have some say in the sale. The U.S. President, whoever he or she may be when Advent tries to sell IDEMIA (again, whenever that may occur), is going to exert control over who the final buyer will be, because of the significant business that IDEMIA NSS and the rest of IDEMIA does with U.S. federal, state, and local government entities. Oh, and there’s also the matter of fingerprint identification export control.

But those are not the two complications that I’m talking about. There are two NEW complications.

Possible Complication Number One: IDEMIA has locations all over the world, including a location in Moscow.

As I write this post, a number of Western businesses are ceasing their business operations in Russia because of the war in Ukraine. This has caused issues with the Russian government.

As of Monday (March 14), at least 375 companies had announced some sort of pullback from Russia, according to a list maintained by the School of Management at Yale University. The list includes companies that have cut ties with Russia completely, as well as those that have suspended operations there while attempting to preserve the option to return.

According to multiple media reports, dozens of Western companies have been contacted by prosecutors in Russia with warnings that their assets, including production facilities, offices, and intellectual property, such as trademarks, may be seized by the government if they withdraw from the country.

From https://www.voanews.com/a/putin-threatens-to-privatize-western-companies-that-exit-russia-/6485253.html

Unless IDEMIA is acquired by a Russian company (which is extremely unlikely, given French and U.S. interests), anyone who acquires IDEMIA (or any company with Russian offices) has to consider how Russia will react. Will the Russian portion of the business be a total loss? Will Russian entities acquire IDEMIA intellectual property? (This would be ironic, considering some past allegations that have been made but not IMHO proven.)

But Russia isn’t the only potential complication of a sale of IDEMIA.

Possible Complication Number Two: IDEMIA also has locations in Beijing, Hong Kong, and Shenzhen. And it’s possible that the Chinese government is going to have some interest in who IDEMIA’s future owner will be.

It is possible that China’s State Administration for Market Regulation (SAMR) might review any acquisition.

In early September of 2021, China’s competition authority, the State Administration for Market Regulation (“SAMR”) issued a report (“SAMR 2020 Report”) summarizing its Anti-Monopoly Law enforcement activities during the period covering the 13th Five-Year Plan (2016-2020).

From https://www.competitionpolicyinternational.com/a-reflection-on-chinas-merger-reviews-key-messages-from-the-latest-five-year-report-and-insights-from-economists/

Yes, Five-Year Plan. While China has private companies, the Communist Party still oversees things.

From 2016 to 2020, SAMR concluded 2,147 merger reviews and completed 179 antitrust investigations, imposing fines totaling RMB 2.79 billion (or USD 413 million).

From https://www.competitionpolicyinternational.com/a-reflection-on-chinas-merger-reviews-key-messages-from-the-latest-five-year-report-and-insights-from-economists/

While relations between the West and China are certainly better than current relations between the West and Russia, there is always an underlying tension in those relations. For example, if a Taiwanese company were to acquire IDEMIA, this could be considered a declaration of war.

And in the specific case of IDEMIA, the biometric algorithms from IDEMIA directly compete with biometric algorithms from China. The February 2022 printed version of the NIST FRVT 1:1 report indicates that dozens of tested facial recognition algorithms are of Chinese origin, including algorithms from Cloudwalk, Dahua, Fujitsu, Hikvision, Megvii, Sensetime, Tencent, Xforward, and a host of other companies and universities.

What if (again, I’m speculating) China decides to oppose an acquisition of IDEMIA unless it receives assurances that IDEMIA will not threaten the domestic Chinese biometric providers?

Conclusion

So whoever buys IDEMIA from Advent may have to pay attention to government regulators in the U.S., France, the European Union, and possibly Argentina, Brazil, China, Germany, Romania, and Russia.

International business is complicated.

The cost of abandoned shopping carts is measurable

People in the biometric and banking industries like to use the word “frictionless.” It refers to the ability to make tasks such as building access and online purchases as easy as possible. When you make a purchase as hard as possible, it’s referred to as “friction.”

And we’ve all encountered friction online.

By Scooooly – Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=47265558

(Type the TWO words?)

Provided that the transaction is secure, a frictionless transaction is preferable to a friction one. If you introduce too much friction into an operation, then the person trying to access a building or the person trying to complete an online transaction will give up. In the finance world, the online transaction is “abandoned,” sometimes after the potential buyer has already selected what they want to purchase. The end result is referred to in the industry as an abandoned shopping cart.

By Tim Reckmann from Hamm, Deutschland – Einkaufswagen, CC BY 2.0, https://commons.wikimedia.org/w/index.php?curid=83154898

(And no, I don’t know the German for “abandoned,” but whatever it is, you can pair it with “Einkaufswagen” and come up with a really long description.)

At one point in my corporate career, I was looking at (virtual) abandoned shopping carts, and trying to figure out how digital identity mechanisms could reduce the number of abandoned shopping carts for online transactions. Any reduction would naturally translate to increased sales and increased profits for the online vendor.

Well, at this point in my post-corporate career, I was able to look at abandoned shopping carts from another perspective.

I abandoned a shopping cart this morning.

Not because of a horrendous CAPTCHA.

I abandoned it because the vendor wasn’t there.

Check

When I started Bredemarket in 2020, one of the things that I did was open a business banking account. The process was a little complex because of raging COVID, since I had to submit all of my relevant documents online. (I also looked at THAT issue during my corporate years.)

As I finished setting up the account, my bank provided me with an offer for business checks. The offer was relatively expensive and didn’t include that many checks, but I didn’t care about that because I didn’t need that many checks anyway. In fact, after thinking about it, I decided that I didn’t need ANY checks. My business was just starting, and I couldn’t really afford to throw away money on extravagances such as bank checks.

And I got by for a while, until February 2022. I was considering a particular purchase from a small nonprofit, and I noticed that this small nonprofit didn’t take credit cards, or Zelle, or PayPal, or Venmo. (Or Bitcoin.) This nonprofit accepted payment in…checks.

So I decided that after a year, it’s time that Bredemarket had its own checks like all the cool companies have. I didn’t need that many, but obviously I was going to need one or two or a few.

So I logged in to my bank’s website to order some checks.

Now why would I log into the bank’s website to buy something that I knew was expensive? Again, the frictionless experience. It was worth some money to me to just go directly to my bank and order the expensive item, rather than having to hunt around for some other service and order the less expensive item. After all, my bank had all my information right there, so ordering checks through the bank should be a breeze, right?

Not exactly.

After logging in to my bank account and searching through several places on the website, I finally found out that I could order checks. Not online on the bank’s own website, but via an 800 number belonging to the bank’s third party check printing partner.

So I called the 800 number…and was disconnected.

So I called the 800 number again.

(For those playing along at home, take a moment and count the number of instances of friction that I have encountered so far in making this purchase that I thought was going to be really really frictionless. There will be more instances as we go along.)

Now telephone customer service centers are wonderful things. (I should know, I just finished a job for a client that included a discussion of a telephone customer service center, and the CSC was a wonderful thing.) While I know of people who despise phone trees, they have the advantage of getting you help as soon as possible. And once you’re routed to the proper department, even if you’re not immediately helped, the phone trees often tell you either how many people are ahead of you in line, or approximately how long it will take before someone helps you. (The REALLY good phone trees take your number and call you back, so you don’t have to sit on hold.)

My bank doesn’t have a good phone tree.

I think I answered one or two simple questions at most, and then learned that all of their representatives were busy. I didn’t learn how many people were ahead of me in line. I didn’t learn how long it would take to answer my call. Instead, I was fed promotional stuff about some streaming TV special of some sort. I didn’t pay attention to the details, because I was thinking to myself:

John, why are you sitting on hold to buy expensive bank checks?

So I abandoned my shopping cart before I even had a chance to put anything into it.

Checkmate

I then went to the website of one of the major warehouse stores (the one that ISN’T based in Arkansas) where I had a personal membership, easily found the link in the business services section where I could order checks online, went to the warehouse store’s check vendor, and (in a fairly frictionless fashion) ordered checks for Bredemarket. The most typing that I did was to input my bank account routing information and account number, and input my warehouse membership number to get the warehouse discount. (My business address is saved in my browser. It’s not a huge security risk to do this.)

I immediately received two emails.

  • One was from the check vendor, with information about my order, including the items ordered, the anticipated delivery date, and a link to track the status of my order. (It’s in production.)
  • The other was from my bank, informing me that an online purchase had just been made from my bank account.

Unfortunately for the bank, it probably doesn’t have the advanced analytics to link that purchase from a check printing company to my unanswered phone call to the bank’s own check printing company a few minutes prior.

Because if the bank was able to put two and two together, it would realize that the money I paid to that check printing company could have gone to the bank’s check printing company instead.

But how to measure?

There’s one interesting wrinkle in the measurement of this abandoned shopping cart.

I never got to the point of receiving a price quote from the bank’s check printer, but from my hazy recollections from 2020, I think that the price that I paid for checks today was roughly half what the bank’s check printer would have charged me. (And I got more checks, but since I probably won’t use them all, that isn’t really a factor.)

So the warehouse’s check printer made a sale of $x, while the bank’s check printer lost a sale of roughly twice that amount, or $2x.

And I have an additional $x in my pocket which I wouldn’t have had if the bank’s check printer had answered its phone before I had second thoughts.

So what am I going to do with that $x?

Well, there’s that nonprofit, I guess…

About THAT Reuters article

I intentionally chose an obscure title for this post.

I could have entitled the post “Ricardo Montalban.” Just because.

In a more relevant way, I could have entitled the post “Former IDEMIA employee weighs in on Advent’s possible sale of the company.” That would have got some clicks, to be sure.

But it would have misled the reader, because the reader would have gotten the idea that I have some expertise in corporate acquisitions, and an ability to predict them.

And as past history has shown, I do not have any such expertise.

  • In 2000, I was completely and totally surprised when I learned that Printrak wanted to sell itself to Motorola. I didn’t have a clue that any such thing was going to happen.
  • In 2008, I was reading online late one evening and was completely and totally surprised when I learned that Motorola wanted to sell off half of Printrak to the French company Safran, the Sagem Morpho folks. Yes, Motorola was in trouble, but I didn’t have any idea that we would be sold off.
  • Years later, I was kinda sorta surprised when Safran decided that it wanted to get rid of its entire identity and security business, and was completely and totally surprised when the buyer was an American investment firm that owned Oberthur Technologies.

So my record on really understanding these acquisitions is pretty low.

With that caveat, I’ll go ahead and use a really eye-catching SUBtitle. Better late than never.

Former IDEMIA employee weighs in on Advent’s possible sale of the company

Impressive, isn’t it?

But before proceeding, I should let you know about THAT Reuters article that I referenced in the real post title.

On Friday, Reuters published an exclusive article entitled “Advent gears up for $4.6 bln sale of French biometrics firm IDEMIA – sources.”

So who is Advent?

Advent (actually, Advent International) is the American investment firm that I mentioned earlier. As an investment firm, its purpose in life is to buy businesses, improve them, and sell them for a profit.

Back in 2011, Advent bought Oberthur Technologies with this intent. To that end, Advent announced in 2015 that Oberthur Technologies planned an Initial Public Offering. Within a month, those plans were shelved. Advent determined that an Oberthur IPO wouldn’t do so well.

So Advent began thinking about ways to make Oberthur more attractive.

At the same time, Safran was trying to decide what to do with its identity and security business. The purchase of Printrak was just a blip in Safran’s plans, as it acquired L-1 Identity Solutions (renamed MorphoTrust) and other businesses. But Safran is not an identity and security company. It’s a “de plane” company.

By ABC Television – eBay itemphoto frontphoto back, Public Domain, https://commons.wikimedia.org/w/index.php?curid=20143137

And Safran is also a defense company to protect France and other countries from evil forces.

The identity part of the business was clearly the odd one out. Heck, rich Corinthian leather would have fit better into the Safran product line.

By dave_7 – originally posted to Flickr as Chrysler Cordoba, CC BY 2.0, https://commons.wikimedia.org/w/index.php?curid=6890171

OK, I’ll stop now.

Anyway, in the end Advent announced in 2016 that it had entered into an agreement to negotiate the purchase of Safran’s identity and security business. The purchase was completed on May 31, 2017, and Advent combined Oberthur (OT) and the portion of Safran (Morpho) into OT-Morpho, which was quickly renamed IDEMIA.

I was an employee of IDEMIA at the time, and I don’t think I’m spilling any company secrets if I reveal that Advent wanted IDEMIA to do really really well, so that it could make a profit on the two acquisitions. I wasn’t at the highest executive level that was setting the high-level strategy, but I was often working on initiatives to help realize Advent’s profitability goal.

The possibility of an IDEMIA IPO or sale receded somewhat in early 2020. Among other things, COVID adversely affected two of IDEMIA’s core businesses in the United States, TSA PreCheck (nobody was flying) and driver’s licenses (the DMV offices were all closed).

Back to THAT Reuters article

Fast forward to 2022 and Reuters’ exclusive revelations.

Advent International is looking to sell its French biometrics and fingerprint identification firm IDEMIA in a deal worth up to $4.6 billion as it seeks to capitalise on growing demand for cybersecurity assets in Europe, two sources told Reuters.

The U.S. buyout fund is reviewing a series of options to sell IDEMIA, including a possible break-up of the company which was formed in 2016 by combining Safran’s identity and security business with Oberthur Technologies, the sources said.

From https://www.reuters.com/business/exclusive-advent-gears-up-46-bln-sale-french-biometrics-firm-idemia-sources-2022-02-04/

As you, the wise reader, know, Reuters goofed here.

IDEMIA was NOT formed in 2016. The formation of IDEMIA was ANNOUNCED in 2016, but the deal wasn’t actually COMPLETED until 2017. Hey, at least Biometric Update got it right.

Anyway, if you read either Reuters or Biometric Update, you’ll learn that nothing is going to happen immediately (France is holding an election in April, and the composition of the new government could impact any sale), and that the possible split-up may separate the part of the business that sells to governments from the part that sells to commercial firms.

Of course, the big question about any sale of IDEMIA would be the identity of the buyer. Would Advent try (again) to issue an IPO, or would Advent look for one or more existing companies to purchase IDEMIA?

Both Reuters and Biometric Update speculate that Thales could be a potential buyer. While Safran was slimming down to concentrate on its aircraft business, Thales has been beefing up to diversify its business, most notably in its purchase of Gemalto. (As people in my industry know, that purchase provided Thales with the technology of the old Cogent Systems.)

However, there are two possible issues with a Thales purchase of all or part of IDEMIA.

  • Antitrust issues. Automated fingerprint identification systems aren’t the only product that Thales and IDEMIA have in common. For example, both companies provide driver’s licenses in the United States. As any Thales purchase of IDEMIA is considered by the United States, France, and dozens of other countries, the deal could be opposed on antitrust grounds. This can be mitigated by limiting what Thales can buy, but it could complicate matters.
  • Thales is French. Some of the driver’s license and biometric technology that IDEMIA sells was developed in the United States, and is used by many government agencies, including the Federal Bureau of Investigation and the Department of Homeland Security. At present, while IDEMIA is headquartered in France, it is primarily owned by Americans, so there’s a teeny bit of comfort in that. But what if a French firm were to own IDEMIA? The horror! (Many years ago, when Cogent Systems first sold itself, it intentionally chose a U.S. buyer, 3M, for this very reason.) Never mind that the U.S. government has been using French (and Japanese) technology for years, and that some very specific arrangements have been set up to mitigate the risks of foreign ownership. Some Senator or another is guaranteed to raise a big stink if U.S. government institutions are dependent upon a French company.

So perhaps Thales could buy all or part of IDEMIA, or perhaps it may pass. But if Thales passes, are there any U.S.-owned companies that may have an interest in IDEMIA’s technology?

Because of my biometric bias, the first thing that I would consider would be American companies that are active in the biometric market. However, many of the U.S. companies are small, and don’t have a few billion dollars lying around to buy IDEMIA. So don’t look for Aware, Clearview AI, Paravision, Rank One Computing, or the like to be a buyer.

There are of course much bigger U.S. firms in high tech that have dipped their fingers into the biometrics market. Amazon, Apple, Facebook, Google, and Microsoft all come to mind. However, those same customers that are of prime concern to U.S. Senators are also of prime concern to the employees of some of those firms, who don’t want their employers to do business with the “evil” Department of Homeland Security or even the “evil” local police departments that should all be defunded. (Amazon quit selling Rekognition to police agencies, for example.) Even Apple, which is developing its own digital driver’s license technology, is probably reluctant to own IDEMIA.

But there’s one tech company that intrigues me as possibly having an interest in IDEMIA.

Oracle.

It’s big enough to make the purchase, certainly likes to make acquisitions, and has no hesitation about working with government agencies.

ANY government agency.

After all, the name “Oracle” came from a database project that Ellison worked on before founding the company with the same name.

His client was the Central Intelligence Agency.

If you’ve paid attention to this article, then you already know that since I have speculated that Oracle could purchase IDEMIA, that puts the chances of Oracle actually purchasing IDEMIA at zero.

And for all we know, Reuters’ two sources might be unreliable, or something else might happen (another COVID variant?) that could cause Advent to hold on to IDEMIA for a few more years.

So we’ll have to see what happens.