Most technology publications, with the notable exception of IPVM, are at least partially funded by the companies they cover. Therefore there’s an unavoidable tension between keeping the advertisers happy and casting a critical eye on the industry.
I accept this tension because it applies to Bredemarket itself. Although my clients are absolutely wonderful, there may emerge a future situation where they may be less than perfect. So naturally I have to watch my tongue.
As does Biometric Update.
Remember when IDloop asserted it offered “the world’s first FBI-certified 3D contactless fingerprint scanner,” and Biometric Update reported the claim with no comment? I said at the time:
“Biometric Update reports news as reported, and I don’t think it’s Biometric Update’s purpose to poke holes in vendor claims.”
But then Biometric Update ran a more recent story.
They said that?
Bear in mind that Biometric Update’s advertisers include vendors who offer identity document validation solutions: either their own, or from a third party.
And Biometric Update’s recent story basically said that these solutions are a toxic dumpster fire.
OK, not in those words. Biometric Update is Canadian owned, and if the publication used the words “toxic dumpster fire” it would never stop apologizing.
Not just ineffective, DISASTROUSLY ineffective. Ouch.
For those not up in their acronyms, the Department of Homeland Security’s (DHS) latest annual round of tests was called the Remote Identity Validation Rally (RIVR).
DHS set performance goals for the submitted entries and publicized the (anonymous) results.
“Four of the seven subsystems tested met the goal for system error rate. Four did not meet the threshold for FRR, and five fell short in FAR. In other words, most systems let too few legitimate IDs through, even more passed too many fraudulent IDs, and six of seven fell short on one or both sides of the assessment.”
Google Gemini.
Biometric Update didn’t reveal the…um…identity of the one vendor that performed acceptably. But that vendor may self-reveal soon enough.
On anonymity
Why do testing entities sometimes allow participants to remain anonymous?
Because they want participants.
Some biometric tests are NOT designed to identify the best algorithms, but are instead designed to view the state of the industry. And that’s what this test performed with document validation.
Presumably a future test—POND, or Performance Of Notable Documents—will measure the future state-of-the-art of identity document validation.
When the United States was attacked on September 11, 2001—an attack that caused NATO to invoke Article 5, but I digress—Congress and the President decided that the proper response was to reorganize the government and place homeland security efforts under a single Cabinet secretary. While we may question the practical wisdom of that move, the intent was to ensure that the U.S. Government mounted a coordinated response to that specific threat.
Today Americans face the threat of fraud. Granted it isn’t as showy as burning buildings, but fraud clearly impacts many if not most of us. My financial identity has been compromised multiple times in the last several years, and yours probably has also.
But don’t expect Congress and the President to create a single Department of Anti-Fraud any time soon.
Because this is government-wide and necessarily complex, the bill will be referred to at least THREE House Committees:
“Referred to the Committee on Oversight and Government Reform, and in addition to the Committees on Financial Services, and Energy and Commerce, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.”
“9 (9) The National Institute of Standards and 10 Technology (NIST) was directed in the CHIPS and 11 Science Act of 2022 to launch new work to develop 12 a framework of common definitions and voluntary 13 guidance for digital identity management systems, 14 including identity and attribute validation services 15 provided by Federal, State, and local governments, 16 and work is underway at NIST to create this guid 17 ance. However, State and local agencies lack re 18 sources to implement this new guidance, and if this 19 does not change, it will take decades to harden defi 20 ciencies in identity infrastructure.”
Even in the preamble the bill mentions NIST, part of the U.S. Department of Commerce, and the individual states, after mentioning the U.S. Department of the Treasury (FinCEN) earlier in the bill.
But let’s get to the meat of the bill:
“3 SEC. 3. IDENTITY FRAUD PREVENTION INNOVATION 4 GRANTS. 5 (a) IN GENERAL.—The Secretary of the Treasury 6 shall, not later than 1 year after the date of the enactment 7 of this section, establish a grant program to provide iden 8 tity fraud prevention innovation grants to States.”
The specifics:
The states can use the grants to develop mobile driver’s licenses “and other identity credentials.”
They can also use the grants to protect individuals from deepfake attacks.
Another purpose is to develop “interoperable solutions.”
A fourth is to replace vulnerable legacy systems.
The final uses are to make sure the federal government gets its money, because that’s the important thing to Congress.
But there are some limitations in how the funds are spent.
They can’t be used to require mDLs or eliminate physical driver’s licenses.
They can’t be used to “support the issuance of drivers licenses or identity credentials to unauthorized immigrants.” (I could go off on a complete tangent here, but for now I’ll just say that this prevents a STATE from issuing such an identity credential.)
The bill is completely silent on REAL ID, therefore not mandating that everyone HAS to get a REAL ID.
And everything else
So although the bill claims to implement a government-wide solution, the only legislative changes to the federal government involve a single department, Treasury.
But Treasury (FinCEN plus IRS) and the tangentially-mentioned Commerce (NIST) aren’t the only Cabinet departments and independent agencies involved in anti-fraud efforts. Others include:
The Department of Homeland Security, through the Secret Service and every enforcement agency that checks identities at U.S. borders and other locations.
The Federal Trade Commission (FTC).
The Social Security Admistration. Not that SSNs are a national ID…but they de facto are.
And that’s just one example of how anti-fraud efforts are siloed. Much of this is unavoidable in our governmental system (regardless of political parties), in which states and federal government agencies constantly war against each other.
What happens, for example, if the Secret Service decides that the states (funded by Treasury) or the FBI (part of Justice) are impeding its anti-fraud efforts?
Or if someone complains about NIST listing evil Commie Chinese facial recognition algorithms that COULD fight fraud?
Despite what Biometric Update and the Congresspeople say, we do NOT have a government-wide anti-fraud solution.
(And yes, I know that the Capitol is not north of the Washington Monument…yet.)
“Thales is pleased to announce its continued partnership with the State of Alaska Department of Motor Vehicles (DMV) with the launch of the Alaska Mobile ID.Seen as aninnovative digital identity solution, it empowers residents to manage the use of their identification credentials securely and conveniently through their mobile devices.
“The Alaska Mobile ID leverages Thales’ sophisticated digital ID technology to provide Alaskans with a secure method for digital verification of their identity, age, and/or driving privileges. With this ‘cybersecurity by design’ solution, citizens benefit from a quick and secure way to digitally verify their identity while safeguarding their personal information. It also enables selective disclosure, meaning only some attributes of residents’ identities can be electronically verified. As an example, with Alaska Mobile ID, residents will be able to prove they are above 21 without revealing their exact age, which is impossible with physical ID.”
“State-to-State (S2S) Verification Service is a means for a state to electronically check with all other participating states to determine if the applicant currently holds a driver license or identification card in another state. The platform that supports S2S, the State Pointer Exchange Services (SPEXS) was successfully implemented in July 2015. Participation in S2S does not commit a state to be in compliance with the federal REAL ID Act. However, if a state chooses to be REAL ID compliant, the Department of Homeland Security generally looks for S2S to be part of their compliance plan.”
Not all states participate. As it turns out, neither California nor Oklahoma are part of S2S. Oklahoma is slated to join, but this may not happen.
“Oklahoma lawmakers have asked the state Supreme Court to immediately block the transfer of driver’s license and identification card data to a national interstate data exchange run by the American Association of Motor Vehicle Administrators (AAMVA).
“The lawmakers argue that the planned transmission exceeds statutory authority, violates state privacy protections, and collapses a key distinction that Oklahoma law makes between REAL ID-compliant and noncompliant credentials.”
Based upon past history, it’s no surprise that some in Oklahoma oppose big guvmint and AAMVA S2S participation.
(As an aside, take a moment to think about how a state in enforcing the privacy of Social Security Numbers, which are assigned at the federal level. And also think about how Social Security Numbers are NOT supposed to be a national ID number. The mind boggles.)
So what do the other states do if someone claims to have a California driver’s license, but California won’t confirm this because of privacy concerns? Here’s what Tennessee does.
“All states and jurisdictions in the United States participate in S2S, except for California, Connecticut, Illinois, Kentucky, Nevada, Oklahoma, and West Virginia. New or returning Tennessee residents transferring from these nine states must obtain a Motor Vehicle Record (MVR) from their former state. The MVR be issued within 30 days of applying for a Tennessee license or ID.”
“It is clear that digital-first identity systems are unlikely to become standard. Most governments will still rely heavily on physical credentials through 2026. Physical documents, such as diver’s licenses and passports, have long life spans. Physical security is already a proven technology, making it essential for continued trust and accessibility in the wake of ever-more sophisticated attack methods. ABI Research cybersecurity analysts view mobile ID as more of a companion to physical credentials.”
Oh, and number 12.
“Interest in biometric payment cards has waned due to high costs and complex onboarding. Zwipe’s bankruptcy in March 2025 is emblematic of this latest trend. To extract returns from their prior investments in biometrics, digital payment providers are pivoting to other markets like secure access and cold wallets. Going forward, the technology will shift from mainstream ambition to specialty use cases, with fewer launches expected in 2026.”
To see what these and the other 11 predictions mean, read the ABI Research article.
No, you don’t have to be a citizen to get a REAL ID.
But your REAL ID is tied to your authorization to be in the United States, and expires on the same date as your authorization to be here.
Well, that’s how it’s supposed to work.
In California, the date calculations (based upon 2006 legacy code) were screwed up for 300,000 legal residents.
“The error overrode the correct expiration date, which should have matched the end of the cardholder’s authorized stay in the United States. Under federal rules, immigrants with legal status — including permanent residents, green card holders and visa holders — are eligible for REAL IDs, but the cards’ expiration dates must align with the length of their authorized stay.”
Except when they don’t.
And for those who believe that granting REAL IDs to non-citizens is an example of California breaking the law:
The DHS approved California’s REAL IDs in April 2019 under President Trump.
“If you’re not a U.S. citizen, you must apply in person at a state driver exam station and provide a U.S. Citizenship and Immigration document proving your lawful status in the U.S.”
Unchecked disinformation runs wild in this Slashdot story, contributed anonymously.
“Only the government could spend 20 years creating a national ID that no one wanted and that apparently doesn’t even work as a national ID. But that’s what the federal government has accomplished with the REAL ID, which the Department of Homeland Security (DHS) now considers unreliable, even though getting one requires providing proof of citizenship or lawful status in the country.”
The anonymous Slashdot contributor is either a liar or a fool. As I noted back in May after Leonardo Garcia Venegas’ first detainment (I didn’t know he was detained a second time), a REAL ID was NEVER intended to prove citizenship.
Here are California’s non-citizen REAL ID requirements, which are federally acceptable:
“This includes all U.S. citizens, permanent residents who are not U.S. citizens (Green Card holders), and those with temporary legal status, such as recipients of Deferred Action for Childhood Arrivals (DACA) or Temporary Protected Status (TPS) and holders of a valid student or employment visa.”
But since the REAL ID expiration date matches the date at which temporary legal status expires, it DOES prove legal presence.
Slashdot, get your facts straight.
Postscript: Slashdot lifted its claims from Reason.
But before I launch into my rant, let me define the acronym of the day: AFOID. It stands for “acceptable form of identification.”
And for years (decades), we’ve been told that the ONLY acceptable form of identification to board a plane is a REAL ID, U.S. passport, or a similar form of identity. A REAL ID does not prove citizenship, but it does prove that you are who you say you are.
“The Transportation Security Administration (TSA) is launching a modernized alternative identity verification program for individuals who present at the TSA checkpoint without the required acceptable form of identification (AFOID), such as a REAL ID or passport. This modernized program provides an alternative that may allow these individuals to gain access to the sterile area of an airport if TSA is able to establish their identity. To address the government-incurred costs, individuals who choose to use TSA’s modernized alternative identity verification program will be required to pay an $18 fee. Participation in the modernized alternative identity verification program is optional and does not guarantee an individual will be granted access to the sterile area of an airport.”
I’ve love to see details of what “modernized” means. In today’s corporate environment, that means WE USE AI.
And AI can be embarrassingly inaccurate.
And if you want to know how seedy this all sounds, I asked Google Gemini to create a picture of a man waving money at a TSA agent. Google refused the request.
“I cannot fulfill this request. My purpose is to be helpful and harmless, and that includes refusing to generate images that promote harmful stereotypes, illegal activities, or depict bribery of public officials.”
So someone used generative AI to create a “European Union – United Kingdom” identity card. And if that itself wasn’t a clear enough indication of fakery, they included a watermark saying it was generated.
So I tried something similar.
But Google Gemini blocked my attempt.
“I cannot create images of identification documents, including driver’s licenses, or include text that identifies the image as fake. I am also unable to generate images that depict an impossible or future date of birth, as requested.”
As did Grok.
“I’m sorry, but I can’t create or generate any image that replicates or imitates an official government-issued ID (even with “FAKE” written on it). This includes California REAL ID driver’s licenses or any other state/federal identification document.”
Bredemarket 