Alaska HB389 does NOT repeal REAL ID. But it has a “foreign ownership” clause.

The title of Alaska HB389, introduced last month, sounds grandiose:

“An Act repealing the implementation of the federal REAL ID Act of 2005; relating to identification cards; relating to drivers’ licenses; and providing for an effective date.”

Does HB389 prevent Alaska from issuing REAL IDs?

When you read the title of the bill, alarms go off in your head.

If the title is true, it’s a true setback. After many years, the entire country (perhaps minus a territory or two) has finally gotten on board with REAL ID in advance of the due date, and now one of the states is pulling out.

Except that when you read the detail of the bill (at least as originally written; it could change in committee), it doesn’t repeal Alaska’s compliance with REAL ID.

As Chris Burt notes in a Biometric Update post, it only provides an option for the Alaska Division of Motor Vehicles to issue an identification card that is non-REAL ID compliant. This is not different from any other state (for example, California) that issues non-REAL ID cards that are “not for federal purposes” or “not for federal identification” or “federal limits apply.”

So Alaskans, don’t panic. If you want to get a REAL ID to board a plane, you can still do this. Note the [BRACKETED ALL CAPS] text in Section 1 of HB389 as originally written, illustrated below.

So Alaska can still issue “federally compliant” (i.e., REAL ID) driver’s licenses.

But what about foreign ownership?

But as long as I was reading the text of the bill, I thought I’d see what else it proposed to change, and ran across this text in Section 4.

Now THAT caught my eye. (Alaska Statutes Chapter 15 is the portion of the statutes that governs driver’s licenses in general, so this clause affects EVERYTHING.)

If your company is 94% U.S.-owned, that’s not good enough in Alaska.

(Well, at least until Putin decides that Edouard de Stoeckl’s 1867 sale of Alaska was illegal…)

The signing of the Alaska Treaty of Cessation on March 30, 1867. Left to right: Robert S. Chew, William H. Seward, William Hunter, Mr. Bodisco, Eduard de Stoeckl, Charles Sumner, and Frederick W. Seward. By Emanuel Leutze (d. 1868) – http://www.akhistorycourse.org/articles/article.php?artID=202, Public Domain, https://commons.wikimedia.org/w/index.php?curid=4246381

Most if not all U.S. state agencies do not produce driver’s licenses themselves, but instead contract with private companies to do the work. These private companies either produce the licenses at state agency offices, or produce them as a service (DLaaS) at a secure production center (which may produce licenses for multiple states). To my knowledge, all of the production centers for U.S. driver’s licenses are located within the United States.

But who are the “private entities” that provide driver’s license manufacturing services? Let’s look at the major ones and see if they’re affected by Section 4 of the draft of Alaska HB389.

IDEMIA

It is a matter of public record that the majority of U.S. states use IDEMIA to produce their driver’s licenses, either within agency offices or in secure IDEMIA production centers. When I was an employee of IDEMIA, I did not have the necessary security clearance to enter any of these production centers. Employees should only have the security permissions that they need, and my job had no need for me to access the PII of IDEMIA’s driver’s license customers, or to enter the facilities in which these secure documents are manufactured. There are security requirements governing this.

…our state-of-the-art central issuance facilities…are highly secure and meet North American Security Products Organization (NASPO) Level I security requirements. 

From https://na.idemia.com/dmv/physical-drivers-licenses-and-id-cards/

We’ll return to NASPO later in this post.

As I’ve noted before, IDEMIA is (currently) majority owned by Advent International, a U.S. based investment firm. IDEMIA entered the U.S. driver’s license market by acquiring Morpho (French), which had previously acquired MorphoTrust/L-1 Identity Solutions (U.S.), which had previously acquired Digimarc’s ID Systems business (also U.S.).

And, as I’ve noted, Advent International will probably choose to sell IDEMIA at some point in the future.

However, Advent International is not the exclusive owner of IDEMIA, because part of the company is owned by Bpifrance, which is (drumroll) French.

Alaska’s HB389, if passed in its original form, would prohibit the state from “communicating” personally identifying information (PII) to a private entity with more than five percent foreign ownership. I do not know the percentage that Bpifrance owns (all of the press releases failed to include that little tidbit), so I don’t know if IDEMIA would run afoul of the law or not.

HB389, if unmodified, is just one thing that any company that purchases IDEMIA must keep in mind.

IDEMIA doesn’t produce Alaska driver’s licenses. Who does?

But that doesn’t matter, because IDEMIA isn’t the Alaska driver’s license vendor anyway. That contract is controlled by another company.

Austin, TX – October 31, 2018 – Gemalto (Euronext NL0000400653 GTO),  and Alaska’s Division of Motor Vehicles will continue their work of providing credentials to citizens with the additional goal of helping the state become Real ID compliant by increasing security of the state’s driver’s license and identification cards.

From https://www.thalesgroup.com/en/markets/digital-identity-and-security/government/press-release/alaska-extends-contract-with-gemalto-to-enhance-drivers-license-security

Gemalto (a Dutch company) was subsequently acquired by Thales, which is a French company. Gemalto entered the U.S. driver’s license market when it acquired Marquis ID Systems.

Now I do not know the details of Alaska’s contract with Thales, but it stands to reason that if Thales is “providing credentials to citizens” (implying a service bureau relationship), then at some point the state is going to have to “convey, distribute, or communicate” PII to Thales.

Other vendors

But don’t worry. IDEMIA and Thales are not the only driver’s license manufacturers out there, so you don’t have to worry about foreigners getting your data. Just select an American company!

For example, Veridos can provide driver’s licenses. Veridos is a joint venture between Giesecke+Devrient and Bundesdruckerei…whoops, that’s not a U.S. company.

And there’s another driver’s license manufacturer out there. It’s called…Canadian Bank Note.

There’s also Valid, which is…Brazilian.

Let’s look at NASPO

Despite the fact that these entities are foreign-owned, all of them (either on their own, or through parents or acquired companies) are members of NASPO, and many of them have NASPO certification.

So what?

NASPO international was formed as the North American Security Products Organization.  The non-profit organization was founded in 2002 by companies and individuals in industry that recognized the need for security focused standards to prevent fraudulent acts that support criminal and terrorist activity….

NASPO INTERNATIONAL was formed to combat the ever increasing amount of fraud within the areas of brand protection, document security, and identity.  Our focus is to produce credible, structured, and, when appropriate, certifiable standards.  NASPO INTERNATIONAL has created a risk reduction standard and auditing process to certify security focused organizations.  This structure also provides the end user with the ability to create a secure supply chain from supplier to end users.

From https://naspo.info/about-us/faq/

From my point of view, NASPO tries to achieve what HB389 clumsily tries to achieve by its “minimal foreign ownership” clause. 100% U.S. ownership does not guarantee the security of your data, and 94% U.S. ownership does not guarantee that your data will wind up in a foreign capital.

So what happens next?

I have no idea whether HB389 will get passed, but unless it is substantially amended, Alaskans can still get REAL ID driver’s licenses so that they can board planes, enter secure federal facilities, and the like without getting a passport or other authorized document.

But I’m not sure what’s going to happen regarding the foreign ownership clause. Maybe people at some of the firms listed above are already looking into this.

But if my assumptions on HB389 are correct, and it passes with Section 4 intact, perhaps Alaska may not be able to rely on a private entity to provide driver’s licenses as a service (DLaaS). In that case, the state will have to produce its own driver’s licenses, free from foreign influence.

About THAT Reuters article

I intentionally chose an obscure title for this post.

I could have entitled the post “Ricardo Montalban.” Just because.

In a more relevant way, I could have entitled the post “Former IDEMIA employee weighs in on Advent’s possible sale of the company.” That would have got some clicks, to be sure.

But it would have misled the reader, because the reader would have gotten the idea that I have some expertise in corporate acquisitions, and an ability to predict them.

And as past history has shown, I do not have any such expertise.

  • In 2000, I was completely and totally surprised when I learned that Printrak wanted to sell itself to Motorola. I didn’t have a clue that any such thing was going to happen.
  • In 2008, I was reading online late one evening and was completely and totally surprised when I learned that Motorola wanted to sell off half of Printrak to the French company Safran, the Sagem Morpho folks. Yes, Motorola was in trouble, but I didn’t have any idea that we would be sold off.
  • Years later, I was kinda sorta surprised when Safran decided that it wanted to get rid of its entire identity and security business, and was completely and totally surprised when the buyer was an American investment firm that owned Oberthur Technologies.

So my record on really understanding these acquisitions is pretty low.

With that caveat, I’ll go ahead and use a really eye-catching SUBtitle. Better late than never.

Former IDEMIA employee weighs in on Advent’s possible sale of the company

Impressive, isn’t it?

But before proceeding, I should let you know about THAT Reuters article that I referenced in the real post title.

On Friday, Reuters published an exclusive article entitled “Advent gears up for $4.6 bln sale of French biometrics firm IDEMIA – sources.”

So who is Advent?

Advent (actually, Advent International) is the American investment firm that I mentioned earlier. As an investment firm, its purpose in life is to buy businesses, improve them, and sell them for a profit.

Back in 2011, Advent bought Oberthur Technologies with this intent. To that end, Advent announced in 2015 that Oberthur Technologies planned an Initial Public Offering. Within a month, those plans were shelved. Advent determined that an Oberthur IPO wouldn’t do so well.

So Advent began thinking about ways to make Oberthur more attractive.

At the same time, Safran was trying to decide what to do with its identity and security business. The purchase of Printrak was just a blip in Safran’s plans, as it acquired L-1 Identity Solutions (renamed MorphoTrust) and other businesses. But Safran is not an identity and security company. It’s a “de plane” company.

By ABC Television – eBay item, photo front, photo back, Public Domain, https://commons.wikimedia.org/w/index.php?curid=20143137

And Safran is also a defense company to protect France and other countries from evil forces.

The identity part of the business was clearly the odd one out. Heck, rich Corinthian leather would have fit better into the Safran product line.

By dave_7 – originally posted to Flickr as Chrysler Cordoba, CC BY 2.0, https://commons.wikimedia.org/w/index.php?curid=6890171

OK, I’ll stop now.

Anyway, in the end Advent announced in 2016 that it had entered into an agreement to negotiate the purchase of Safran’s identity and security business. The purchase was completed on May 31, 2017, and Advent combined Oberthur (OT) and the portion of Safran (Morpho) into OT-Morpho, which was quickly renamed IDEMIA.

I was an employee of IDEMIA at the time, and I don’t think I’m spilling any company secrets if I reveal that Advent wanted IDEMIA to do really really well, so that it could make a profit on the two acquisitions. I wasn’t at the highest executive level that was setting the high-level strategy, but I was often working on initiatives to help realize Advent’s profitability goal.

The possibility of an IDEMIA IPO or sale receded somewhat in early 2020. Among other things, COVID adversely affected two of IDEMIA’s core businesses in the United States, TSA PreCheck (nobody was flying) and driver’s licenses (the DMV offices were all closed).

Back to THAT Reuters article

Fast forward to 2022 and Reuters’ exclusive revelations.

Advent International is looking to sell its French biometrics and fingerprint identification firm IDEMIA in a deal worth up to $4.6 billion as it seeks to capitalise on growing demand for cybersecurity assets in Europe, two sources told Reuters.

The U.S. buyout fund is reviewing a series of options to sell IDEMIA, including a possible break-up of the company which was formed in 2016 by combining Safran’s identity and security business with Oberthur Technologies, the sources said.

From https://www.reuters.com/business/exclusive-advent-gears-up-46-bln-sale-french-biometrics-firm-idemia-sources-2022-02-04/

As you, the wise reader, know, Reuters goofed here.

IDEMIA was NOT formed in 2016. The formation of IDEMIA was ANNOUNCED in 2016, but the deal wasn’t actually COMPLETED until 2017. Hey, at least Biometric Update got it right.

Anyway, if you read either Reuters or Biometric Update, you’ll learn that nothing is going to happen immediately (France is holding an election in April, and the composition of the new government could impact any sale), and that the possible split-up may separate the part of the business that sells to governments from the part that sells to commercial firms.

Of course, the big question about any sale of IDEMIA would be the identity of the buyer. Would Advent try (again) to issue an IPO, or would Advent look for one or more existing companies to purchase IDEMIA?

Both Reuters and Biometric Update speculate that Thales could be a potential buyer. While Safran was slimming down to concentrate on its aircraft business, Thales has been beefing up to diversify its business, most notably in its purchase of Gemalto. (As people in my industry know, that purchase provided Thales with the technology of the old Cogent Systems.)

However, there are two possible issues with a Thales purchase of all or part of IDEMIA.

  • Antitrust issues. Automated fingerprint identification systems aren’t the only product that Thales and IDEMIA have in common. For example, both companies provide driver’s licenses in the United States. As any Thales purchase of IDEMIA is considered by the United States, France, and dozens of other countries, the deal could be opposed on antitrust grounds. This can be mitigated by limiting what Thales can buy, but it could complicate matters.
  • Thales is French. Some of the driver’s license and biometric technology that IDEMIA sells was developed in the United States, and is used by many government agencies, including the Federal Bureau of Investigation and the Department of Homeland Security. At present, while IDEMIA is headquartered in France, it is primarily owned by Americans, so there’s a teeny bit of comfort in that. But what if a French firm were to own IDEMIA? The horror! (Many years ago, when Cogent Systems first sold itself, it intentionally chose a U.S. buyer, 3M, for this very reason.) Never mind that the U.S. government has been using French (and Japanese) technology for years, and that some very specific arrangements have been set up to mitigate the risks of foreign ownership. Some Senator or another is guaranteed to raise a big stink if U.S. government institutions are dependent upon a French company.

So perhaps Thales could buy all or part of IDEMIA, or perhaps it may pass. But if Thales passes, are there any U.S.-owned companies that may have an interest in IDEMIA’s technology?

Because of my biometric bias, the first thing that I would consider would be American companies that are active in the biometric market. However, many of the U.S. companies are small, and don’t have a few billion dollars lying around to buy IDEMIA. So don’t look for Aware, Clearview AI, Paravision, Rank One Computing, or the like to be a buyer.

There are of course much bigger U.S. firms in high tech that have dipped their fingers into the biometrics market. Amazon, Apple, Facebook, Google, and Microsoft all come to mind. However, those same customers that are of prime concern to U.S. Senators are also of prime concern to the employees of some of those firms, who don’t want their employers to do business with the “evil” Department of Homeland Security or even the “evil” local police departments that should all be defunded. (Amazon quit selling Rekognition to police agencies, for example.) Even Apple, which is developing its own digital driver’s license technology, is probably reluctant to own IDEMIA.

But there’s one tech company that intrigues me as possibly having an interest in IDEMIA.

Oracle.

It’s big enough to make the purchase, certainly likes to make acquisitions, and has no hesitation about working with government agencies.

ANY government agency.

After all, the name “Oracle” came from a database project that Ellison worked on before founding the company with the same name.

His client was the Central Intelligence Agency.

If you’ve paid attention to this article, then you already know that since I have speculated that Oracle could purchase IDEMIA, that puts the chances of Oracle actually purchasing IDEMIA at zero.

And for all we know, Reuters’ two sources might be unreliable, or something else might happen (another COVID variant?) that could cause Advent to hold on to IDEMIA for a few more years.

So we’ll have to see what happens.

Are unified digital IDs a thing?

I’ve been busy helping a client who needed summer fill-in help, but I’m finally making the time to catch up on my reading. And this article from Government Technology was on my reading list.

When I read the title “Mobile Driver’s Licenses Pave the Way for Unified Digital IDs,” I was intrigued by the last three words. I mean, there are more and more states releasing (non-pilot) mobile driver’s licenses, and the standard is coming along, and work is being done to prepare for federal acceptance.

But what about the “unified” part? How did David Raths address that?

Government uses of digital ID

Well, he listened to Eric Jorgensen, director of Arizona’s Department of Transportation.

“I actually hate the term ‘mDL’ because it doesn’t recognize the power of what we’re doing here….The whole concept is that we’re providing a way to remotely authenticate a person, to provide a trusted digital identity that doesn’t exist today. Once we provide that, we’re opening doors to enhanced government services. Also, the government can play a key role in facilitating commerce, providing a better citizen experience and providing for the security of that citizen — that goes way beyond what a driver’s license is about.”

All that Jorgensen is discussing, though, is providing a trusted digital identity that is equivalent to a trusted physical identity. If you have to show your driver’s license when visiting a government office’s physical location, conceivably you can show your digital driver’s license when visiting a government office’s website.

Enterprise uses of digital ID

And there are applications beyond government. Delaware and other states are persuading private businesses to accept mobile driver’s licenses as valid forms of identification. There’s a powerful use case for age-restricted products, of course; since all that an alcohol-selling business needs to know is whether you are over the age of 21, the mobile driver’s license ONLY shows that you are over the age of 21. It doesn’t show your address, your weight, or even your birthdate.

But what about a true UNIFIED digital ID?

However, I semantically question whether this is truly a “unified” ID. This is just digitization of an existing government-endorsed ID. A “unified” ID would be one that would not only let me drive, vote, and buy alcohol, but would also serve as my ID to log into Facebook or buy Bitcoin. (Yes, I realize that use of a government ID to buy Bitcoin violates the space-time continuum in some way.)

And for that to happen, work may need to be done to make mobile IDs compatible with existing authentication/authorization methods such as OAuth and OpenID Connect.

And the whole “but what if I don’t have a digital ID?” question must be addressed.

And the whole “but what if I want to use a self-sovereign ID that is NOT government endorsed?” question must be addressed.

And presumably a myriad of other questions would need to be addressed also.

But for me, I can’t address unified digital IDs today. Just got a message from my summer-challenged client…

The infancy of mobile driver’s licenses

More and more states are adopting mobile driver’s licenses that can be stored on a smartphone. Mobile driver’s licenses (mDLs) are available from Colorado, Delaware, Louisiana, and Oklahoma, and may be available from additional states by the time you read this.

LA Wallet Louisiana Digital Driver’s License. lawallet.com.

For me, the two key benefits of mDLs are the following:

  • If you have your smartphone, you have your mDL. Since smartphones are becoming more of a necessary must-have item – and wallets are not – the presence of a driver’s license on a smartphone is beneficial. (Unless, of course, you’re the type of person who misplaces your smartphone.)
  • mDLs can be designed to show only the information that is necessary. If I want to enter a bar or other facility for people over 21, I don’t have to show the bouncer my weight, my address, or even my birthdate. I just have to show the bouncer that I’m over 21.
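
How can a bouncer trust an "over 21" answer without seeing the rest of the license? The sketch below is an added example, not code from any state's mDL app or vendor: the issuer salts and hashes each attribute and seals only the list of hashes, so the holder can release one attribute and the verifier can still check it. The attribute names, sample data and key are constructed, and an HMAC stands in for the issuer's public-key signature so the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key. Stand-in for the issuer's signing key: a real mDL
# carries a public-key signature that verifiers check without any secret.
ISSUER_KEY = b"constructed-demo-issuer-key"


def _digest(item):
    """Hash one salted attribute record in a canonical JSON form."""
    return hashlib.sha256(json.dumps(item, sort_keys=True).encode()).hexdigest()


def _seal(digests):
    """Issuer's integrity tag over the digest list (HMAC stand-in for a signature)."""
    return hmac.new(ISSUER_KEY, json.dumps(digests).encode(), hashlib.sha256).hexdigest()


def issue(attributes):
    """DMV side: salt every attribute, then seal only the list of digests.

    The random salt stops a verifier from guessing an undisclosed low-entropy
    value (such as a birth date) by hashing candidates against the digest list.
    """
    items = {
        name: {"name": name, "value": value, "salt": secrets.token_hex(16)}
        for name, value in attributes.items()
    }
    digests = sorted(_digest(item) for item in items.values())
    return {"items": items, "digests": digests, "seal": _seal(digests)}


def present(credential, requested):
    """Holder side: release only the requested records plus the sealed digests."""
    return {
        "disclosed": [credential["items"][name] for name in requested],
        "digests": credential["digests"],
        "seal": credential["seal"],
    }


def verify(presentation):
    """Verifier side: check the seal, then each disclosed record against it."""
    if not hmac.compare_digest(_seal(presentation["digests"]), presentation["seal"]):
        raise ValueError("digest list was not sealed by the issuer")
    accepted = {}
    for item in presentation["disclosed"]:
        if _digest(item) not in presentation["digests"]:
            raise ValueError(f"attribute {item['name']!r} does not match issuer data")
        accepted[item["name"]] = item["value"]
    return accepted


def demo():
    # Constructed sample holder data.
    credential = issue({
        "age_over_21": True,
        "birth_date": "1990-04-01",
        "resident_address": "123 Example St, Juneau, AK",
        "weight": 80,
    })
    at_the_bar = present(credential, ["age_over_21"])
    return credential, at_the_bar, verify(at_the_bar)


if __name__ == "__main__":
    _, shown, accepted = demo()
    print("bouncer receives:", [i["name"] for i in shown["disclosed"]])
    print("bouncer accepts:", accepted)
```

The verifier sees four opaque digests and one attribute; a holder who edits the released value (for example, flipping `age_over_21` to true) fails the digest check.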

While mDLs are becoming available in more states, they are not fully mature yet.

  • They are only valid in the state where they were issued. You can’t show your Oklahoma mDL in California. (Well, I guess you CAN show it, but a Californian isn’t obligated to do anything.)
  • Even within the state of issue, they’re still not always valid. At least some states require you to carry your physical driver’s license while driving, even if you have an mDL. And you can’t present an mDL to airport security in Denver or any other city. (See the LA Wallet image above, which clearly states “NOT FOR FEDERAL IDENTIFICATION.” So even if Louisiana’s physical driver’s license is REAL ID compliant, its mDL isn’t.)

Part of the issue regarding acceptance of mDLs is that the standards are still evolving. One key standard, ISO/IEC FDIS 18013-5 (Personal identification — ISO-compliant driving licence — Part 5: Mobile driving licence (mDL) application), is still under development.

But these four states, and others, didn’t want to wait until the standards were fully approved, and their solutions were fully certified, before issuing mDLs. Louisiana’s LA Wallet solution was introduced back in July 2018. While none of the solutions by definition can claim compliance with ISO/IEC FDIS 18013-5, they are already providing benefits to the license holders in these four states.

How long will it be until all states, provinces, and territories support mDLs?

The five authentication factors

I thought I had blogged about the five factors of authentication, either here or at jebredcal, but I guess I haven’t explicitly written a post just on this topic.

And I’m not going to do that today either (at least in any detail), because The Cybersecurity Man already did a good job at that (as have many others).

However, for those like me who get a little befuddled after authentication factor 3, I’m going to list all five authentication factors.

  • Something You Know. Think “password.” And no, passwords aren’t dead. But the use of your mother’s maiden name as an authentication factor is hopefully decreasing.
  • Something You Have. I’ve spent much of the last ten years working with this factor, primarily in the form of driver’s licenses. (Yes, MorphoTrak proposed driver’s license systems. No, they eventually stopped doing so. But obviously IDEMIA North America, the former MorphoTrust, has implemented a number of driver’s license systems.) But there are other examples, such as hardware or software tokens.
  • Something You Are. I’ve spent…a long time with this factor, since this is the factor that includes biometrics modalities (finger, face, iris, DNA, voice, vein, etc.). It also includes behavioral biometrics, provided that they are truly behavioral and relatively static.
  • Something You Do. The Cybersecurity Man chose to explain this in a non-behavioral fashion, such as using swiping patterns to unlock a device. This is different from something such as gait recognition, which supposedly remains constant and is thus classified as behavioral biometrics.
  • Somewhere You Are. This is an emerging factor, as smartphones become more and more prevalent and locations are therefore easier to capture. Even then, however, precision isn’t always as good as we want it to be. For example, when you and a few hundred of your closest friends have illegally entered the U.S. Capitol, you can’t use geolocation alone to determine who exactly is in Speaker Pelosi’s office.

Now when these factors are combined via multi-factor authentication, there is a higher probability that the person is who they claim to be. If I enter the password “12345” AND I provide a picture of my driver’s license AND I provide a picture of my face AND I demonstrate the secret finger move AND I am within 25 feet of my documented address, then there is a pretty good likelihood that I am me, despite the fact that I used an extremely poor password.

I don’t know if anyone has come up with a sixth authentication factor yet. But I’m sure someone will if it hasn’t already been done. And then I’ll have to update this post in the same way I’ve been updating my Bredemarket 2021 goals.