driver's license – Page 3

About THAT Reuters article

I intentionally chose an obscure title for this post.

I could have entitled the post “Ricardo Montalban.” Just because.

In a more relevant way, I could have entitled the post “Former IDEMIA employee weighs in on Advent’s possible sale of the company.” That would have got some clicks, to be sure.

But it would have misled the reader, because the reader would have gotten the idea that I have some expertise in corporate acquisitions, and an abillity to predict them.

And as past history has shown, I do not have any such expertise.

In 2000, I was completely and totally surprised when I learned that Printrak wanted to sell itself to Motorola. I didn’t have a clue that any such thing was going to happen.
In 2008, I was reading online late one evening and was completely and totally surprised when I learned that Motorola wanted to sell off half of Printrak to the French company Safran, the Sagem Morpho folks. Yes, Motorola was in trouble, but I didn’t have any idea that we would be sold off.
Years later, I was kinda sorta surprised when Safran decided that it wanted to get rid of its entire identity and security business, and was completely and totally surprised when the buyer was an American investment firm that owned Oberthur Technologies.

So my record on really understanding these acquisitions is pretty low.

With that caveat, I’ll go ahead and use a really eye-catching SUBtitle. Better late than never.

Former IDEMIA employee weighs in on Advent’s possible sale of the company

Impressive, isn’t it?

But before proceeding, I should let you know about THAT Reuters article that I referenced in the real post title.

On Friday, Reuters published an exclusive article entitled “Advent gears up for $4.6 bln sale of French biometrics firm IDEMIA – sources.”

So who is Advent?

Advent (actually, Advent International) is the American investment firm that I mentioned earlier. As an investment firm, its purpose in life is to buy businesses, improve them, and sell them for a profit.

Back in 2011, Advent bought Oberthur Technologies with this intent. To that end, Advent announced in 2015 that Oberthur Technologies planned an Initial Public Offering. Within a month, those plans were shelved. Advent determined that an Oberthur IPO wouldn’t do so well.

So Advent began thinking about ways to make Oberthur more attractive.

At the same time, Safran was trying to decide what to do with its identity and security business. The purchase of Printrak was just a blip in Safran’s plans, as it acquired L-1 Identity Solutions (renamed MorphoTrust) and other businesses. But Safran is not an identity and security company. It’s a “de plane” company.

By ABC Television – eBay itemphoto frontphoto back, Public Domain, https://commons.wikimedia.org/w/index.php?curid=20143137

And Safran is also a defense company to protect France and other countries from evil forces.

By TrekCore: [1], Fair use, https://en.wikipedia.org/w/index.php?curid=24107020

The identity part of the business was clearly the odd one out. Heck, rich Corinthian leather would have fit better into the Safran product line.

By dave_7 – originally posted to Flickr as Chrysler Cordoba, CC BY 2.0, https://commons.wikimedia.org/w/index.php?curid=6890171

OK, I’ll stop now.

Anyway, in the end Advent announced in 2016 that it had entered into an agreement to negotiate the purchase of Safran’s identity and security business. The purchase was completed on May 31, 2017, and Advent combined Oberthur (OT) and the portion of Safran (Morpho) into OT-Morpho, which was quickly renamed IDEMIA.

I was an employee of IDEMIA at the time, and I don’t think I’m spilling any company secrets if I reveal that Advent wanted IDEMIA to do really really well, so that it could make a profit on the two acquisitions. I wasn’t at the highest executive level that was setting the high-level strategy, but I was often working on initiatives to help realize Advent’s profitability goal.

The possibility of an IDEMIA IPO or sale receded somewhat in early 2020. Among other things, COVID adversely affected two of IDEMIA’s core businesses in the United States, TSA PreCheck (nobody was flying) and driver’s licenses (the DMV offices were all closed).

Back to THAT Reuters article

Fast forward to 2022 and Reuters’ exclusive revelations.

Advent International is looking to sell its French biometrics and fingerprint identification firm IDEMIA in a deal worth up to $4.6 billion as it seeks to capitalise on growing demand for cybersecurity assets in Europe, two sources told Reuters.
The U.S. buyout fund is reviewing a series of options to sell IDEMIA, including a possible break-up of the company which was formed in 2016 by combining Safran’s identity and security business with Oberthur Technologies, the sources said.
From https://www.reuters.com/business/exclusive-advent-gears-up-46-bln-sale-french-biometrics-firm-idemia-sources-2022-02-04/

As you, the wise reader, know, Reuters goofed here.

IDEMIA was NOT formed in 2016. The formation of IDEMIA was ANNOUNCED in 2016, but the deal wasn’t actually COMPLETED until 2017. Hey, at least Biometric Update got it right.

Anyway, if you read either Reuters or Biometric Update, you’ll learn that nothing is going to happen immediately (France is holding an election in April, and the composition of the new government could impact any sale), and that the possible split-up may separate the part of the business that sells to governments from the part that sells to commercial firms.

Of course, the big question about any sale of IDEMIA would be the identity of the buyer. Would Advent try (again) to issue an IPO, or would Advent look for one or more existing companies to purchase IDEMIA?

Both Reuters and Biometric Updare speculate that Thales could be a potential buyer. While Safran was slimming down to concentrate on its aircraft business, Thales has been beefing to to diversify its business, most notably in its purchase of Gemalto. (As people in my industry know, that purchase provided Thales with the technology of the old Cogent Systems.)

However, there are two possible issues with a Thales purchase of all or part of IDEMIA.

Antitrust issues. Automated fingerprint identification systems isn’t the only product that Thales and IDEMIA have in common. For example, both companies provide driver’s licenses in the United States. As any Thales purchase of IDEMIA is considered by the United States, France, and dozens of other countries, the deal could be opposed on antitrust grounds. This can be mitigated by limiting what Thales can buy, but it could complicate matters.
Thales is French. Some of the driver’s license and biometric technology that IDEMIA sells was developed in the United States, and is used by many government agencies, including the Federal Bureau of Investigation and the Department of Homeland Security. At present, while IDEMIA is headquartered in France, it is primarily owned by Americans, so there’s a teeny bit of comfort in that. But what if a French firm were to own IDEMIA? The horror! (Many years ago, when Cogent Systems first sold itself, it intentionally chose a U.S. buyer, 3M, for this very reason.) Never mind that the U.S. government has been using French (and Japanese) technology for years, and that some very specific arrangements have been set up to mitigate the risks of foreign ownership. Some Senator or another is guaranteed to raise a big stink if U.S. government institutions are dependent upon a French company.

So perhaps Thales could buy all or part of IDEMIA, or perhaps it may pass. But if Thales passes, are there any U.S.-owned companies that may have an interest in IDEMIA’s technology?

Because of my biometric bias, the first thing that I would consider would be American companies that are active in the biometric market. However, many of the U.S. companies are small, and don’t have a few billion dollars lying around to buy IDEMIA. So don’t look for Aware, Clearview AI, Paravision, Rank One Computing, or the like to be a buyer.

There are of course much bigger U.S. firms in high tech that have dipped their fingers into the biometrics market. Amazon, Apple, Facebook, Google, and Microsoft all come to mind. However, those same customers that are of prime concern to U.S. Senators are also or prime concern to the employees of some of those firms, who don’t want their employers to do business with the “evil” Department of Homeland Security or even the “evil” local police departments that should all be defunded. (Amazon quit selling Rekognition to police agencies, for example.) Even Apple, which is developing its own digital driver’s license technology, is probably reluctant to own IDEMIA.

But there’s one tech company that intrigues me as possibly having an interest in IDEMIA.

Oracle.

It’s big enough to make the purchase, certainly likes to make acquisitions, and has no hesitation about working with government agencies.

ANY government agency.

After all, the name “Oracle” came from a database project that Ellison worked on before founding the company with the same name.

His client was the Central Intelligence Agency.

If you’ve paid attention to this article, then you already know that since I have speculated that Oracle could purchase IDEMIA, that puts the chances of Oracle actually purchasing IDEMIA at zero.

And for all we know, Reuters’ two sources might be unreliable, or something else might happen (another COVID variant?) that could cause Advent to hold on to IDEMIA for a few more years.

So we’ll have to see what happens.

Are unified digital IDs a thing?

I’ve been busy helping a client who needed summer fill-in help, but I’m finally making the time to catch up on my reading. And this article from Government Technology was on my reading list.

From https://www.govtech.com/products/mobile-drivers-licenses-pave-the-way-for-unified-digital-ids

When I read the title “Mobile Driver’s Licenses Pave the Way for Unified Digital IDs,” I was intrigued by the last three words. I mean, there are more and more states releasing (non-pilot) mobile driver’s licenses, and the standard is coming along, and work is being done to prepare for federal acceptance.

But what about the “unified” part? How did David Raths address that?

Government uses of digital ID

Well, he listened to Eric Jorgensen, director of Arizona’s Department of Transportation.

“I actually hate the term ‘mDL’ because it doesn’t recognize the power of what we’re doing here….The whole concept is that we’re providing a way to remotely authenticate a person, to provide a trusted digital identity that doesn’t exist today. Once we provide that, we’re opening doors to enhanced government services. Also, the government can play a key role in facilitating commerce, providing a better citizen experience and providing for the security of that citizen — that goes way beyond what a driver’s license is about.”

Although all that Jorgensen is discussing is providing a trusted digital identity that is equivalent to a trusted physical identity. If you have to show your driver’s license when visiting a government office’s physical location, conceivably you can show your digital driver’s license when visiting a government office’s website.

Enterprise uses of digital ID

And there are applications beyond government. Delaware and other states are persuading private businesses to accept mobile driver’s licenses as valid forms of identification. There’s a powerful use case for age-restricted products, of course; since all that an alcohol-selling business needs to know is whether you are over the age of 21, the mobile driver’s license ONLY shows that you are over the age of 21. It doesn’t show your address, your weight, or even your birthdate.

But what about a true UNIFIED digital ID?

However, I semantically question whether this is truly a “unified” ID. This is just digitization of an existing government-endorsed ID. A “unified” ID would be one that would not only let me drive, vote, and buy alcohol, but would also serve as my ID to log into Facebook or buy Bitcoin. (Yes, I realize that use of a government ID to buy Bitcoin violates the space-time continuum in some way.)

And for that to happen, work may need to be done to make mobile IDs compatible with existing authentication/authorization methods such as OAuth and OpenID Connect.

And the whole “but what if I don’t have a digital ID?” question must be addressed.

And the whole “but what if I want to use a self-sovereign ID that is NOT government endorsed?” question must be addressed.

And presumably a myriad of other questions would need to be addressed also.

But for me, I can’t address unified digital IDs today. Just got a message from my summer-challenged client…

The infancy of mobile driver’s licenses

More and more states are adopting mobile driver’s licenses that can be stored on a smartphone. Mobile driver’s licenses (mDLs) are available from Colorado, Delaware, Louisiana, and Oklahoma, and may be available from additional states by the time you read this.

LA Wallet Louisiana Digital Driver’s License. lawallet.com.

For me, the two key benefits of mDLs are the following:

If you have your smartphone, you have your mDL. Since smartphones are becoming more of a necessary must-have item – and wallets are not – the presence of a driver’s license on a smartphone is beneficial. (Unless, of course, you’re the type of person who misplaces your smartphone.)
mDLs can be designed to show only the information that is necessary. If I want to enter a bar or other facility for people over 21, I don’t have to show the bouncer my weight, my address, or even my birthdate. I just have to show the bouncer that I’m over 21.

While mDLs are becoming available in more states, they are not fully mature yet.

They are only valid in the state where they were issued. You can’t show your Oklahoma mDL in California. (Well, I guess you CAN show it, but a Californian isn’t obligated to do anything.)
Even within the state of issue, they’re still not always valid. At least some states require you to carry your physical driver’s license while driving, even if you have an mDL. And you can’t present an mDL to airport security in Denver or any other city. (See the LA Wallet image above, which clearly states “NOT FOR FEDERAL IDENTIFICATION.” So even if Louisiana’s physical driver’s license is REAL ID compliant, its mDL isn’t.)

Part of the issue regarding acceptance of mDLs is that the standards are still evolving. One key standard, ISO/IEC FDIS 18013-5 (Personal identification — ISO-compliant driving licence — Part 5: Mobile driving licence (mDL) application), is still under development.

But these four states, and others, didn’t want to wait until the standards were fully approved, and their solutions were fully certified, before issuing mDLs. Louisiana’s LA Wallet solution was introduced back in July 2018. While none of the solutions by definition can claim compliance with ISO/IEC FDIS 18013-5, they are already providing benefits to the license holders in these four states.

How long will it be until all states, provinces, and territories support mDLs?

The five authentication factors

(Part of the biometric product marketing expert series)

I thought I had blogged about the five factors of authentication, either here or at jebredcal, but I guess I haven’t explicitly written a post just on this topic. (You’d expect an identity content marketing expert to do that.)

And I’m not going to do that today either (at least in any detail), because The Cybersecurity Man already did a good job at that (as have many others).

However, for those like me who get a little befuddled after authentication factor 3, I’m going to list all five authentication factors.

Something You Know. Think “password.” And no, passwords aren’t dead. But the use of your mother’s maiden name as an authentication factor is hopefully decreasing.
Something You Have. I’ve spent much of the last ten years working with this factor, primarily in the form of driver’s licenses. (Yes, MorphoTrak proposed driver’s license systems. No, they eventually stopped doing so. But obviously IDEMIA North America, the former MorphoTrust, has implemented a number of driver’s license systems.) But there are other examples, such as hardware or software tokens.
Something You Are. I’ve spent…a long time with this factor, since this is the factor that includes biometrics modalities (finger, face, iris, DNA, voice, vein, etc.). It also includes behavioral biometrics, provided that they are truly behavioral and relatively static.
Something You Do. The Cybersecurity Man chose to explain this in a non-behavioral fashion, such as using swiping patterns to unlock a device. This is different from something such as gait recognition, which supposedly remains constant and is thus classified as behavioral biometrics.
Somewhere You Are. This is an emerging factor, as smartphones become more and more prevalent and locations are therefore easier to capture. Even then, however, precision isn’t always as good as we want it to be. For example, when you and a few hundred of your closest friends have illegally entered the U.S. Capitol, you can’t use geolocation alone to determine who exactly is in Speaker Pelosi’s office.

Now when these factors are combined via multi-factor authentication, there is a higher probability that the person is who they claim to be. If I enter the password “12345” AND I provide a picture of my driver’s license AND I provide a picture of my face AND I demonstrate the secret finger move AND I am within 25 feet of my documented address, then there is a pretty good likelihood that I am me, despite the fact that I used an extremely poor password.

I don’t know if anyone has come up with a sixth authentication factor yet. But I’m sure someone will if it hasn’t already been done. And then I’ll update to update this post in the same way I’ve been updating my Bredemarket 2021 goals.