Tag Archives: driver's license

Looking at One Voter ID State

Back in 2023, I wrote “How to Vote Fraudulently in a Voter ID State.” But that only works if the voter ID state fails to protect its precincts from fake IDs.

Here is an example of voter ID legislation, this one from South Dakota.

12-18-6.1. Voters required to provide identification before voting.

When the voter is requesting a ballot, the voter shall present a valid form of personal identification. The personal identification that may be presented shall be either:

(1)    A South Dakota driver’s license or nondriver identification card;

(2)    A passport or an identification card, including a picture, issued by an agency of the United States government;

(3)    A tribal identification card, including a picture; or

(4)    A current student identification card, including a picture, issued by a high school or an accredited institution of higher education, including a university, college, or technical school, located within the State of South Dakota.

Source:  SL 2003, ch 82, § 1; SL 2004, ch 108, § 3; SL 2006, ch 71, § 1.

As most people know, legislators only define the law in broad strokes. It is up to the executive to figure out the details of how to implement the law.

So how does the South Dakota Board of Elections determine that the presented identification is valid?

Does every precinct worker in South Dakota possess a copy of a guide (such as this one) that includes, among other items:

“Explanation of what the proper alphanumeric sequencing of a South Dakota ID or Driver’s License should be (how many letters, numbers, etc.).”

In addition, does every precinct worker in South Dakota have access to software and equipment (such as this one that uses “white, infrared, ultraviolet and coaxial lights”) that detects deepfake IDs? This one has a $1,600 list price. You can get cheaper ones that only support white light and can’t detect the other security features, but such readers would violate the law.

If the state can negotiate a discount of $1,000 per reader, then you can equip almost 700 precincts for less than $1 million (excluding training and maintenance, and assuming only 1 reader per precinct). A small price to pay for democracy.

Unfortunately, I could not find Regula in the list of certified South Dakota voting equipment. Perhaps South Dakota uses a competitor.

Of course voter ID fraud doesn’t just affect South Dakota, as I previously noted. But even if South Dakota doesn’t equip its precinct workers to reject voters with fake IDs, I’m sure the other states do.

Well, maybe not Alabama.

Age Estimation is Challenging

(Part of the biometric product marketing expert series)

Two Biometric Update stories that were published on March 27, 2025 reminded me of something I wrote before.

One involved Paravision.

An announcement from Paravision says its biometric age estimation technology has achieved Level 3 certification from the Age Check Certification Scheme (ACCS), the leading independent certification body for age estimation. The results make it one of only six companies globally to receive ACCS’s highest-level designation for compliance.

San Francisco-based Paravision’s age estimation tech posted 100 percent precision in Challenge 25 compliance, with 0 subjects falsely identified as over 25 years old. It also scored a 0 percent Failure to Acquire Rate, meaning that every image submitted for analysis returned a result. Mean Absolute Error (MAE) was 1.37 years, with Standard Deviation of 1.17.

Now this is an impressive achievement, and Paravision is a quality company, and Joey Pritikin is a quality biometric executive, but…well, let me share the other story first, involving a Yoti customer (not Yoti).

Fenix responded that it set a challenge threshold at 23 years of age. Any user estimated to be that age or younger based on their face biometrics is required to use a secondary method for age verification.

Fenix had set OnlyFans challenge age, it turns out, at 20 years old. A correction to 23 years old was carried out on January 16, and then Fenix changed it again three days later, to 21 years old, Ofcom says.

Now Biometric Update was very clear that “Yoti provides the tech, but does not set the threshold.”

Challenge ages and legal ages

But do challenge thresholds have any meaning? I addressed that issue back in May 2024.

Many of the tests used a “Challenge-T” policy, such as “Challenge 25.” In other words, the test doesn’t estimate whether a person IS a particular age, but whether a person is WELL ABOVE a particular age….

So if you have to be 21 to access a good or service, the algorithm doesn’t estimate if you are over 21. Instead, it estimates whether you are over 25. If the algorithm thinks you’re over 25, you’re good to go. If it thinks you’re 24, pull out your ID card.

And if you want to be more accurate, raise the challenge age from 25 to 28.

NIST admits that this procedure results in a “tradeoff between protecting young people and inconveniencing older subjects” (where “older” is someone who is above the legal age but below the challenge age).

You may be asking why the algorithms have to set a challenge age above the lawful age, thus inconveniencing people above the lawful age but below the challenge age.

The reason is simple.

Age estimation is not all that accurate.

I mean, it’s accurate enough if I (a person well above the age of 21 years) must indicate whether I’m old enough to drink, but it’s not sufficiently accurate for a drinker on their 21st birthday (in the U.S.), or a 13 year old getting their first social media account (where lawful).

Not an official document.

If you have a government issued ID, age verification based upon that ID is a much better (albeit less convenient) solution.

(Kid computer picture by Adrian Pingstone – Transferred from en.wikipedia, Public Domain, https://commons.wikimedia.org/w/index.php?curid=112727.)

(Fake driver license picture from https://www.etsy.com/listing/1511398513/editable-little-drivers-license.)

How Much Does Synthetic Identity Fraud Cost?

Identity firms really hope that prospects understand the threat posed by synthetic identity fraud, or SIF.

I’m here to help.

(Synthetic identity AI image from Imagen 3.)

Estimated SIF costs in 2020

In an early synthetic identity fraud post in 2020, I referenced a Thomson Reuters (not Thomas Reuters) article from that year which quoted synthetic identity fraud figures all over the map.

  • My own post referenced the Auriemma Group estimate of a $6 billion cost to U.S. lenders.
  • McKinsey preferred to use a percentage estimate of “10–15% of charge offs in a typical unsecured lending portfolio.” However, this may not be restricted to synthetic identity fraud, but may include other types of fraud.
  • Thomson Reuters quoted Socure’s Johnny Ayers, who estimated that “20% of credit losses stem from synthetic identity fraud.”

Oh, and a later post that I wrote quoted a $20 billion figure for synthetic identity fraud losses in 2020. Plus this is where I learned the cool acronym “SIF” to refer to synthetic identity fraud. As far as I know, there is no government agency with the acronym SIF, which would of course cause confusion. (There was a Social Innovation Fund, but that may no longer exist in 2025.)

Never Search Alone, not National Security Agency. AI image from Imagen 3.

Back to synthetic identity fraud, which reportedly resulted in between $6 billion and $20 billion in losses in 2020.

Estimated SIF costs in 2025

But that was 2020.

What about now? Let’s visit Socure again:

The financial toll of AI-driven fraud is staggering, with projected global losses reaching $40 billion by 2027 up from US12.3 billion in 2023 (CAGR 32%)., driven by sophisticated fraud techniques and automation, such as synthetic identities created with AI tools​.

Again this includes non-synthetic fraud, but it’s a good number for the high end. While my FTC fraud post didn’t break out synthetic identity fraud figures, Plaid cited a 2023 $1.8 billion figure for the auto industry alone, and Mastercard cited a $5 billion figure.

But everyone agrees on a figure of billions and billions.

The real Carl Sagan.
The deepfake Carl Sagan.

(I had to stop writing this post for a minute because I received a phone call from “JP Morgan Chase,” but the person didn’t know who they were talking to, merely asking for the owner of the phone number. Back to fraud.)

Reducing SIF in 2025

In a 2023 post, I cataloged four ways to fight synthetic identity fraud:

  1. Private databases.
  2. Government documents.
  3. Government databases.
  4. A “who you are” test with facial recognition and liveness detection (presentation attack detection).

Ideally an identity verification solution should use multiple methods, and not just one. It doesn’t do you any good to forge a driver’s license if AAMVA doesn’t know about the license in any state or provincial database.

And if you need an identity content marketing expert to communicate how your firm fights synthetic identities, Bredemarket can help with its content-proposal-analysis services.

Find out more about Bredemarket’s “CPA” services.

Digital Driving Licences With Two Cs

(Imagen 3)

In my country, the issuance of driver’s licenses is performed at the state level, not the national level. This has two ramifications.

REAL ID

The U.S. government wanted to tighten down on identification cards to stop terrorists from hijacking planes and crashing them into buildings. 

But it couldn’t. 

When it told the states to issue “REAL ID” cards by 2008, the states said they wouldn’t be told what to do. 

Today all of them support REAL ID cards as an option, but use of REAL IDs for federal functions such as plane travel won’t be enforced until 2027…if then.

mDLs

For years there has been a move to replace physical driver’s licenses with mobile driver’s licenses, or mDLs.

Again, in my country this has been pursued in a piecemeal basis on the state level. Louisiana has its own mDL, with a separate one in Oklahoma, one in California, others in other states, and none in other states. And one state (Florida) that had one, then didn’t have one.

Some mDLs are in custom wallets, while others are or are not in wallets from Apple, Google, and Samsung.

Oh, and don’t try using your Louisiana mDL to buy a beer in Arkansas.

Meanwhile, in the UK

Things are different in other countries. Amit Alagh shared a BBC article with me.

“Digital driving licences are to be introduced in the UK as the government looks to use technology to ‘transform public services’…. The new digital licences will be introduced later this year….”

Throughout the entire United Kingdom, including Scotland and Northern Ireland, apparently.

In one fell swoop. Entire country done.

REAL ID: When Enforcement Isn’t Enforcement

Follow up to the long-standing history of REAL ID enforcement delays.

Lots of delays.

When then-President George W. Bush signed into law the “Real ID Act of 2005,” American adults initially had a May 11, 2008 deadline to ensure their identification documents met federal standards.

For those who didn’t notice, we didn’t all adopt REAL IDs in 2008.

In fact, a few years later I was working on a driver’s license proposal for a state I won’t identify, and the RFP clearly and emphatically stated that REAL ID compliance for the new driver’s license was not…um…OK.

Even during the short history of the Bredemarket blog, the REAL ID enforcement date of May 5, 2023 has been adopted and superseded. And more recently there was a report that that new date of May 7, 2025 would slip.

Well, that won’t happen.

Or will it?

The (so-called) “final” rule

The Transportation Security Administration has published a final rule which clearly states that the REAL ID enforcement date of May 7, 2025 still stands and has not been delayed.

Or perhaps it’s not so clear.

This rule ensures that Federal agencies have appropriate flexibility to implement the card-based enforcement provisions of the REAL ID regulations after the May 7, 2025, enforcement deadline by explicitly permitting agencies to implement these provisions in phases. Under this rule, agencies may implement the card-based enforcement provisions through a phased enforcement plan if they determine it is appropriate upon consideration of relevant factors including security, operational feasibility, and public impact. The rule also requires agencies to coordinate their plans with DHS, make the plans publicly available, and achieve full enforcement by May 5, 2027.

So the enforcement DEADLINE is May 7, 2025, but FULL enforcement will be achieved by May 5, 2027.

Date subject to change.

It’s not only the U.S.

But at least these decades of delays give me an excuse to share a Geico commercial.

And Europe (the continent, not the band) has its own problems with delays to its Entry/Exit System (EES)…and a graduated rollout is proposed.

From https://www.youtube.com/watch?v=1H9FI87HK-s.

Meta Verified is Worthless

I thought X’s blue checks were bad enough, but Meta has topped (or bottomed) Elon in the realm of meaningless identity verification.

The janeaustenpen Instagram account is Meta verified.

From janeaustenpen on Instagram: Meta Verified!

Even though Jane Austen is dead.

Come to think of it, Austen never had a driver’s license. How did she get verified?

But Meta’s AI creation isn’t dead.

And you can’t block “her.”

And probably can’t report “her” for impersonation.

I really dread what LinkedIn is planning. Will Henry Ford dispense advice? Steve Jobs?

KYV: Know Your (Healthcare) Visitor

Who is accessing healthcare assets and data?

Healthcare identity verification and authentication is often substandard, as I noted in a prior Bredemarket blog post entitled “Medical Fraudsters: Birthday Party People.” In too many cases, all you need to know is a patient’s name and birthdate to obtain fraudulent access to the patient’s protected health information (PHI).

But healthcare providers need to identify more than just patients. Providers need to identify their own workers, as well as other healthcare workers.

Know Your Visitor

Healthcare providers also need to identify visitors. When a patient is in a hospital, a rehabilitation facility, or a similar place, loved ones often desire to visit them. (So do hated ones, but we won’t go there now.)

I was recently visiting a loved one in a facility that required identification of visitors. The usual identification method was to present a driver’s license at the desk. The staffer would then print out a paper badge showing the visitor’s name and the validity date.

Like this…

John Bederhoft?

So John “Bederhoft” (sic) enjoyed access that day. Whoops.

Oh, and I could have handed my badge to someone else after a shift change, and no one would have been the wiser.

Let’s apply “somewhat you why”

There’s a more critical question: WHY was John “Berdehoft” visiting (REDACTED PHI)? Was I a relative? A friend? A bill collector? 

My proposed sixth factor of identity verification/authentication, “somewhat you why,” would genuinely help here. 

Somewhat you why “applies a test of intent or reasonableness to any identification request.” 

Maybe I should have said “and” instead of “or.”

  • Visiting a relative shows intent AND reasonableness.
  • Visiting a debtor shows intent but (IMHO) does NOT show reasonableness.

Do you need to analyze healthcare identity issues for your healthcare product or service? Or create go-to-market content for the same? Or proposals?

Contact me at Bredemarket’s “CPA” page.

Temporary REAL-ity?

Your driver’s license isn’t real forever.

When talking about the validity periods for U.S. driver’s licenses (which vary from state to state) in a February 2024 post, Veriff points out one oft-overlooked part of the REAL ID Act:

“If a document bears the typical Real ID star symbol (or some accepted adaptation of it), meaning it is a Real ID-compliant document, it cannot be valid for longer than 8 years (Section 202(d)(10) of the Real ID Act).”

At the time of Veriff’s post, the REAL ID deadline was due for enforcement on May 7, 2025 after numerous delays. Several months later, in September 2024, the Transportation Security Administration started planning to be flexible about that deadline…

Someday the REAL ID Act will be real…

California Knows How to Party (California mDL)

Well, it took long enough.

In part because when I first tried to get a mobile driver’s license (mDL), I used my OLD physical driver’s license AFTER I had renewed my driver’s license online (but before I received the new physical license). Data mismatch. Rejected.

And in part because I kept on forgetting to perform the additional steps to confirm my identity.

And in part because I didn’t truly NEED the mDL—I haven’t flown anywhere since April 2023, and for some strange reason no vendor of age-controlled products has insisted on carding me.

California mobile driver’s license (mDL).

But I now have a California mDL. After talking about mDLs for years as a former IDEMIA employee.

I’ve previously espoused the benefits of mDLs. For example, when a retailer DOES check my age before I buy a beer, the retailer doesn’t learn my address or my (claimed) height and weight. The retailer only needs to confirm that I am old enough to buy a beer.

Oddly enough, I had to block out certain information on my displayed mDL in the image above. Because MY privacy requirements obviously don’t conform to California’s privacy requirements.