Know Your Contactless Fingerprint Scanning History

As I write this, contactless fingerprint scanners cannot submit their prints to the U.S. Federal Bureau of Investigation’s (FBI) Next Generation Identification (NGI) system.

But the FBI does certify such scanners under a special category.

CFS flats from IDloop

Biometric Update recently wrote about one such scanner.

“Hungarian border police are exploring the use of contactless biometric technology made by German startup IDloop in border control and law enforcement….

“The product [CFS flats] was first introduced in 2024 and is the world’s first 3D contactless fingerprint scanner certified by the FBI, according to the firm.”

Note the last four words.

Biometric Update reports news as reported, and I don’t think it’s Biometric Update’s purpose to poke holes in vendor claims. So they just say that THE FIRM SAYS it’s certified, and it’s the first.

Well, IDloop is half right.

Is IDloop’s CFS flats FBI certified?

The way to check certification is to go to the Certified Products List web page at the FBI Biometric Specifications website. You can go there yourself: https://fbibiospecs.fbi.gov/certifications-1/cpl

And if you do, scroll down to the “Firm” area and look for IDloop in the list of firms.

Yes, it’s there, and it has a certification under the Personal Identity Verification (PIV) specification, originally dated 10/30/2024, modified 1/28/2026.


Here’s the description:

“CFS flats contactless, up to 4-finger, capture device at 500 ppi (PIV-071006) (original 10/24; algorithm update 1/26) Note: Device images a 3-dimensional object, but testing was primarily 2-dimensional – Not for use with CJIS systems.”

Again, the FBI isn’t allowing contactless submissions to CJIS systems such as NGI, in part because the Appendix F specifications assume analysis of fingerprint images on a 2-dimensional object. Obviously very, very difficult with contactless devices that capture 3-dimensional objects.

Is IDloop’s CFS flats first?

Again, here’s what IDloop claims.

Introducing CFS flats—the world’s first FBI-certified 3D contactless fingerprint scanner.

Um…perhaps I should share a bit of my personal history, for those who don’t know.

From 2009 to 2017 I worked for a company called MorphoTrak. Know where this is going?

But I’m not going to focus on my former employer.

Initial CPL search

Remember that unusual sentence that appears in IDloop’s description of its PIV certification?

“Device images a 3-dimensional object, but testing was primarily 2-dimensional”

I assert that if we can find ANY contactless product in the Certified Products List that uses that same language and was certified before 10/30/2024, then IDloop’s claim of being first is…somewhat inaccurate.

So I checked.


Two products received PIV certification before October 2024, MorphoWave XP (July 2020) and MorphoWave TP (May 2024). The first was originally certified over 4 years BEFORE the IDloop product.

“MorphoWave XP (formerly MorphoWave Compact) contactless, up to 4-finger, livescan device at 500 ppi (PIV-071006) (alternate enrollment processing 6/23; name change 2/22; contrast stretch 9/21; original 7/20) Note: Device images a 3-dimensional object, but testing was primarily 2-dimensional – Not for use with CJIS systems.”

Subsequent CPL search

And what if you search for the word “contactless” instead and just look at the 4-finger PIV certifications?

If you do so, you can find certifications from 2019 and earlier for products from Advanced Optical Systems (October 2015 May 2017), Safran Morpho (November 2015, under the original name “Finger On The Fly”), and Thales (May 2019). All years BEFORE the IDloop product.

IDloop, meet Advanced Optical Systems

While Advanced Optical Systems is no more, let’s look at the description for that original AOS product.

“ANDI OTG contactless, up to 4-finger, livescan capture system at 500ppi (PIV-071006). Note: Device images a 3-dimensional object, but testing was only 2-dimensional – Not for use with CJIS systems”

Oh, and there was a press release:

“Huntsville, AL, November 30, 2015 (Newswire.com) – Advanced Optical Systems, Inc made the historic announcement today that their revolutionary, zero-contact “On The Go” fingerprint technology, ANDI® OTG, is the first non-contact fingerprint system to be certified by the US Federal Bureau of Investigation (FBI). The FBI added the device to the agency’s Certified Product List (CPL) on November 27th, 2015.”

So IDloop may be certified, but it’s NOT the first contactless 4-finger scanner to receive certification.

It should have fact checked with the biometric product marketing expert.

Biometric product marketing expert, somewhere an ocean away from Hungary.

The “Repurposing a Blog Post On YouTube via NotebookLM” Experiment

This is definitely an experiment. When I started, I had no idea how it would turn out. In the end I’m fairly satisfied with how NotebookLM repurposed my blog post as a YouTube video, but there were definitely some lessons learned to apply in future repurposing.

Ahrefs’ best way to get your product listed on LLMs

As we all know, there has been a partial shift from search engine optimization to answer engine optimization. The short version is that content performs well when it answers a question that someone poses to a large language model (LLM) such as Google Gemini or ChatGPT.

So how do we optimize our content for LLMs?

Yes, I know I could have asked an LLM that question, but I still do some old school things and attended a webinar instead.

I live-blogged Wednesday’s webinar, hosted by the Content Marketing Institute and sponsored by Ahrefs. The speaker was Ahrefs’ Ryan Law, the company’s Director of Content Marketing. As is usual with such affairs, the webinar provided some helpful information…which is even more helpful if you use Ahrefs’ tools. (Funny how that always happens. The same thing happens with Bredemarket’s white papers.)

One of the many topics Law addressed was the TYPE of content that resonates most with LLM inquirers. Law’s slide 20 answered this question.

“LLMs LOVE YOUTUBE”

Law then threw some statistics at us.

“YouTube has fast-become the most cited domain in AI search:

  • #1 in AI Overviews
  • #1 in AI Mode
  • #2 in ChatGPT
  • #2 in Gemini
  • #2 in Copilot
  • #2 in Perplexity”

So even if it isn’t number 1 on some of the engines themselves, it’s obviously high, and very attractive to inquirers.

But what of people like me who prefer the portability of text? It’s easier to quote from text than it is to take a short snippet of a video.

YouTube covers that also, since it automatically creates a transcript of every word spoken in a YouTube video.

But…

Bredemarket’s problem

…most of the videos that Bredemarket has created have zero or few spoken words, which kinda sorta makes it tough to create a transcript.

For example, the “Landscape (Biometric Product Marketing Expert)” video that I frequently share on the Bredemarket blog for some odd reason is not only on WordPress, but also on YouTube. However, it has zero spoken words, so therefore no transcript.

This video (actually a short) DOES have a transcript.

“Yo, I’m the outlaw of this country sound, dropping rhymes that shake the ground.”

But I do have some YouTube videos with more extensive transcripts. And one of them suggests a possible solution to my desire to provide YouTube videos to LLMs.

Using Google’s NotebookLM to create videos from non-copyrighted material

A still from Bredemarket’s movie “Inside the EBTS.” Are you jealous, Stefan Gladbach?

Last November, I uploaded material to Google’s NotebookLM and asked the service to create a movie from it.

The material wasn’t authored by me, but by the U.S. Federal Bureau of Investigation. (Which meant that it wasn’t copyrighted.)

What was it?

Version 11.3 of the Electronic Biometric Transmission Specification (EBTS).

A few of you are already laughing.

For those who aren’t, the EBTS is a fairly detailed standard dictating how biometric and biographic data is exchanged between the FBI’s Next Generation Identification (NGI) system and other federal, state, and local automated biometric identification systems.

As a standard, it’s not as riveting as a Stephen King novel.

But NotebookLM made a movie out of it anyway.

Inside the FBI’s EBTS.

And once I uploaded the movie to YouTube, YouTube created a transcript.

First 21 seconds of the YouTube transcript of the video above.

So this potentially helps Bredemarket to be visible.

And if I want to follow Ryan Law’s advice and repurpose my content for YouTube, NotebookLM provides a method to do it.

Using Google’s NotebookLM to create videos from MY copyrighted material

Time for an experiment, the goal of which is to convert a Bredemarket blog post into a video with a minimum amount of effort.

NotebookLM can use either files or web links as source material for videos, so the easiest method to create my video is as follows:

  • Paste the web link to the blog post into NotebookLM.
  • Instruct NotebookLM to create a “Video Overview” from this single piece of content.

My blog post of choice is my post from earlier today, “Government Anti-Fraud Efforts: They’re Still Siloed.” The post contains a Gemini AI image of silos on the National Mall in Washington DC (inaccurately displaying the U.S. Capitol as NORTH of the Washington Monument). It also includes my text as well as links to outside sources such as the initial draft of H.R. 7270.

So let’s see what NotebookLM gives us.

The first thing that we get is Google’s summary of the content at the link.

NotebookLM’s summary of the web link I provided.

“1 source

The provided text examines the fragmented nature of U.S. anti-fraud efforts, arguing that current strategies lack a unified, government-wide approach. While the Stop Identity Fraud and Identity Theft Bill seeks to modernize identity verification through Treasury Department grants to states, the author contends that the proposal is too narrow. The legislative focus on mobile driver’s licenses and digital infrastructure fails to consolidate the many overlapping responsibilities held by the FBI, Secret Service, and FTC. This bureaucratic separation creates siloed operations where different agencies and state governments often work independently rather than as a cohesive front. Ultimately, the source suggests that despite new legislative attempts, the American response to identity theft remains decentralized and inefficient.”

But that’s just text. Time to create the video overview.

After I clicked the “Video Overview” button in the upper right.

A while later…

Even with relatively minimal content, video creation isn’t immediate. It has to shape the content into a narrative video, after all. Sadly I forgot to time the result, but I received this video, “A Tale of Two Threats,” within a half hour.

A Tale of Two Threats (WordPress version). Created by Google NotebookLM based upon “Government Anti-Fraud Efforts: They’re Still Siloed.”

As is par for the course with NotebookLM, the narration is self-generated in a viewer-friendly form (“let’s pop the hood”). And it used my source material as a basis to narrate the tale of the U.S. Government’s responses to the “two threats” of terrorism and fraud. As my original blog post noted, the two responses have been quite different.

The video then takes portions of the blog post, including the list of agencies that are NOT part of H.R. 7270, as well as my example of what could happen if the Secret Service’s mission is compromised because of what some other agency is doing.

But it DOESN’T take other portions of my blog post, such as the potential shuttering of the Consumer Financial Protection Bureau, my reference to “evil Commie Chinese facial recognition algorithms,” or my graphic of silos on the Mall. NotebookLM generated its own cartoon graphics instead.

This image didn’t make the video, even though Google created it.

The final step

The first place where I uploaded the video was WordPress, so I could include it in this blog post. I’ll probably upload it to other places, but the second target is YouTube.

A Tale of Two Threats (YouTube version). Created by Google NotebookLM based upon “Government Anti-Fraud Efforts: They’re Still Siloed.”

And yes, there is a transcript. Although it took a few minutes to generate. So now the bot’s text is out there for the LLMs to find.

First 24 seconds of the YouTube transcript of the video above.

Grading the experiment

I’ll give the experiment a B. It’s not really MY video, but it encapsulates some of my views.

NotebookLM users need to remember that when it creates audio and video content, it doesn’t simply parrot the source, but reshapes it. You may remember the NotebookLM 20-minute “Career Detective” podcast of my resume, in which a male and female bot talked about how great I am. My blog post was processed similarly.

If I want something that better promotes Bredemarket to LLM users, I need to shape the blog post to do the following:

  • Address some question that the LLM user asks.
  • Include text that promotes Bredemarket as the solution to the inquirer’s problems.

Anyway, I’ll keep these tips in mind when writing…and repurposing…future blog posts.

Government Anti-Fraud Efforts: They’re Still Siloed

When the United States was attacked on September 11, 2001—an attack that caused NATO to invoke Article 5, but I digress—Congress and the President decided that the proper response was to reorganize the government and place homeland security efforts under a single Cabinet secretary. While we may question the practical wisdom of that move, the intent was to ensure that the U.S. Government mounted a coordinated response to that specific threat.

Today Americans face the threat of fraud. Granted it isn’t as showy as burning buildings, but fraud clearly impacts many if not most of us. My financial identity has been compromised multiple times in the last several years, and yours probably has also.

But don’t expect Congress and the President to create a single Department of Anti-Fraud any time soon.

Stop Identity Fraud and Identity Theft Bill

As Biometric Update reported, Congresspeople Bill Foster (D-IL) and Pete Sessions (R-TX) recently introduced H.R. 7270, “To establish a government-wide approach to stopping identity fraud and theft in the financial services industry, and for other purposes.”

Because this is government-wide and necessarily complex, the bill will be referred to at least THREE House Committees:

“Referred to the Committee on Oversight and Government Reform, and in addition to the Committees on Financial Services, and Energy and Commerce, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.”

Why? As I type this the bill text is not available at congress.gov, but Foster’s press release links to a preliminary (un-numbered) copy of the bill. Here are some excerpts:

“(9) The National Institute of Standards and Technology (NIST) was directed in the CHIPS and Science Act of 2022 to launch new work to develop a framework of common definitions and voluntary guidance for digital identity management systems, including identity and attribute validation services provided by Federal, State, and local governments, and work is underway at NIST to create this guidance. However, State and local agencies lack resources to implement this new guidance, and if this does not change, it will take decades to harden deficiencies in identity infrastructure.”

Even in the preamble the bill mentions NIST, part of the U.S. Department of Commerce, and the individual states, after mentioning the U.S. Department of the Treasury (FinCEN) earlier in the bill.

But let’s get to the meat of the bill:

“SEC. 3. IDENTITY FRAUD PREVENTION INNOVATION GRANTS.
(a) IN GENERAL.—The Secretary of the Treasury shall, not later than 1 year after the date of the enactment of this section, establish a grant program to provide identity fraud prevention innovation grants to States.”

The specifics:

  • The states can use the grants to develop mobile driver’s licenses “and other identity credentials.”
  • They can also use the grants to protect individuals from deepfake attacks.
  • Another purpose is to develop “interoperable solutions.”
  • A fourth is to replace vulnerable legacy systems.
  • The final uses are to make sure the federal government gets its money, because that’s the important thing to Congress.

But there are some limitations in how the funds are spent.

  • They can’t be used to require mDLs or eliminate physical driver’s licenses.
  • They can’t be used to “support the issuance of drivers licenses or identity credentials to unauthorized immigrants.” (I could go off on a complete tangent here, but for now I’ll just say that this prevents a STATE from issuing such an identity credential.)

The bill is completely silent on REAL ID, therefore not mandating that everyone HAS to get a REAL ID.

And everything else

So although the bill claims to implement a government-wide solution, the only legislative changes to the federal government involve a single department, Treasury.

But Treasury (FinCEN plus IRS) and the tangentially-mentioned Commerce (NIST) aren’t the only Cabinet departments and independent agencies involved in anti-fraud efforts. Others include:

  • The Department of Justice, through the Federal Bureau of Investigation and the new Division for National Fraud Enforcement.
  • The Department of Homeland Security, through the Secret Service and every enforcement agency that checks identities at U.S. borders and other locations.
  • The Federal Trade Commission (FTC).
  • The Social Security Administration. Not that SSNs are a national ID…but they de facto are.
  • The U.S. Postal Inspection Service.
  • The Consumer Financial Protection Bureau.

These agencies are not ignored, but are funded under mandates separate from H.R. 7270. Or maybe not; there’s an effort to move Consumer Financial Protection Bureau work to the Department of Justice so that the CFPB can be shut down.

And that’s just one example of how anti-fraud efforts are siloed. Much of this is unavoidable in our governmental system (regardless of political parties), in which states and federal government agencies constantly war against each other.

  • What happens, for example, if the Secret Service decides that the states (funded by Treasury) or the FBI (part of Justice) are impeding its anti-fraud efforts?
  • Or if someone complains about NIST listing evil Commie Chinese facial recognition algorithms that COULD fight fraud?

Despite what Biometric Update and the Congresspeople say, we do NOT have a government-wide anti-fraud solution.

(And yes, I know that the Capitol is not north of the Washington Monument…yet.)


When Bureaucrats Cooperate…and When They Don’t

If you’ve read a few hundred job descriptions, one phrase that you’ll often see is “cross-functional collaboration.” The theory is that the employee (for example, a senior product marketing manager) will seamlessly work with marketing, product, R&D, customer success, sales, finance, legal, and everyone else, all working together for the good of the company.

But the world usually doesn’t work like that. YOUR department is great. The other departments are the bozos.


There’s actually a benefit to this when you look at government agencies. If you believe that “the government that governs least” is preferable to Big Brother, then the fact that multiple agencies DON’T gang up against you is a good thing. You don’t want to be chased by the FBI and the CIA and the BBC and B.B. King and Doris Day. And Matt Busby.

But there are times when government agencies work together, usually when facing a common threat. Sometimes this is good…and sometimes it isn’t. Let’s look at two examples and see where they fall in the spectrum.

The Central Intelligence Agency and the Federal Bureau of Investigation in 1972

Normally bureaucrats are loyal to their agency, to the detriment of other agencies. This is especially true when the agencies are de facto competitors.

In theory, and certainly in the 1970s, the Central Intelligence Agency (CIA) and the Federal Bureau of Investigation (FBI) have completely separate spheres of operation. But on the highest level they perform the same function: catch bad people. And each agency certainly wants to take the credit when a bad person is caught. Conversely, if one of the agencies has a bad person, the other one usually works to expose it.

Usually.

A few of you are old enough to remember a third-rate burglary in Washington, DC in 1972. The burglary took place at a political party office in some hotel or another. We now know with the benefit of hindsight that the FBI-CIA rivalry worked. Bob Woodward learned a few days after the break-in that two of the alleged burglars were connected to E. Howard Hunt, a former CIA operative. Who told Woodward?

“Woodward, we now know, had been tipped off by Mark Felt, the deputy director of the FBI. The Bureau had itself become involved in the investigation of a mere burglary because once the police found wiretapping equipment, the investigation fell under its remit.”


This is how it should work. Although the mere fact that Hunt knew Bernard Barker and Eugenio Martinez was not a crime, the FBI was certainly bound to investigate the matter.

Until it wasn’t.

“Richard Nixon and senior White House personnel including Chief-of-Staff Bob Haldeman and domestic policy tsar John Ehrlichman devised a strategy to block the investigation. This began to unfold as early as June 23, a mere three days after the break-in. That day, Haldeman proposed to Nixon to “have [Vernon] Walters [deputy director of the CIA] call Pat Gray [director of the FBI] and just say ‘stay the h*ll out of this’ on grounds of ‘national interest.’”

This recorded conversation would become very important two years later, but back in 1972 very few people knew about it. And very few people knew that Gray “destroyed secret documents removed from Howard Hunt’s safe.”

Think about it. If Richard Nixon hadn’t recorded his own conversations, we may have never learned that the CIA partially neutralized an FBI investigation.

But other instances of cross-functional collaboration come to light in other ways.

Immigration and Customs Enforcement and the Transportation Security Administration before 2026

The FBI-CIA episode of 1972 was an aberration. Normally agencies don’t cooperate, even when massive amounts of effort are performed to make them work together.

One prime example was the creation of the Department of Homeland Security (DHS) in 2002-2003. Because it was believed that 9/11 happened because relevant agencies were scattered all over the government, Congress and the President performed a massive reorganization. This affected the Departments of Agriculture, Energy, Health and Human Services, Justice, Transportation, and Treasury.

For our discussion:

  • The Department of Justice lost the Immigration and Naturalization Service (INS), which was broken up into three separate agencies within DHS. One of these is Immigration and Customs Enforcement, or ICE. Perhaps you’ve heard of it.
  • The relatively new Transportation Security Administration (TSA) was moved from the Department of Transportation to DHS.

The theory, of course, is that once all these agencies were under the DHS umbrella, they would magically work together to stop the evil terrorists. However, each of the component agencies had vastly different missions. Here is the mission of the TSA:

“Protect the nation’s transportation systems to ensure freedom of movement for people and commerce.”

Well, “freedom of movement” is not the primary part of ICE’s mission:

“Protect America through criminal investigations and enforcing immigration laws to preserve national security and public safety.”

While these missions are not mutually exclusive, the difference in emphasis is apparent. And the agencies competed.

Some of you may remember air marshals. After 9/11, some airline flight passengers were actually air marshals, but the passengers (and any terrorists) didn’t know which flights had air marshals or who they were.


The Federal Air Marshal Service (FAMS) was part of the Transportation Security Administration.

Until it wasn’t.

“Homeland Security Secretary Tom Ridge announced [in September 2003] that the federal air marshals program will move from the Transportation Security Administration to the Bureau of Immigration and Customs Enforcement (ICE).”

The idea was to concentrate all enforcement operations in one agency, to protect FAMS from uncertain TSA funding, and to allow ICE agents to be cross-trained as air marshals. But this didn’t happen, so two years later FAMS moved from ICE back to TSA.

And both agencies went on their merry little ways.

Immigration and Customs Enforcement and the Transportation Security Administration in 2026

Let’s look at a recent Biometric Update article.

“When Transportation Security Administration (TSA) Acting Director Ha Nguyen McNeill was pressed [by the House Committee on Homeland Security] on reports that ICE is using domestic flight passenger information to support deportation operations, she did not deny cooperation. Instead, she defended it as legitimate intra-departmental coordination and framed it as part of DHS’s overall mission set.

“In response to lawmakers’ questions, McNeill said TSA assistance to ICE is ‘absolutely within our authorities’ when it involves sharing passenger information for immigration enforcement operations.”

McNeill effectively said that TSA doesn’t dump its data on ICE, but responds to individual ICE inquiries.


Civil libertarians argue that this is mission creep, not the original intent.

“Airport travel…becomes a choke point for detentions – no longer just transportation, but a compliance checkpoint for civil enforcement, re-engineering mobility into an enforcement tool.”

And one more thing…

But I took special interest in McNeill’s contradictory statements that TSA is enforcing REAL ID while simultaneously allowing ConfirmID for those who don’t have a REAL ID.

In the future, it will be interesting to see how inter-agency barriers break down…and why.

CIBS: Keeping Secrets From NGI

An interesting item popped up in SAM.gov. According to a Request for Information (RFI) due February 20, the FBI may have interest in a system for secret biometric searches.

“The FBI intends to identify available software solutions to store and search subjects at the classified level.  This solution is not intended to replace the Next Generation Identification System Functionality, which was developed and implemented in collaboration with the FBI’s federal, state, local, tribal, and territorial partners. The solution shall reside at the Secret and/or Top-Secret/SCI level with the ability to support data feeds from external systems.  The solution must allow the ability to enroll and search face, fingerprint, palmprint, iris, and latent fingerprints, and associated biographic information with a given set of biometrics.”

Now remember that the Next Generation Identification (NGI) system is protected from public access by requiring all users to adhere to the CJIS Security Requirements. But the CJIS Security Requirements aren’t Secret or Top Secret. These biometric searches, whatever they are, must REALLY be kept from prying eyes.

The RFI itself is 8 pages long, and is mysteriously numbered as RFI 01302025. I would have expected an RFI number 01152026. I believe this was an editing error, since FBI RFI 01302025 was issued in 2025 for a completely different purpose.

Whatever the real number is, the RFI is labeled “Classified Identity-Based Biometric System.” No acronym was specified, so I’m self-acronyming it as CIBS. Perhaps the system has a real acronym…but it’s secret.

If your company can support such a system from a business, technical, and security perspective, the due date is February 20 and questions are due by February 2. See SAM.gov for details.

EBTS the Movie, “Inside the FBI’s EBTS”: Using Google’s NotebookLM to Create Videos From Non-Copyrighted Material

Do you want to skip the book and watch the movie version? Thanks to Google’s NotebookLM, you can.

I used the Federal Bureau of Investigation’s Electronic Biometric Transmission Specification (EBTS) for this exercise.

What should you NOT upload to NotebookLM?

But there are two things I need to say about the EBTS:

  • First, the EBTS is a public document and not a top secret document. You can download the EBTS yourself from the https://fbibiospecs.fbi.gov/ebts-1/approved-ebts-1 URL. For my test I used version 11.3 of the EBTS from earlier this year.
  • Second, the EBTS is a public domain document and is not copyrighted. This is something I need to emphasize. If you’re going to take a magazine article and make a movie out of it, the copyright holder may have something to say about that.

Both points are important. If you want to upload your employer’s confidential report into NotebookLM for analysis…well, you probably shouldn’t. But the public, non-copyrighted EBTS is safe for this exercise.

Uploading the EBTS to NotebookLM

So I uploaded the EBTS into NotebookLM, and as expected, I received a short text summary of the document.

“This document outlines the technical specifications for the electronic exchange of biometric and biographic information between various law enforcement agencies and the FBI’s Criminal Justice Information Services (CJIS) Next Generation Identification (NGI) System. It details the Transaction Offense Types (TOTs), which are the standardized requests and responses used for services such as identification, verification, investigation, and data management. Furthermore, the text specifies the precise data fields, formats, and codes required for the submission and retrieval of diverse biometric data, including fingerprints, palm prints, facial images, and iris scans, while also setting forth image quality specifications for scanner and printer certification.”

Now I could continue to query NotebookLM about the document, but I chose to request a video overview instead. This feature was introduced a few months ago, but I missed it.

“Video Overviews transform the sources in your notebook into a video of AI-narrated slides, pulling images, diagrams, quotes, and numbers from your documents. They distill complex information into clear, digestible content, providing a comprehensive and engaging visual deep dive of your material.” 

So I launched the video overview creation feature, and waited. As I waited, I mused upon the time it would take me to create this video manually, and I also mused on the usual LLM warning that the result may contain inaccuracies.

I didn’t have to wait that long, maybe 15 minutes, and Google delivered this 7-minute video.

Inside the FBI’s EBTS. Created by Google NotebookLM based upon EBTS Version 11.3.

Not too bad…especially considering that the video was created based upon a single source. Imagine if I had provided multiple sources, such as an old version of the Electronic Fingerprint Transmission Specification (EFTS); then the video may have covered the evolution of the standard.

Oh, and I also created a 12-minute audio version, which NotebookLM structures as a two-host podcast. This is similar to the podcast I generated in late 2024 about…me.

Unpacking the EBTS standard. Created by Google NotebookLM based upon EBTS Version 11.3.

In an environment where many people like to watch or listen rather than read, this helps provide a quick overview. But you still have to dive into the document and read it to truly understand it.

Worries About the Certified Communist Products List

(Imagen 4)

(Part of the biometric product marketing expert series)

How many of you have heard of the Certified Products List (CPL)?

The CPL’s vendor coverage

This list, part of the FBI’s Biometric Specifications website (FBI Biospecs), contains fingerprint card printers, fingerprint card scan systems, identification flats systems, live scan systems, mobile ID devices, and other products. Presence on the CPL indicates that the product complies with a relevant image quality specification such as Appendix F of the Electronic Biometric Transmission Specification.

The Certified Products List has existed since the 1990s and includes a number of products with which I am familiar. These products come from companies past and present, including 3M Cogent, Aware, Biometrics4All, Cross Match, DataWorks Plus, IDEMIA Identity & Security France, Identicator, Mentalix, Morpho, Motorola, NEC Technologies, Printrak, Sagem Defense Securite, Thales, and many others.

As of June 26, 2025, it also references companies such as Shenzhen Interface Cognition Technology Co., Ltd. and Shenzhen Zhi Ang Science and Technology Co., Ltd.

A strongly worded letter

Those and other listings caused heartburn for the bipartisan Members of the U.S. House of Representatives Select Committee on the Chinese Communist Party.

So they sent a strongly worded letter.

“We write to respectfully urge the FBI to put an end to its ongoing certification of products from Chinese military-linked and surveillance companies—including companies blacklisted or red-flagged by the U.S. government—that could be used to spy on Americans, strengthen the repressive surveillance state of the People’s Republic of China (PRC), and otherwise threaten U.S. national security.”

Interestingly enough, they make a big deal of Hikvision products on the list, but I searched the CPL multiple times and found no Hikvision products.

The CPL’s purpose

And it’s important to note the FBI’s own caveat about the CPL:

The Certified Product List (CPL) provides users with a list of products that have been tested and are in compliance with Next Generation Identification image quality specifications (IQS) regarding the capture of friction ridge images. Specifications and standards other than image quality may still need to be met. Appearance on the CPL is not, and should not be construed as, an FBI endorsement, nor should it be relied upon for any requirement beyond IQS. Users should contact their State CJIS Systems Officer (CSO) or Information Security Officer (ISO) to ensure compliance with the necessary policies and/or guidelines.

In other words, the ONLY purpose of the CPL is to indicate whether the products in question meet technology standards. It has nothing to do with export controls or any other criteria that any law enforcement agency needs to follow when buying a product.

What about the U.S. Department of Commerce?

But the FBI isn’t the only agency “promoting” Chinese biometrics.

Wait until the Select Committee discovers the Department of Commerce’s NIST FRTE lists, including the FRTE 1:1 and FRTE 1:N lists. The tops of these lists (previously known as FRVT) include many Chinese companies.

And actually, the FRTE testing includes facial recognition products that inspired U.S. export bans. Fingerprint devices are harder to use to repress people.

What next?

What happens if the concern extends beyond China, to products produced in France and products produced in Canada?

Regarding the strongly worded letter, Biometric Update added one detail:

“As of this writing, the FBI has not issued a public response. Whether the bureau will move to decertify the flagged companies or push back on the committee’s recommendations remains to be seen. But with multiple national security statutes already in place, and Congress signaling a willingness to legislate further, the days of quiet certification for foreign adversary-linked tech firms may be numbered.”

Well, the Writer Was 60% Correct (Face-Iris Pixels Per Inch)

(Part of the biometric product marketing expert series)

I recently read a web page (I won’t name the site) that included the following text:

…fingerprints, palm prints, latents, faces, and irises at 500 or 1000 ppi.

Which is partially correct.

Yes, fingerprints, palm prints, and latent prints are measured in pixels per inch (ppi), with older systems capturing 500 ppi images, some newer systems capturing 1,000 ppi images, and other systems capturing 2,000 ppi or larger images. 2,000 ppi resolution is used in some images in NIST Special Database 300 because why not?

I don’t know of any latent fingerprint examiner who is capturing 4,000 ppi friction ridge prints, but I bet that someone out there is doing it.

But faces and irises are not measured in pixels per inch.

Why not?

Because, at least until recently, friction ridge impressions were captured differently than faces and irises.

  • Since the 19th century, we’ve naturally assumed that friction ridges are captured via a contact method, whether by inking the fingers and palms and pressing against a paper card, pressing the fingers and palms against a livescan platen, or pressing a finger on a designated spot on a smartphone.
  • You don’t press your face or iris against a camera. Yes, you often have to place your iris very close to a camera, but it’s still a contactless method.

This is not a recommended method of facial image acquisition. From https://www.youtube.com/watch?v=4XhWFHKWCSE.

Obviously things have changed in the friction ridge world over the last decade, as more companies support contactless methods of fingerprint capture, either through dedicated devices or standard smartphone cameras.

And that has caused issues for organizations such as the U.S. Federal Bureau of Investigation, which has very deep concerns about how contactless fingerprints will function in its current contact-based systems.

For example, how will Electronic Biometric Transmission Specification Appendix F (version 11.2 here) compliance work in the world where the friction ridges are NOT pressed against a surface?

When Rapid DNA Isn’t

(Part of the biometric product marketing expert series)

Have you heard of rapid DNA?

Perhaps not as fast as Brazilian race car driver Antonella Bassani, but fast enough.

This post discusses the pros and cons of rapid DNA, specifically in the MV Conception post mortem investigation.

DNA…and fingerprints

I’ve worked with rapid DNA since I was in Proposals at MorphoTrak, when our corporate parent Safran had an agreement with IntegenX (now part of Thermo Fisher Scientific). Rapid DNA, when suitable for use, can process a DNA sample in 90 minutes or less, providing a quick way to process DNA in both criminal and non-criminal cases.

By Zephyris – Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=15027555

But as I explain below, sometimes rapid DNA isn’t so rapid. In those cases, investigators have to turn to boring biometric technologies such as fingerprints instead. Fingerprints are a much older identification modality, but they still work.

DNA, fingerprints…and dental records

Bredemarket recently purchased access to a Journal of Forensic Sciences article entitled “Advances in postmortem fingerprinting: Applications in disaster victim identification” (https://doi.org/10.1111/1556-4029.15513) by Bryan T. Johnson MSFS of the Federal Bureau of Investigation Laboratory in Quantico. The abstract (which is NOT behind the paywall) states the following, in part:

In disaster victim identification (DVI), fingerprints, DNA, and dental examinations are the three primary methods of identification….As DNA technology continues to evolve, RAPID DNA may now identify a profile within 90 min if the remains are not degraded or comingled. When there are true unknowns, however, there is usually no DNA, dental, or medical records to retrieve for a comparison without a tentative identity.

In the body of the paper itself (which IS behind the paywall), Johnson cites one example in which use of rapid DNA would have DELAYED the process.

DVI depends upon comparison of a DNA sample from a victim with a previous DNA sample taken from the victim. If this is not available, then the victim’s DNA is compared against the DNA of a family member.

Identifying foreign nationals aboard the MV Conception

MV Conception shortly before it sank. By National Transportation Safety Board – Screen Shot 2020-10-16 at 3.00.40 PM, Public Domain, https://commons.wikimedia.org/w/index.php?curid=95326656

When the MV Conception boat caught fire and sank in September 2019, 34 people lost their lives and had to be positively identified.

While most of the MV Conception victims were California residents, some victims were from Singapore and India. It would take weeks to collect and transport the DNA samples from the victims’ family members back to the United States for comparison against the DNA samples from the victims. Weeks of uncertainty during which family members had no confirmation that their relatives were among the deceased.

However, because the foreign victims were visitors to the United States, they had fingerprints on file with the Department of Homeland Security. Interagency agreements allowed the investigating agencies to access the DHS fingerprints and compare them against the fingerprints of the foreign victims, providing tentative identifications within three days. (Fingerprint identification is a 100+ year old method, but it works!) These tentative identifications were subsequently confirmed when the familial DNA samples arrived.

What does this mean?

The message here is NOT that “fingerprints rule, DNA drools.” In some cases the investigators could not retrieve fingerprints from the bodies and HAD to use rapid DNA.

The message here is that when identifying people, you should use ANY biometric (or non-biometric) modality that is available: fingerprints, DNA, dental records, driver’s licenses, a Radio Shack Battery Club card, or anything else that provides an investigative lead or a positive identification.

And ideally, you should use more than one factor of authentication.

And now a word from our sponsor

By the way, if you have a biometric story to tell, Bredemarket can help…um…drive results. Perhaps not as fast as Bassani, but fast enough.

A Few Thoughts on FedRAMP

The 438 U.S. federal agencies (as of today) probably have over 439 different security requirements. When you add state and local agencies to the list, security compliance becomes a mind-numbing exercise.

  • For example, the U.S. Federal Bureau of Investigation has its Criminal Justice Information Systems Security Policy (version 5.9 is here). This applies not only to the FBI, but also to any government agency or private organization that interfaces to the relevant FBI systems.
  • Similarly, the U.S. Department of Health and Human Services has its Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Again, this also applies to private organizations.

But I don’t care about those. (Actually I do, but for the next few minutes I don’t.) Instead, let’s talk FedRAMP.

Why do we have FedRAMP?

The two standards that I mentioned above apply to particular government agencies. Sometimes, however, the federal government attempts to create a standard that applies to ALL federal agencies (and other relevant bodies). You can say that Login.gov is an example of this, although a certain company (I won’t name the company, but it likes to ID me) repeatedly emphasizes that Login.gov is not IAL2 compliant.

But forget about that. Let’s concentrate on FedRAMP.

Why do we have FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP®) was established in 2011 to provide a cost-effective, risk-based approach for the adoption and use of cloud services by the federal government. FedRAMP empowers agencies to use modern cloud technologies, with an emphasis on security and protection of federal information. In December 2022, the FedRAMP Authorization Act was signed as part of the FY23 National Defense Authorization Act (NDAA). The Act codifies the FedRAMP program as the authoritative standardized approach to security assessment and authorization for cloud computing products and services that process unclassified federal information.

From https://www.fedramp.gov/program-basics/.

Note the critical word “unclassified.” So FedRAMP doesn’t cover EVERYTHING. But it does cover enough to allow federal agencies to move away from huge on-premise server rooms and enjoy the same SaaS advantages that private entities enjoy.

Today, government agencies can consult a FedRAMP Marketplace that lists FedRAMP offerings the agencies can use for their cloud implementations.

A FedRAMP authorized product example

When I helped MorphoTrak propose its first cloud-based automated biometric identification solutions, our first customers were state and local agencies. To propose those first solutions, MorphoTrak partnered with Microsoft and used its Azure Government cloud. While those first implementations were not federal and did not require FedRAMP authorization, MorphoTrak’s successor IDEMIA clearly has an interest in providing federal non-classified cloud solutions.

When IDEMIA proposes federal solutions that require cloud storage, it can choose to use Microsoft Azure Government, which is now FedRAMP authorized.

It turns out that a number of other FedRAMP-authorized products are partially dependent upon Microsoft Azure Government’s FedRAMP authorization, so continued maintenance of this authorization is essential to Microsoft, a number of other vendors, and all the agencies that require secure cloud solutions.

They can only hope that the GSA Inspector General doesn’t find fault with THEM.

Is FedRAMP compliance worth it?

But assuming that doesn’t happen, is it worthwhile for vendors to pursue FedRAMP compliance?

If you are a company with a cloud service, there are likely quite a few questions you are asking yourself about your pursuits in the Federal market. When will the upward trajectory of cloud adoption begin? What agency will be the next to migrate to the cloud? What technologies will be migrated? As you move forward with your business development strategy you will also question whether FedRAMP compliance is something you should pursue?

The answer to the last question is simple: Yes. If you want the Federal Government to purchase your cloud service offering you will, sooner or later, have to successfully navigate the FedRAMP process.

From https://www.mindpointgroup.com/blog/fedramp-compliance-is-it-worth-it.

And a lot of companies are doing just that. But with fewer than 400 FedRAMP authorized services, there’s obviously room for growth.