Two POSSIBLE complications to a future Advent International sale of IDEMIA

(UPDATE: I have indicated portions of this post that include speculation from myself and others.)

When I wrote “About THAT Reuters article” (specifically, the February 4 article speculating about a possible sale of IDEMIA by Advent International to Thales Group), I noted that I have no expertise in predicting corporate acquisitions.

However, I’ve experienced three of them, including Motorola’s acquisition of Printrak in 2000, Safran’s acquisition of Motorola’s Biometric Business Unit in 2008-2009, and Advent International’s acquisition of Safran’s Morpho unit in 2016-2017 (and Advent’s merger of Oberthur and Morpho to form OT-Morpho, later IDEMIA).

None of these was a simple matter of the acquiring company and the acquired company approving the acquisition. It was more complicated than that.


Motorola acquires Printrak

Even the most straightforward of the acquisitions that I experienced, the U.S. company Motorola’s acquisition of the U.S. company Printrak, required a number of government approvals.

Under the Hart-Scott-Rodino Antitrust Improvements Act of 1976, and the rules promulgated under the Hart-Scott-Rodino Act, Printrak, Acquisition Sub and Motorola cannot complete the Merger until they notify and furnish information regarding the acquisition of Printrak by Acquisition Sub to the Federal Trade Commission and the Antitrust Division of the U.S. Department of Justice and satisfy specified waiting period requirements. Printrak and Motorola (as the sole stockholder of Acquisition Sub) filed notification and report forms under the Hart-Scott-Rodino Act with the FTC and the Antitrust Division on September 26, 2000 and received early termination of the waiting period from the Federal Trade Commission effective October 11, 2000.


And not just from the U.S. government.

In addition, Printrak and Motorola are required to furnish certain information and materials to the antitrust authorities of Argentina, Brazil, the Federal Republic of Germany, and Romania. Filings were made in Argentina on September 22, 2000, in Brazil on September 19, 2000 and in the Federal Republic of Germany on September 27, 2000. German antitrust authorities have one month after the parties file their application to review the transaction. During that one month period, they can either approve the transaction or initiate an examination of the transaction which could take an additional three months, during which time the parties cannot close the transaction. During this three month period, the antitrust authorities will either approve the transaction or prohibit it. Approval may be granted before the initial one month review or before the additional three month review period. If approved, the antitrust authorities can not later challenge the transaction under their merger law but could challenge the transaction under other provisions of their antitrust laws. Printrak and Motorola intend to make a post-closing filing in Romania as soon as practicable after the closing.


Why did the Motorola acquisition of Printrak require all of those approvals? Because Printrak did business in these countries (and many others), and the governments of those particular countries wanted to exert control over who does business in their country. For example, Printrak was the automated fingerprint identification system (AFIS) supplier in Romania, and the government of Romania had a need to know what would happen if Motorola were to become the supplier of its AFIS. Would all of the fingerprints be replaced by batwings? Would the new owner require the Romanian employees to apply Six Sigma in their everyday lives? Would Romania have to use Iridium to communicate AFIS data?

Before Omnitrak, RAZR, and PEBL, there was Iridium. From

Well, everyone in the U.S. and the other countries granted approval, and the Motorola acquisition of Printrak was eventually completed, although it took roughly three months to get all the approvals. I remember that we were at a trade show (IACP, I think) with Printrak signage, and received mid-show approval to string up Motorola banners after receiving final approval.

And that was the relatively EASY acquisition of the three that I experienced. The next one was harder.

Safran acquires part of Motorola

It became more complicated when Motorola, a U.S. supplier of export-controlled fingerprint identification software and hardware, sought to sell a portion of itself to Safran, a French company.

By the time that Safran announced its intent to acquire Motorola’s Biometric Business Unit, a new government entity entered the picture – the Committee for Foreign Investment in the United States (CFIUS).

CFIUS is an interagency committee authorized to review certain transactions involving foreign investment in the United States and certain real estate transactions by foreign persons, in order to determine the effect of such transactions on the national security of the United States.


Why did CFIUS get involved?

Because Motorola not only sold fingerprint identification technology, an export controlled technology, but also managed law enforcement data for a number of states and (on a limited basis) for the U.S. Federal Bureau of Investigation and other federal government agencies.

Never mind the fact that France has been a long-standing ally of the United States. Heck, Israel is an ally of the U.S., and we didn’t like it when Israel spied on us.

CFIUS had to make sure that foreign control of Motorola’s biometric assets wouldn’t cause issues. Would French intelligence personnel steal all of the personal identifiable information (PII) from the AFIS databases in Minnesota, North Carolina, and other states?

Safran acquires other things

Eventually CFIUS decided that there was no critical threat and allowed the Safran acquisition of Motorola’s Biometric Business Unit to go through.

After all, it wasn’t like Motorola managed the main FBI criminal database, or state driver’s license databases, or anything like that.

  • You see, the main FBI criminal database, then known as IAFIS, was already managed by Safran.
  • And the state driver’s license databases were managed by neither Safran nor Motorola. A separate company, L-1 Identity Solutions, managed the majority of those databases.

So Safran’s acquisition of Motorola’s biometric assets was approved by all necessary government entities, and everyone was happy.

But Safran wasn’t done with its acquisitions, and a few years later acquired L-1 Identity Systems also. So now U.S. driver’s license production would be under French control.

This time around, CFIUS insisted on mitigating the effects of “Foreign Ownership, Control or Influence” (FOCI). Specifically, L-1 Identity Solutions (renamed “MorphoTrust”) was placed under a proxy structure, in which MorphoTrust’s Board of Directors was entirely composed of U.S. citizens. In addition, a number of MorphoTrust employees who were not U.S. citizens were shifted away from MorphoTrust to other Safran companies (most notably MorphoTrak, the company that contained the former Motorola Biometric Business Unit and other stuff).

By the way, I wrote about this before, but it’s in a Bredemarket Premium article so most of you can’t read it. Consider this information a freebie.

Even though they were owned by the same company, and used some of the same hardware components, MorphoTrust and MorphoTrak were managed separately. MorphoTrust had to log its contacts with foreigners, including U.S. employees of the foreign-owned MorphoTrak. Any transactions between MorphoTrust and MorphoTrak had to be carefully monitored to ensure that “foreign” components didn’t sneak their way into MorphoTrust products. And (most notably) because we couldn’t really talk to each other, MorphoTrust and MorphoTrak actually competed against each other on several occasions, including instances in which both subsidiaries proposed fingerprint livescan stations to the same customers.

But we were one big happy fractured family, and CFIUS was satisfied.

Well, until the next acquisition took place.

Advent International (and Oberthur) acquires part of Safran

Remember how I said that I couldn’t really predict acquisitions? After Safran acquired Motorola’s Biometric Business Unit, I thought I was home free. Printrak was the odd man out in Motorola, since our part of Motorola (later becoming Motorola Solutions) specialized in the sale of lots and lots of police radios, while we in Printrak specialized in the sale of a few AFIS systems. Once we joined Safran, we became part of a huge division (Sagem Sécurité, later known as Morpho) that ONLY performed identity functions.

Little did I know that Safran, whose main business was in aerospace, would decide to jettison the entire Morpho division.

So now an American investment firm would buy a French company.

You can bet that this required a round of approvals on both sides of the Atlantic.

France and the European Union certainly had an interest. As I noted in a recent post about Alaska’s HB389 bill, Advent International was not the sole owner; Advent had to bring the French government-owned entity Bpifrance on as a minority owner. And the European Union had to grant antitrust approval.

But on the U.S. side, CFIUS got involved again because MorphoTrust was part of the acquisition. Never mind the fact that MorphoTrust was now majority American-owned; MorphoTrust’s corporate parent was headquartered in France, and Bpifrance owned part of MorphoTrust.

So what happened?

MorphoTrust was removed from FOCI control, sort of, and merged with MorphoTrak and some parts of Oberthur to form IDEMIA Identity & Security USA LLC.

IDEMIA created a new FOCI-mitigated entity, IDEMIA National Security Solutions.

And my job became really complicated, because I, a former MorphoTrak employee, reported to someone who was a former MorphoTrust employee. And even though the U.S. part of IDEMIA (excluding IDEMIA NSS) was no longer FOCI-mitigated, some leftovers from the old MorphoTrust days were still around.

By Loudon dodd – Own work, CC BY-SA 3.0,

Initially there were still two separate computer networks, and I had to have access to both of them, which meant that I had to obtain a second computer from the Billerica, Massachusetts office to access the old MorphoTrust network. (Before obtaining that second computer, I had to undergo a security screening.)

Eventually the two separate networks went away…after I left IDEMIA. Actually, I’m not entirely certain that they COMPLETELY went away, but at least the email addresses were all standardized throughout the United States after I left. (Yes, I had two email addresses also.)

Two new complications when some future entity acquires IDEMIA

So what happens in the future? Reuters has speculated what may happen, and I am speculating also.

As I noted previously, Advent International acquires businesses, revamps them, and sells them (hopefully) at a profit.

So even if the Reuters article turns out to be factually incorrect, Advent is going to sell IDEMIA someday.

Based upon past acquisitions, I believe it is pretty likely that the French government is going to have some say in the sale. Reuters speculated that nothing will happen until after next month’s Presidential election in France. (See my LinkedIn post in Bredemarket Identity Firm Services about the French election.) The French President, whoever he or she may be when Advent finally tries to sell IDEMIA in 2022, 2023, or 2033, is going to exert control over who the final buyer will be. Perhaps the President may insist that IDEMIA be sold to a French company, or at least a European Union company.

And based upon past acquisitions, I believe it is pretty likely that the U.S. government is going to have some say in the sale. The U.S. President, whoever he or she may be when Advent tries to sell IDEMIA (again, whenever that may occur), is going to exert control over who the final buyer will be, because of the significant business that IDEMIA NSS and the rest of IDEMIA does with U.S. federal, state, and local government entities. Oh, and there’s also the matter of fingerprint identification export control.

But those are not the two complications that I’m talking about. There are two NEW complications.

Possible Complication Number One: IDEMIA has locations all over the world, including a location in Moscow.

As I write this post, a number of Western businesses are ceasing their business operations in Russia because of the war in Ukraine. This has caused issues with the Russian government.

As of Monday (March 14), at least 375 companies had announced some sort of pullback from Russia, according to a list maintained by the School of Management at Yale University. The list includes companies that have cut ties with Russia completely, as well as those that have suspended operations there while attempting to preserve the option to return.

According to multiple media reports, dozens of Western companies have been contacted by prosecutors in Russia with warnings that their assets, including production facilities, offices, and intellectual property, such as trademarks, may be seized by the government if they withdraw from the country.


Unless IDEMIA is acquired by a Russian company (which is extremely unlikely, given French and U.S. interests), anyone who acquires IDEMIA (or any company with Russian offices) has to consider how Russia will react. Will the Russian portion of the business be a total loss? Will Russian entities acquire IDEMIA intellectual property? (This would be ironic, considering some past allegations that have been made but not IMHO proven.)

But Russia isn’t the only potential complication of a sale of IDEMIA.

Possible Complication Number Two: IDEMIA also has locations in Beijing, Hong Kong, and Shenzen. And it’s possible that the Chinese government is going to have some interest in who IDEMIA’s future owner will be.

It is possible that China’s State Administration for Market Regulation (SAMR) might review any acquisition.

In early September of 2021, China’s competition authority, the State Administration for Market Regulation (“SAMR”) issued a report (“SAMR 2020 Report”) summarizing its Anti-Monopoly Law enforcement activities during the period covering the 13th Five-Year Plan (2016-2020).


Yes, Five-Year Plan. While China has private companies, the Communist Party still oversees things.

From 2016 to 2020, SAMR concluded 2,147 merger reviews and completed 179 antitrust investigations, imposing fines totaling RMB 2.79 billion (or USD 413 million).


While relations between the West and China are certainly better than current relations between the West and Russia, there is always an underlying tension in those relations. For example, if a Taiwanese company were to acquire IDEMIA, this could be considered a declaration of war.

And in the specific case of IDEMIA, the biometric algorithms from IDEMIA directly compete with biometric algorithms from China. The February 2022 printed version of the NIST FRVT 1:1 report indicates that dozens of tested facial recognition algorithms are of Chinese origin, including algorithms from Cloudwalk, Dahua, Fujitsu, Hikvision, Megvii, Sensetime, Tencent, Xforward, and a host of other companies and universities.

What if (again, I’m speculating) China decides to oppose an acquisition of IDEMIA unless it receives assurances that IDEMIA will not threaten the domestic Chinese biometric providers?


So whoever buys IDEMIA from Advent may have to pay attention to government regulators in the U.S., France, the European Union, and possibly Argentina, Brazil, China, Germany, Romania, and Russia.

International business is complicated.

Alaska HB389 does NOT repeal REAL ID. But it has a “foreign ownership” clause.

The title of Alaska HB389, introduced last month, sounds grandiose:

“An Act repealing the implementation of the federal REAL ID Act of 2005; relating to identification cards; relating to drivers’ licenses; and providing for an effective date.”

Does HB389 prevent Alaska from issuing REAL IDs?

When you read the title of the bill, alarms go off in your head.

If the title is true, it’s a true setback. After many years, the entire country (perhaps minus a territory or two) has finally gotten on board with REAL ID in advance of the due date, and now one of the states is pulling out.

Except that when you read the detail of the bill (at least as originally written; it could change in committee), it doesn’t repeal Alaska’s compliance of REAL ID.

As Chris Burt notes in a Biometric Updatre post, it only provides an option for the Alaska Division of Motor Vehicles to issue an identification card that is non-REAL ID compliant. This is not different from any other state (for example, California) that issues non-REAL ID cards that are “not for federal purposes” or “not for federal identification” or “federal limits apply.”

So Alaskans, don’t panic. If you want to get a REAL ID to board a plane, you can still do this. Note the [BRACKETED ALL CAPS] text in Section 1 of HB389 as originally written, illustrated below.

So Alaska can still issue “federally compliant” (i.e., REAL ID) driver’s licenses.

But what about foreign ownership?

But as long as I was reading the text of the bill, I thought I’d see what else it proposed to change, and ran across this text in Section 4.

Now THAT caught my eye. (Alaska Statutes Chapter 15 is the portion of the statutes that governs driver’s licenses in general, so this clause affects EVERYTHING.)

If your company is 94% U.S.-owned, that’s not good enough in Alaska.

(Well, at least until Putin decides that Edouard de Stoeckl’s 1867 sale of Alaska was illegal…)

The signing of the Alaska Treaty of Cessation on March 30, 1867. Left to right: Robert S. Chew, William H. Seward, William Hunter, Mr. Bodisco, Eduard de StoecklCharles Sumner, and Frederick W. Seward. By Emanuel Leutze (d. 1868) –, Public Domain,

Most if not all U.S. state agencies do not produce driver’s licenses themselves, but instead contract with private companies to do the work. These private companies either produce the licenses at state agency offices, or produce them as a service (DLaaS) at a secure production center (which may produce licenses for multiple states). To my knowledge, all of the production centers for U.S. driver’s licenses are located within the United States.

But who are the “private entities” that provide driver’s license manufacturing services? Let’s look at the major ones and see if they’re affected by Section 4 of the draft of Alaska HB389.


It is a matter of public record that the majority of U.S. states use IDEMIA to produce their driver’s licenses, either within agency offices or in secure IDEMIA production centers. When I was an employee of IDEMIA, I did not have the necessary security clearance to enter any of these production centers. Employees should only have the security permissions that they need, and my job had no need for me to access the PII of IDEMIA’s driver’s license customers, or to enter the facilities in which these secure documents are manufactured. There are security requirements governing this.

…our state-of-the-art central issuance facilities…are highly secure and meet North American Security Products Organization (NASPO) Level I security requirements. 


We’ll return to NASPO later in this post.

As I’ve noted before, IDEMIA is (currently) majority owned by Advent International, a U.S. based investment firm. IDEMIA entered the U.S. driver’s license market by acquiring Morpho (French), which had previously acquired MorphoTrust/L-1 Identity Solutions (U.S.), which had previously acquired Digimarc’s ID Systems business (also U.S.).

And, as I’ve noted, Advent International will probably choose to sell IDEMIA at some point in the future.

However, Advent International is not the exclusive owner of IDEMIA, because part of the company is owned by Bpifrance, which is (drumroll) French.

Alaska’s HB389, if passed in its original form, would prohibit the state from “communicating” personally identifying information (PII) to a private entity with more than five percent foreign ownership. I do not know the percentage that Bpifrance owns (all of the press releases failed to include that little tidbit), so I don’t know if IDEMIA would run afoul of the law or not.

HB389, if unmodified, is just one thing that any company that purchases IDEMIA must keep in mind.

IDEMIA doesn’t produce Alaska driver’s licenses. Who does?

But that doesn’t matter, because IDEMIA isn’t the Alaska driver’s license vendor anyway. That contract is controlled by another company.

Austin, TX – October 31, 2018 – Gemalto (Euronext NL0000400653 GTO),  and Alaska’s Division of Motor Vehicles will continue their work of providing credentials to citizens with the additional goal of helping the state become Real ID compliant by increasing security of the state’s driver’s license and identification cards.


Gemalto (a Dutch company) was subsequently acquired by Thales, which is a French company. Gemalto entered the U.S. driver’s license market when it acquired Marquis ID Systems.

Now I do not know the details of Alaska’s contract with Thales, but it stands to reason that if Thales is “providing credentials to citizens” (implying a service bureau relationship), then at some point the state is going to have to “convey, distribute, or communicate” PII to Thales.

Other vendors

But don’t worry. IDEMIA and Thales are not the only driver’s license manufacturers out there, so you don’t have to worry about foreigners getting your data. Just select an American company!

For example, Veridos can provide driver’s licenses. Veridos is a joint venture between Giesecke+Devrient and Bundesdruckerei…whoops, that’s not a U.S. company.

And there’s another driver’s license manufacturer out there. It’s called…Canadian Bank Note.

There’s also Valid, which is…Brazilian.

Let’s look at NASPO

Despite the fact that these entities are foreign-owned, all of them (either on their own, or through parents or acquired companies) are members of NASPO, and many of them have NASPO certification.

So what?

NASPO international was formed as the North American Security Products Organization.  The non-profit organization was founded in 2002 by companies and individuals in industry that recognized the need for security focused standards to prevent fraudulent acts that support criminal and terrorist activity….

NASPO INTERNATIONAL was formed to combat the ever increasing amount of fraud within the areas of brand protection, document security, and identity.  Our focus is to produce credible, structured, and, when appropriate, certifiable standards.  NASPO INTERNATIONAL has created a risk reduction standard and auditing process to certify security focused organizations.  This structure also provides the end user with the ability to create a secure supply chain from supplier to end users.


From my point of view, NASPO tries to achieve what HB389 clumsily tries to achieve by its “minimal foreign ownership” clause. 100% U.S. ownership does not guarantee the security of your data, and 94% U.S. ownership does not guarantee that your data will wind up in a foreign capital.

So what happens next?

I have no idea whether HB389 will get passed, but unless it is substantially amended, Alaskans can still get REAL ID driver’s licenses so that they can board planes, enter secure federal facilities, and the like without getting a passport or other authorized document.

But I’m not sure what’s going to happen regarding the foreign ownership clause. Maybe people at some of the firms listed above are already looking into this.

But if my assumptions on HB389 are correct, and it passes with Section 4 intact, perhaps Alaska may not be able to rely on a private entity to provide driver’s licenses as a service (DLaaS). In that case, the state will have to produce its own driver’s licenses, free from foreign influence.

I may be a fraudster!

I’ve previously contacted a journalist via Help a Reporter Out (HARO), and I occasionally pitch to journalists on the service. In fact, I submitted a new pitch earlier this month.

So I noted with interest this story of how fraudsters fool Help a Reporter Out pitch recipients with synthetic or otherwise fraudulent identities.

When a reporter is writing a story that requires a source that he or she does not have, that reporter will likely turn to HARO, a service that “connects journalists seeking expertise to include in their content with sources who have that expertise.”…

Now, shady SEOs hide behind fake photos and personalities. The latest black hat search-engine optimization trend is to respond to Help-a-Reporter-Out (HARO) inquiries pretending to be a person of whichever gender/ethnicity the journalist is seeking comment from.


As it turns out, I have never responded to a pitch that specifically requested comments from white males. (Probably because if a pitch DOESN’T request gender/ethnicity information, chances are that the respondent will be a white male.) But it’s clear how a HARO pitch scammer could create a synthesized identity of a biometric proposal writing expert.

So if you’re asking your source for a picture, John W. Defeo suggests that you ask for TWO pictures. I think that the technical term for this is MPA, or Multi Photo Authentication.

There’s one other suggestion.

Take those photographs and plug them into a reverse image lookup service like Tineye (or even Google Images). Have they appeared on the web before? Does the context make sense?


I often use the picture that is found on my jebredcal Twitter profile.

So I plugged that in to a Google reverse image search. As expected, it hit on Twitter, but also hit on some other social media platforms such as LinkedIn.

I hadn’t heard of TinEye before, so I figured I’d give it a shot. Here’s what TinEye found:

Very odd, since as I previously mentioned this particular image is available on Twitter, LinkedIn, and other sources. But it turns out that TinEye honors requests from social media services NOT to crawl their sites. (No comment.) And TinEye apparently hasn’t crawled the relevant page on yet.

Which leads to the scary thought – what if someone searched TinEye for me, and didn’t bother to search anywhere else after getting 0 results? Would the searcher conclude that I was a synthetically-generated biobot?

Wow, talk about identity concerns…

“Who Are You” by The Who. Fair use,

Friction and emerging threats: two items to consider when implementing multifactor authentication

For my long-time readers, here’s a quiz. Read the four statements below and take a guess as to which one of these statements best reflects my views.

  1. With recent accuracy improvements, facial identification is the only identification method that you will ever need in the future.
  2. Possession of a driver’s license is sufficient to prove identity.
  3. Fingerprints are the tried and true authentication method; you don’t need anything else.
  4. Passwords are dead.

Readers, this was a trick question. I don’t agree with ANY of these statements. It is possible to subvert facial identification methods. Your twin can steal your driver’s license. Fingerprints can be subverted also. And passwords have their place.

If you’ve read my writings for any length of time, you know that I believe that any single authentication factor is not a reliable method of authenticating someone. Multifactor authentication, in which you use more than one of the five authentication factors, is a much stronger method. It’s possible to spoof any single authentication factor (a gummi fingerprint, a fake driver’s license, etc.), but it’s much harder to spoof multiple factors.

No, they don’t have ridges. By Thomas Rosenau – Own work, CC BY-SA 2.5,

Please note that I am referring to multiple FACTORS, not multiple TYPES OF BIOMETRICS (for example, authenticating finger and face and declaring victory). All biometrics fit within the “something you are” category, and it’s much better to combine this factor with one or more of the other four: something you know, something you have, something you do, and somewhere you are. Or perhaps use two factors other than biometrics. The important thing is that you use multiple factors.

What of the vendor that only offers one type of biometric authentication? Or the vendor that only offers biometric authentication? Or the vendor that only processes secure documents? Or the one with really strong password protection schemes? Well, in my humble opinion these vendors need to partner with other vendors who support other authentication factors, to ensure delivery of a robust solution.

Julie Pattison-Gordon made many of these points in a recent GovTech article, “Cyber Refresher: Understanding Multifactor Authentication.” But she made two additional points that are worth mentioning.

Friction and authentication

The first point that Pattison-Gordon makes is the following:

Agencies may need to consider how their selection of authentication methods creates or avoids friction for employees.

Friction, in which a task becomes hard to perform, is bad.

Not sure how Jack feels now that the Lakers are, um, subpar. By May be found at the following website:, Fair use,

Some authentication methods have, or can have, more friction than others. For example, some password implementations require use of characters from the Roman, Greek, and Cyrillic alphabets and require you to change your password daily. (I exaggerate only slightly.) Older iris readers required you to put your head directly against the reader, like if you were at an opthamologist’s office. Even today, most fingerprint readers require you to touch your finger against a platen. (There are exceptions.)

But why worry about friction? After all, if someone’s required to perform some type of authentication, they’re going to do it regardless of how hard it is.

Oh no they’re not:

Speaking during a panel last month, Delaware Chief Security Officer Solomon Adote said that workers who find MFA processes too cumbersome may adopt unsafe workarounds, such as storing official files on personal devices to let them skip login procedures entirely.

This is worse than an abandoned shopping cart, since it’s the abandonment of an entire security infrastructure. When security is too cumbersome, the result is little or no security at all.

I feel safe now. By IMP Awards, Fair use,

It is possible to improve all authentication methods to reduce friction. Strong yet easy passwords that you don’t have to change all the time. “On the move” capture of all sorts of biometrics, including fingerprints, faces, and irises. The ability to read information on secure documents without sliding them through a card reader (yet incorporating protections against unauthorized reading of the data).

Trust me – frictionless will make people happier and will cause them to use your security methods without objection.

Emerging threats and authentication

Pattison-Gordon makes a second point:

Organizations must also weigh the cyber threats facing each type of authentication, as malicious actors continue evolving their strategies.

No authentication method is foolproof, and every authentication method attracts one or more threats. I’ve mentioned some in passing in this post, such as “gummi fingerprints” in which someone creates a fake fingerprint with the ridge detail from a true fingerprint. Pattison-Gordon mentions another threat, SIM swapping.

There are ways to deal with these two threats. For example, if a gummi fingerprint is literally a piece of non-organic material, there are various methods of liveness detection (tempreature, heartbeat detection, skin features) that can identify the fingerprint as fake.

However, this does not solve the problem, since some day some fraudster will create a fake fingerprint that appears to have human skin, a temperature, a detectable heartbeat, and everything else that a real fingerprint will have.

Security is a constant war between the fraudsters who develop a hack, the cybersecurity folks who develop a block to the hack, and the fraudsters that develop a new hack that avoids the block to the previous hack. No authentication method is foolproof.

This is one of the benefits of multifactor authentication. When this is used, then the fraudster needs to hack something you are AND something you know AND something you have AND something you do AND somewhere you are. MFA hacking is not impossible, but it is much, much more difficult than hacking a single factor.

And you also have to keep up with the latest hacks and continue to research. Don’t quit researching an authentication method just because it seems great now.

(A couple of you may know why I said that.)

Does your biometric/identity firm need proposal or content marketing services?

I really need to update my own website more frequently.

About a year ago, I created a web page and an accompanying brochure entitled “Bredemarket and Identity Firms.” I’ve updated the web page a time or two in the last year, but until a few minutes ago both the web page and the brochure were significantly out of date, and didn’t include some of the projects that I’ve worked on during the past few months.

You can view the updated web page or download the updated brochure (at the end of this post) if you like, but I’ll create a frictionless experience for you by reproducing (repurposing) the list of ALL of Bredemarket’s biometric/identity projects as of today. (And there are more projects in work that I haven’t listed yet.)

By Zhe Wang, Paul C. Quinn, James W. Tanaka, Xiaoyang Yu, Yu-Hao P. Sun, Jiangang Liu, Olivier Pascalis, Liezhong Ge and Kang Lee –, CC BY 4.0,

If I can perform similar services for your biometric/identity firm, contact me.

How can Bredemarket help identity firms?

Here are a few examples of services that I have provided to identity firms under the Bredemarket banner as a biometric proposal writing expert, a biometric content marketing expert, and an expert in other areas of biometric writing.

  • Proposal Writing: Created five proposal letter templates to let a biometric firm’s sales staff propose two products to five separate markets. After completing the first three templates, I received this unsolicited testimonial:

“I just wanted to truly say thank you for putting these templates together. I worked on this…last week and it was extremely simple to use and I thought really provided a professional advantage and tool to give the customer….TRULY THANK YOU!”

  • More Proposal Writing: Responded to three Requests for Information (RFIs) for two biometric firms, positioning the firms for future work from government agencies.
  • Even More Proposal Writing: Assisted a biometric firm in responding to multiple Requests for Proposal (RFPs) and sole source letters.
  • And more…: Created a proposal letter template for a biometric firm.
  • And still more…: Created a Microsoft Word-based response library for a biometric firm.
  • Proposal Analyzing: Monitored the social media activity of a biometric firm’s competition and created responsive proposal text to position the firm against its competition.
  • Proposal Editing: Assisted a biometric firm in the final stages of an RFP response, editing its proposal both before and after its Gold Team review.
  • Strategic Marketing: Updated customer counts and technical data for a secure document firm.
  • More Strategic Marketing: Assisted a leading biometric vendor in analyzing its NIST FRVT 1:1 and 1:N results, providing both public information the firm could share with its clients, and private information for the firm’s internal use.
  • Online Marketing: Analyzed a biometric website and its social media channels, looking for broken links, outdated information, synchronization errors, and other problems, and provided a report to the firm upon completion.
  • More Online Marketing: Wrote three service descriptions for a biometric consulting firm.
  • Online Writing: Interviewed customers and wrote case study text for 14 case studies a biometric firm.
  • More Online Writing: Wrote blog post text for a biometric firm.

About THAT Reuters article

I intentionally chose an obscure title for this post.

I could have entitled the post “Ricardo Montalban.” Just because.

In a more relevant way, I could have entitled the post “Former IDEMIA employee weighs in on Advent’s possible sale of the company.” That would have got some clicks, to be sure.

But it would have misled the reader, because the reader would have gotten the idea that I have some expertise in corporate acquisitions, and an abillity to predict them.

And as past history has shown, I do not have any such expertise.

  • In 2000, I was completely and totally surprised when I learned that Printrak wanted to sell itself to Motorola. I didn’t have a clue that any such thing was going to happen.
  • In 2008, I was reading online late one evening and was completely and totally surprised when I learned that Motorola wanted to sell off half of Printrak to the French company Safran, the Sagem Morpho folks. Yes, Motorola was in trouble, but I didn’t have any idea that we would be sold off.
  • Years later, I was kinda sorta surprised when Safran decided that it wanted to get rid of its entire identity and security business, and was completely and totally surprised when the buyer was an American investment firm that owned Oberthur Technologies.

So my record on really understanding these acquisitions is pretty low.

With that caveat, I’ll go ahead and use a really eye-catching SUBtitle. Better late than never.

Former IDEMIA employee weighs in on Advent’s possible sale of the company

Impressive, isn’t it?

But before proceeding, I should let you know about THAT Reuters article that I referenced in the real post title.

On Friday, Reuters published an exclusive article entitled “Advent gears up for $4.6 bln sale of French biometrics firm IDEMIA – sources.”

So who is Advent?

Advent (actually, Advent International) is the American investment firm that I mentioned earlier. As an investment firm, its purpose in life is to buy businesses, improve them, and sell them for a profit.

Back in 2011, Advent bought Oberthur Technologies with this intent. To that end, Advent announced in 2015 that Oberthur Technologies planned an Initial Public Offering. Within a month, those plans were shelved. Advent determined that an Oberthur IPO wouldn’t do so well.

So Advent began thinking about ways to make Oberthur more attractive.

At the same time, Safran was trying to decide what to do with its identity and security business. The purchase of Printrak was just a blip in Safran’s plans, as it acquired L-1 Identity Solutions (renamed MorphoTrust) and other businesses. But Safran is not an identity and security company. It’s a “de plane” company.

By ABC Television – eBay itemphoto frontphoto back, Public Domain,

And Safran is also a defense company to protect France and other countries from evil forces.

The identity part of the business was clearly the odd one out. Heck, rich Corinthian leather would have fit better into the Safran product line.

By dave_7 – originally posted to Flickr as Chrysler Cordoba, CC BY 2.0,

OK, I’ll stop now.

Anyway, in the end Advent announced in 2016 that it had entered into an agreement to negotiate the purchase of Safran’s identity and security business. The purchase was completed on May 31, 2017, and Advent combined Oberthur (OT) and the portion of Safran (Morpho) into OT-Morpho, which was quickly renamed IDEMIA.

I was an employee of IDEMIA at the time, and I don’t think I’m spilling any company secrets if I reveal that Advent wanted IDEMIA to do really really well, so that it could make a profit on the two acquisitions. I wasn’t at the highest executive level that was setting the high-level strategy, but I was often working on initiatives to help realize Advent’s profitability goal.

The possibility of an IDEMIA IPO or sale receded somewhat in early 2020. Among other things, COVID adversely affected two of IDEMIA’s core businesses in the United States, TSA PreCheck (nobody was flying) and driver’s licenses (the DMV offices were all closed).

Back to THAT Reuters article

Fast forward to 2022 and Reuters’ exclusive revelations.

Advent International is looking to sell its French biometrics and fingerprint identification firm IDEMIA in a deal worth up to $4.6 billion as it seeks to capitalise on growing demand for cybersecurity assets in Europe, two sources told Reuters.

The U.S. buyout fund is reviewing a series of options to sell IDEMIA, including a possible break-up of the company which was formed in 2016 by combining Safran’s identity and security business with Oberthur Technologies, the sources said.


As you, the wise reader, know, Reuters goofed here.

IDEMIA was NOT formed in 2016. The formation of IDEMIA was ANNOUNCED in 2016, but the deal wasn’t actually COMPLETED until 2017. Hey, at least Biometric Update got it right.

Anyway, if you read either Reuters or Biometric Update, you’ll learn that nothing is going to happen immediately (France is holding an election in April, and the composition of the new government could impact any sale), and that the possible split-up may separate the part of the business that sells to governments from the part that sells to commercial firms.

Of course, the big question about any sale of IDEMIA would be the identity of the buyer. Would Advent try (again) to issue an IPO, or would Advent look for one or more existing companies to purchase IDEMIA?

Both Reuters and Biometric Updare speculate that Thales could be a potential buyer. While Safran was slimming down to concentrate on its aircraft business, Thales has been beefing to to diversify its business, most notably in its purchase of Gemalto. (As people in my industry know, that purchase provided Thales with the technology of the old Cogent Systems.)

However, there are two possible issues with a Thales purchase of all or part of IDEMIA.

  • Antitrust issues. Automated fingerprint identification systems isn’t the only product that Thales and IDEMIA have in common. For example, both companies provide driver’s licenses in the United States. As any Thales purchase of IDEMIA is considered by the United States, France, and dozens of other countries, the deal could be opposed on antitrust grounds. This can be mitigated by limiting what Thales can buy, but it could complicate matters.
  • Thales is French. Some of the driver’s license and biometric technology that IDEMIA sells was developed in the United States, and is used by many government agencies, including the Federal Bureau of Investigation and the Department of Homeland Security. At present, while IDEMIA is headquartered in France, it is primarily owned by Americans, so there’s a teeny bit of comfort in that. But what if a French firm were to own IDEMIA? The horror! (Many years ago, when Cogent Systems first sold itself, it intentionally chose a U.S. buyer, 3M, for this very reason.) Never mind that the U.S. government has been using French (and Japanese) technology for years, and that some very specific arrangements have been set up to mitigate the risks of foreign ownership. Some Senator or another is guaranteed to raise a big stink if U.S. government institutions are dependent upon a French company.

So perhaps Thales could buy all or part of IDEMIA, or perhaps it may pass. But if Thales passes, are there any U.S.-owned companies that may have an interest in IDEMIA’s technology?

Because of my biometric bias, the first thing that I would consider would be American companies that are active in the biometric market. However, many of the U.S. companies are small, and don’t have a few billion dollars lying around to buy IDEMIA. So don’t look for Aware, Clearview AI, Paravision, Rank One Computing, or the like to be a buyer.

There are of course much bigger U.S. firms in high tech that have dipped their fingers into the biometrics market. Amazon, Apple, Facebook, Google, and Microsoft all come to mind. However, those same customers that are of prime concern to U.S. Senators are also or prime concern to the employees of some of those firms, who don’t want their employers to do business with the “evil” Department of Homeland Security or even the “evil” local police departments that should all be defunded. (Amazon quit selling Rekognition to police agencies, for example.) Even Apple, which is developing its own digital driver’s license technology, is probably reluctant to own IDEMIA.

But there’s one tech company that intrigues me as possibly having an interest in IDEMIA.


It’s big enough to make the purchase, certainly likes to make acquisitions, and has no hesitation about working with government agencies.

ANY government agency.

After all, the name “Oracle” came from a database project that Ellison worked on before founding the company with the same name.

His client was the Central Intelligence Agency.

If you’ve paid attention to this article, then you already know that since I have speculated that Oracle could purchase IDEMIA, that puts the chances of Oracle actually purchasing IDEMIA at zero.

And for all we know, Reuters’ two sources might be unreliable, or something else might happen (another COVID variant?) that could cause Advent to hold on to IDEMIA for a few more years.

So we’ll have to see what happens.

The Māori relationship between digital identity and collective identity

I live in the United States in a fairly industrialized society with a heavy focus on individual rights, and a (general) preference toward a focus on the brain and body rather than the soul.

This view shapes how I approach a number of topics, including biometrics and digital identity. For example, if my biometrics are encoded on a physical card or in some type of digital representation, I merely think of this as a way to individually identify myself from other individuals.

Frank Hersey of Biometric Update notes that my attitude is not universal. Hersey cites an article in New Zealand’s Gisborne Herald entitled “Maori experts call for closer involvement in creation of taonga.”

Yes, taonga. As you can see, the Maori people have their own language. (And their own views on the individual, society, and identity.) While there is no direct translation of “taonga” to English, the word has been described to mean a treasured possession.

I don’t know about you, but when I look at the ridges on the tips of my fingers, “treasured possession” is not the first thought that comes to mind.

And that’s the problem.

Maori data experts say there has been a lack of undertsanding about te ao Māori (Māori world view) and data sovereignty principles by the Government in the process of making two new data laws.


The Gisborne Herald quotes Dr. Warren Williams regarding how the two data laws (The Digital Identity Services Trust Framework and The Consumer Data Right) could affect the Maori.

Data is a taonga (treasured possession) for me. It is something to be cherished, protected and cared for. And with that comes responsibility….

Māori want to be able to protect our data. We want to have real ownership of our data. We want to understand where it has been stored.

Where there is physical storage of data, can we access that? Or those who hold our data, are they looking after it in a way that is respectful?

Sovereignty is not just ownership but also how it’s cared for, how it’s looked after, how it’s shared. If I say I give you permission to share data about myself to a certain group, sometimes the holder of that data can refuse because it’s private.


This data perspective is literally foreign to many government bureaucrats and policy advocates in North America, the European Union, and other more industrialized societies. Can you imagine someone in Brussels, Belgium or Springfield, Illinois talking about being “respectful” while “caring” for data?

So now let’s move to another Maori word, “tikanga,” which leads us to discuss a profound difference between Western individual perspectives and Maori collective perspectives. This was discussed in that great cultural publication Computerworld, in its description of the “Tikanga in Technology” project.

The project’s focus is on how tikanga Māori (customary protocols) and Mātauranga Māori (indigenous knowledge) inform “the construction of digital identities and relational responsibilities to data.  … The world is undergoing disruptive change as rapid advances in data linkage and powerful digital technologies converge. For Indigenous peoples, these innovations are a double-edged sword, creating vast potential for improved well-being as well as major risks of group exploitation and harm. The current narrow focus on individual data rights and protection is failing us. We need a profoundly different approach—one that recognises collective identities and allows data to be understood through a wider set of ontological realities.”


Even in our society, identification is not a completely individualistic activity. One common example is how an individual’s DNA can be used to identify a relative who may have engaged in criminal activity, or who may have been a victim of an untimely death (criminal or otherwise). We as a society are struggling with the ramifications of this, and trying to balance the need to satisfy a public good with the need for privacy, including how I can inadvertently (or purposely) reveal something that may violate the privacy of another person.

Another example is when the needs of a biometric modality such as facial recognition are affected by religious or societal needs that cause people to shield that particular biometric. Religious mandates in certain groups to veil one’s face have recently been joined by medical mandates in certain groups to mask one’s face, causing uproars and changes in the biometric world.

Sometimes, the biometric rules adjust, such as Apple’s allowance to use a different identification method (such as something you know) when a face is obscured.

Sometimes, the biometric rules don’t adjust, and your local driver’s license bureau declares, “if you shield your face, you can’t get an identification card.”

The Maori are taking this concern with the collective (vs. the individual) a step further, with their concern about “group exploitation and harm.”

So how do these views of the collective impact people such as myself, who toss out phrases such as “identification of individuals” from decades of habit?

connect:ID 2021 is coming

I have not been to an identity trade show in years, and sadly I won’t be in Washington DC next week for connect:ID…although I’ll be thinking about it.

I’ve only been to connect:ID once, in 2015. Back in those days I was a strategic marketer with MorphoTrak, and we were demonstrating the MorphoWay. No, not the Morpho Way; the MorphoWay.

At connect:ID 2015.

Perhaps you’ve seen the video.

Video by Biometric Update.

As an aside, you’ll notice how big MorphoWay is…which renders it impractical for use in U.S. airports, since space is valuable and therefore security features need a minimum footprint. MorphoWay has a maximum footprint…just ask the tradespeople who were responsible for getting it on and off the trade show floor.

I still remember several other things from this conference. For example, in those days one of Safran’s biometric competitors was 3M. Of course both Safran and 3M have exited the biometric industry, but at the time they were competing against each other. Companies always make a point of checking out the other companies at these conferences, but when I went to 3M’s booth, the one person I knew best (Teresa Wu) was not at the booth. Later that year, Teresa would leave 3M and (re)join Safran, where she remains to this day.

Yes, there is a lot of movement of people between firms. Looking over the companies in the connect:ID 2021 Exhibitor Directory, I know people at a number of these firms. Obviously people from IDEMIA, of course (IDEMIA was the company that bought Safran’s identity business), but I also know people at other companies, all of whom who were former coworkers at IDEMIA or one of its predecessor companies:

  • Aware.
  • Clearview AI.
  • GET Group North America.
  • HID Global.
  • Integrated Biometrics.
  • iProov.
  • NEC.
  • Paravision.
  • Rank One Computing.
  • SAFR/RealNetworks.
  • Thales.
  • Probably some others that I missed.

And I know people at some of the other companies, organizations, and governmental entities that are at connect:ID this year.

Some of these entities didn’t even exist when I was at connect:ID six years ago, and some of these entities (such as Thales) have entered the identity market due to acquisitions (in Thales’ case, the acquisition of Gemalto, which had acquired 3M’s biometric business).

So while I’m not crossing the country next week, I’m obviously thinking of everything that will be going on there.

Incidentally, this is one of the last events of the trade show season, which is starting to wind down for the year. But it will ramp up again next spring (for you Northern Hemisphere folks).

Bredemarket remembers the Southern Hemisphere, even though Bredemarket only does business in the United States.

Regardless of where you are, hopefully the upcoming trade show season will not be adversely impacted by the pandemic.

A view of 9/11 from the 9/11 Commission’s border counsel

There are different ways to look at 9/11. I’m familiar with the reconstructions of Vice President Cheney’s actions in Washington on that day, and of President Bush as he flew around the country on that day (the only plane in the sky).

But what about the activities of the hijackers on that day, and in the months preceding that day?

All of this was examined by the 9/11 Commission. As a result of its investigation, this body made significant recommendations, some of which have only taken nearly two decades to implement, assuming they ARE implemented as (re) scheduled.

By Cleanup by Andrew_pmk (talk · contribs); straightened and cropped by Holek (talk · contribs) –, Public Domain,

Janice Kephart was border counsel to the 9/11 Commission, and has been involved in homeland security ever since that time. She is currently CEO and Owner of Identity Strategy Partners.

As the 20th anniversary of 9/11 approaches, Kephart has released a documentary. As she explains, the documentary contains a wealth of information from the 9/11 Commission’s investigation of the hijackers, much of which was never officially released. Her hope:

If we are never to forget, we must educate. That is the purpose of this documentary. It is history, it is legacy, from the person who knows the details of the hijacker’s border story and has continued to live it for the past 20 years. I hope it resonates and educates.

When listening to Kephart’s documentary, keep in mind how much our world has changed since 9/11. Yes, you went through a security screening before you boarded a plane, but it was nothing like the security screenings that we’ve gotten used to in the last 20 years. Before 9/11, you could walk all the way up to the gate to send off departing passengers or greet arriving ones. And identity documents were not usually cross-checked against biometric databases to make sure that applicants were telling the truth.

I personally was not as familiar with the stories of the hijackers as I was with the stories of Bush and Cheney. The documentary provides a wealth of detail on the hijackers. (Helpful hint: don’t be afraid to pause the video when necessary. There’s a lot of visual information to absorb.)

Toward the end of the documentary, Kephart concentrates on Mohamed Atta’s return to the U.S. in January 2001, when his tourist visa had already expired and his student visa application was still pending. Kephart notes that Atta shouldn’t have been allowed back into the country, but that he was let in anyway. The details regarding Atta’s January 2001 entry are discussed in detail in a separate report (see section III.B).

(Incidentally, Atta’s student visa application wasn’t approved until July 2001, and his flight school wasn’t notified until 2002.)

Kephart wonders what might have happened if Mohamed Atta had been denied re-entry into the United States in January 2001 because of the visa irregularities. Since Atta was the ringleader and the driving force behind the attack, would the denial of entry have delayed or even terminated the 9/11 attack plans?

If you want to view the documentary, it is hosted on YouTube.

IATA endorses the EUDCC. But will it matter?

In a Bredemarket blog post in February 2021, I quoted something that I wrote in 2013 in one of my personal blogs, Empoprise-BI.

I’m sure that many people imagine that standards are developed by a group of reasonable people, sitting in a room, who are pursuing things for the good of the world.

You can stop laughing now.

As I noted back in 2013, and again in February, there are many instances in which standards do not evolve from a well-designed process. In reality, standards emerge via that process that I referred to in February as “brute force.”

By イーストプレス – 「ゴング格闘技」=1951年のブラジル地元新聞からの転載, Public Domain,

For those who are not familiar with the “brute force” process, I’ll provide two illustrations.

  • If a lot of people like something, it’s a standard.
  • If a trillion dollar company likes something, and I like something different, then the thing that the trillion dollar company likes is a standard.

If two trillion dollar companies like two different things…it can get messy.

Back in February, I was just beginning to talk about something that I called “health passports” at the time. Later, I personally decided that “health passports” is a poor choice of words, and have instead gravitated to using the phrase “vaccine certificate.”

Regardless, my concern back in February was that there were all sorts of these things floating around. Even back then, Clear had its own solution, IATA had one, IBM had one, iProov had one, Daon had one, and there were many, many more.

So what happens if I have a Clear vaccine certificate but the airline or building that I’m approaching supports the iProov certificate? Can the iProov certificate read the Clear certificate? Or do I have to get multiple certificates?

This post looks at a new development in the vaccine certificate brouhaha. I’m not talking about what vaccines are honored by the vaccine certificate, but about acceptability of the vaccine certificates themselves. In particular, I’m talking about acceptance of one certificate, the EU Digital COVID Certificate (EUDCC).

Because one big player is getting behind it.

How do international air transport folks feel about the EUDCC?

While the EUDCC can conceivably be used for a number of use cases, such as entering a private business like a restaurant, one of the most popular use cases for the EUDCC is to board an airplane that is crossing an international border.

So if there was an organization that was dedicated to the business of flying airplanes across international borders, and if that organization thought that the EUDCC was pretty cool, then that endorsement would have as much pull as Google (and Facebook) endorsing a web image format.

Enter the (drumroll) International Air Transport Association, which issued a press release on 26 August.

The title?

“IATA Backs European Digital Covid Certificate as Global Standard.”

Now those who read my February post will recall that IATA was one of those groups that was already developing its own vaccination certificate. So how does the EUDCC compare with the the IATA Travel Pass?

The DCC…is fully supported by IATA Travel Pass.

But in addition to mere self-interest, there is another reason why IATA is endorsing the EUDCC: it’s supported by a lot of countries inside the EU, and other countries are looking at the EUDCC as a model.

The EU DCC is implemented in the 27 EU Member states and a number of reciprocal agreements have been agreed with other states’ own vaccination certificates, including Switzerland, Turkey, and Ukraine. In the absence of a single global standard for digital vaccination certificates, up to 60 other countries are looking to use the DCC specification for their own certification. 

Oh no, I’m just looking

However, it’s one thing to be “looking” at something, and another thing entirely to actually “do” something.

Before assuming that the EUDCC will become the de facto DCC, consider how two countries in particular will approach it.

This image or media was taken or created by Matt H. Wade. To see his entire portfolio, click here. @thatmattwade This image is protected by copyright! If you would like to use it, please read this first. – Own work, CC BY-SA 3.0,

One of those countries is my own, the United States of America. While one can argue whether or not the U.S. enjoys the same level of power that it enjoyed immediately after the end of the Cold War, it is still a major player in world economic and travel affairs. And regardless of who the President of the United States is at any given time, the U.S. has often decided to go its own way. Couple this with the power of individual U.S. states in my country’s federal system, and it’s quite possible that even if the U.S. goes along with IATA, and some form of the EUDCC is adopted by our Transportation Security Administration, that does not necessarily mean that the same certificate can be used as it is in Europe to grant access to museums, sporting events, and concerts.

The other country that may have an issue with the EUDCC is China. If the United States is potentially a waning world power, China is potentially a gaining world power. The relationship between China and the rest of the world varies from time to time and from issue to issue. China may decide that it’s not in its best interest to adhere to an international standard for certifications of COVID vaccination, testing, or contraction. And if it’s not in China’s best interest, China won’t do it.

So before declaring that IATA endorsement of the EUDCC settles the issue…we’ll see.