Tag Archives: mobile driver's license

About THAT Reuters article

I intentionally chose an obscure title for this post.

I could have entitled the post “Ricardo Montalban.” Just because.

In a more relevant way, I could have entitled the post “Former IDEMIA employee weighs in on Advent’s possible sale of the company.” That would have got some clicks, to be sure.

But it would have misled the reader, because the reader would have gotten the idea that I have some expertise in corporate acquisitions, and an abillity to predict them.

And as past history has shown, I do not have any such expertise.

  • In 2000, I was completely and totally surprised when I learned that Printrak wanted to sell itself to Motorola. I didn’t have a clue that any such thing was going to happen.
  • In 2008, I was reading online late one evening and was completely and totally surprised when I learned that Motorola wanted to sell off half of Printrak to the French company Safran, the Sagem Morpho folks. Yes, Motorola was in trouble, but I didn’t have any idea that we would be sold off.
  • Years later, I was kinda sorta surprised when Safran decided that it wanted to get rid of its entire identity and security business, and was completely and totally surprised when the buyer was an American investment firm that owned Oberthur Technologies.

So my record on really understanding these acquisitions is pretty low.

With that caveat, I’ll go ahead and use a really eye-catching SUBtitle. Better late than never.

Former IDEMIA employee weighs in on Advent’s possible sale of the company

Impressive, isn’t it?

But before proceeding, I should let you know about THAT Reuters article that I referenced in the real post title.

On Friday, Reuters published an exclusive article entitled “Advent gears up for $4.6 bln sale of French biometrics firm IDEMIA – sources.”

So who is Advent?

Advent (actually, Advent International) is the American investment firm that I mentioned earlier. As an investment firm, its purpose in life is to buy businesses, improve them, and sell them for a profit.

Back in 2011, Advent bought Oberthur Technologies with this intent. To that end, Advent announced in 2015 that Oberthur Technologies planned an Initial Public Offering. Within a month, those plans were shelved. Advent determined that an Oberthur IPO wouldn’t do so well.

So Advent began thinking about ways to make Oberthur more attractive.

At the same time, Safran was trying to decide what to do with its identity and security business. The purchase of Printrak was just a blip in Safran’s plans, as it acquired L-1 Identity Solutions (renamed MorphoTrust) and other businesses. But Safran is not an identity and security company. It’s a “de plane” company.

By ABC Television – eBay itemphoto frontphoto back, Public Domain, https://commons.wikimedia.org/w/index.php?curid=20143137

And Safran is also a defense company to protect France and other countries from evil forces.

By TrekCore: [1], Fair use, https://en.wikipedia.org/w/index.php?curid=24107020

The identity part of the business was clearly the odd one out. Heck, rich Corinthian leather would have fit better into the Safran product line.

By dave_7 – originally posted to Flickr as Chrysler Cordoba, CC BY 2.0, https://commons.wikimedia.org/w/index.php?curid=6890171

OK, I’ll stop now.

Anyway, in the end Advent announced in 2016 that it had entered into an agreement to negotiate the purchase of Safran’s identity and security business. The purchase was completed on May 31, 2017, and Advent combined Oberthur (OT) and the portion of Safran (Morpho) into OT-Morpho, which was quickly renamed IDEMIA.

I was an employee of IDEMIA at the time, and I don’t think I’m spilling any company secrets if I reveal that Advent wanted IDEMIA to do really really well, so that it could make a profit on the two acquisitions. I wasn’t at the highest executive level that was setting the high-level strategy, but I was often working on initiatives to help realize Advent’s profitability goal.

The possibility of an IDEMIA IPO or sale receded somewhat in early 2020. Among other things, COVID adversely affected two of IDEMIA’s core businesses in the United States, TSA PreCheck (nobody was flying) and driver’s licenses (the DMV offices were all closed).

Back to THAT Reuters article

Fast forward to 2022 and Reuters’ exclusive revelations.

Advent International is looking to sell its French biometrics and fingerprint identification firm IDEMIA in a deal worth up to $4.6 billion as it seeks to capitalise on growing demand for cybersecurity assets in Europe, two sources told Reuters.

The U.S. buyout fund is reviewing a series of options to sell IDEMIA, including a possible break-up of the company which was formed in 2016 by combining Safran’s identity and security business with Oberthur Technologies, the sources said.

From https://www.reuters.com/business/exclusive-advent-gears-up-46-bln-sale-french-biometrics-firm-idemia-sources-2022-02-04/

As you, the wise reader, know, Reuters goofed here.

IDEMIA was NOT formed in 2016. The formation of IDEMIA was ANNOUNCED in 2016, but the deal wasn’t actually COMPLETED until 2017. Hey, at least Biometric Update got it right.

Anyway, if you read either Reuters or Biometric Update, you’ll learn that nothing is going to happen immediately (France is holding an election in April, and the composition of the new government could impact any sale), and that the possible split-up may separate the part of the business that sells to governments from the part that sells to commercial firms.

Of course, the big question about any sale of IDEMIA would be the identity of the buyer. Would Advent try (again) to issue an IPO, or would Advent look for one or more existing companies to purchase IDEMIA?

Both Reuters and Biometric Updare speculate that Thales could be a potential buyer. While Safran was slimming down to concentrate on its aircraft business, Thales has been beefing to to diversify its business, most notably in its purchase of Gemalto. (As people in my industry know, that purchase provided Thales with the technology of the old Cogent Systems.)

However, there are two possible issues with a Thales purchase of all or part of IDEMIA.

  • Antitrust issues. Automated fingerprint identification systems isn’t the only product that Thales and IDEMIA have in common. For example, both companies provide driver’s licenses in the United States. As any Thales purchase of IDEMIA is considered by the United States, France, and dozens of other countries, the deal could be opposed on antitrust grounds. This can be mitigated by limiting what Thales can buy, but it could complicate matters.
  • Thales is French. Some of the driver’s license and biometric technology that IDEMIA sells was developed in the United States, and is used by many government agencies, including the Federal Bureau of Investigation and the Department of Homeland Security. At present, while IDEMIA is headquartered in France, it is primarily owned by Americans, so there’s a teeny bit of comfort in that. But what if a French firm were to own IDEMIA? The horror! (Many years ago, when Cogent Systems first sold itself, it intentionally chose a U.S. buyer, 3M, for this very reason.) Never mind that the U.S. government has been using French (and Japanese) technology for years, and that some very specific arrangements have been set up to mitigate the risks of foreign ownership. Some Senator or another is guaranteed to raise a big stink if U.S. government institutions are dependent upon a French company.

So perhaps Thales could buy all or part of IDEMIA, or perhaps it may pass. But if Thales passes, are there any U.S.-owned companies that may have an interest in IDEMIA’s technology?

Because of my biometric bias, the first thing that I would consider would be American companies that are active in the biometric market. However, many of the U.S. companies are small, and don’t have a few billion dollars lying around to buy IDEMIA. So don’t look for Aware, Clearview AI, Paravision, Rank One Computing, or the like to be a buyer.

There are of course much bigger U.S. firms in high tech that have dipped their fingers into the biometrics market. Amazon, Apple, Facebook, Google, and Microsoft all come to mind. However, those same customers that are of prime concern to U.S. Senators are also or prime concern to the employees of some of those firms, who don’t want their employers to do business with the “evil” Department of Homeland Security or even the “evil” local police departments that should all be defunded. (Amazon quit selling Rekognition to police agencies, for example.) Even Apple, which is developing its own digital driver’s license technology, is probably reluctant to own IDEMIA.

But there’s one tech company that intrigues me as possibly having an interest in IDEMIA.

Oracle.

It’s big enough to make the purchase, certainly likes to make acquisitions, and has no hesitation about working with government agencies.

ANY government agency.

After all, the name “Oracle” came from a database project that Ellison worked on before founding the company with the same name.

His client was the Central Intelligence Agency.

If you’ve paid attention to this article, then you already know that since I have speculated that Oracle could purchase IDEMIA, that puts the chances of Oracle actually purchasing IDEMIA at zero.

And for all we know, Reuters’ two sources might be unreliable, or something else might happen (another COVID variant?) that could cause Advent to hold on to IDEMIA for a few more years.

So we’ll have to see what happens.

(Bredemarket Premium) Another mobile driver’s license pilot…but this one may move forward and become the real thing

When looking at U.S. state implementations of mobile driver’s licenses, there are various gradations of these implementations.

  • Some states have only performed pilots.
  • Some states have implemented production versions of mobile driver’s license, but their acceptance is limited and you still have to carry your physical driver’s license with you.
  • I don’t think any state has reached the level where the mDL is acceptable for ALL state purposes, and you DON’T have to carry your physical license with you any more.
  • NO state has reached the level where the mDL is acceptable for state AND federal purposes (such as boarding planes). That is still in process.
Transportation Security Administration Checkpoint at John Glenn Columbus International Airport. By Michael Ball – Own work, CC0, https://commons.wikimedia.org/w/index.php?curid=77279000

This post looks at what is going on in one state, what may happen in the future, and what resistance the state may (or may not) meet from its own residents.

Subscribe to get access

Subscribe to Bredemarket Premium to access this premium content.

  • Subscriptions just $5 per month.
  • Access Bredemarket’s expertise without spending hundreds or thousands of dollars.
Subscribe

You will soon deal with privacy stakeholders (and they won’t care about the GYRO method)

I’ve written about the various stakeholders at government agencies who have an interest in biometrics procurements- not only in this post, but also in a post that is available to Bredemarket Premium subscribers. One of the stakeholders that appeared on my list was this one.

The privacy advocate who needs to ensure that the biometric data complies with state and national privacy laws.

Broken Liberty: Istanbul Archaeology Museum. By © Nevit Dilmen, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=1115936

If you haven’t encountered a privacy advocate in your marketing or proposal efforts…you will.

Utah Gov. Spencer Cox has appointed Christopher Bramwell as the Department of Government Operations’ first privacy officer….As privacy officer, Bramwell will be responsible for surveying and compiling information about state agencies’ privacy practices to discern which poses a risk to individual privacy. He will also work with the personal privacy oversight commission and state privacy officer to provide government privacy practice reports and recommendations.

Obviously this affects companies that work with government agencies on projects such as digital identity platforms. After all, mobile driver’s licenses contain a wealth of personally identifiable information (PII), and a privacy advocate will naturally be concerned about who has access to this PII.

But what about law enforcement? Do subjects in law enforcement databases have privacy rights that need to be respected? After all, law enforcement agencies legally share PII all the time.

From https://www.facebook.com/UplandPolice/photos/pcb.5828261687245780/5828261513912464/

However, there are limitations on what law enforcement agencies can share.

  • First off, remember that not everyone in a law enforcement database is an arrested individual. For example, agencies may maintain exclusion databases of police officers and crime victims. When biometric evidence is found at a crime scene, agencies may compare the evidence against the exclusion database to ensure that the evidence does not belong to someone who is NOT a suspect. (This can become an issue in DNA mixtures, by the way.)
  • Second off, even arrested individuals have rights that need to be respected. While arrested individuals lose some privacy rights (for example, prisoners’ cells can be searched and prisoners’ mail can be opened), a privacy advocate should ensure that any system does not deny prisoners protections to which they are entitled.

So expect to see a raised concern about privacy rights when dealing with law enforcement agencies. This concern will vary from jurisdiction to jurisdiction based upon the privacy (and biometric) laws that apply in each jurisdiction, but vendors that do business with government agencies need to stay abreast of privacy issues.

A little more about stakeholders, or actors, or whoever

Whether you’re talking about stakeholders in a government agency, stakeholders at a vendor, or external stakeholders, it’s important to identify all of the relevant stakeholders.

Or whatever you call them. I’ve been using the term “stakeholders” to refer to these people in this post and the prior posts, but there are other common terms that could be used. People who construct use cases refer to “actors.” Marketers will refer to “personas.”

Whatever term you use, it’s important to distinguish between these stakeholders/actors/personas/whatever. They have different motivations and need to be addressed in different ways.

When talking with Bredemarket clients, I often need to distinguish between the various stakeholders, because this can influence my messaging significantly. For example, if a key decision-maker is a privacy officer, and I’m communicating about a fingerprint identification system, I’m not going to waste a lot of time talking about the GYRO method.

My time wouldn’t be wasted effort if I were talking to a forensic examiner, but a privacy advocate just wouldn’t care. They would just sit in silence, internally musing about the chances that a single latent examiner’s “green” determination could somehow expose a private citizen to fraud or doxxing or something.

This is why I work with my clients to make sure that the messaging is appropriate for the stakeholder…and when necessary, the client and I jointly develop multiple messages for multiple stakeholders.

If you need such messaging help, please contact Bredemarket for advice and assistance. I can collaborate with you to ensure that the right messages go to the right stakeholders.

Are unified digital IDs a thing?

I’ve been busy helping a client who needed summer fill-in help, but I’m finally making the time to catch up on my reading. And this article from Government Technology was on my reading list.

From https://www.govtech.com/products/mobile-drivers-licenses-pave-the-way-for-unified-digital-ids

When I read the title “Mobile Driver’s Licenses Pave the Way for Unified Digital IDs,” I was intrigued by the last three words. I mean, there are more and more states releasing (non-pilot) mobile driver’s licenses, and the standard is coming along, and work is being done to prepare for federal acceptance.

But what about the “unified” part? How did David Raths address that?

Government uses of digital ID

Well, he listened to Eric Jorgensen, director of Arizona’s Department of Transportation.

“I actually hate the term ‘mDL’ because it doesn’t recognize the power of what we’re doing here….The whole concept is that we’re providing a way to remotely authenticate a person, to provide a trusted digital identity that doesn’t exist today. Once we provide that, we’re opening doors to enhanced government services. Also, the government can play a key role in facilitating commerce, providing a better citizen experience and providing for the security of that citizen — that goes way beyond what a driver’s license is about.”

Although all that Jorgensen is discussing is providing a trusted digital identity that is equivalent to a trusted physical identity. If you have to show your driver’s license when visiting a government office’s physical location, conceivably you can show your digital driver’s license when visiting a government office’s website.

Enterprise uses of digital ID

And there are applications beyond government. Delaware and other states are persuading private businesses to accept mobile driver’s licenses as valid forms of identification. There’s a powerful use case for age-restricted products, of course; since all that an alcohol-selling business needs to know is whether you are over the age of 21, the mobile driver’s license ONLY shows that you are over the age of 21. It doesn’t show your address, your weight, or even your birthdate.

But what about a true UNIFIED digital ID?

However, I semantically question whether this is truly a “unified” ID. This is just digitization of an existing government-endorsed ID. A “unified” ID would be one that would not only let me drive, vote, and buy alcohol, but would also serve as my ID to log into Facebook or buy Bitcoin. (Yes, I realize that use of a government ID to buy Bitcoin violates the space-time continuum in some way.)

And for that to happen, work may need to be done to make mobile IDs compatible with existing authentication/authorization methods such as OAuth and OpenID Connect.

And the whole “but what if I don’t have a digital ID?” question must be addressed.

And the whole “but what if I want to use a self-sovereign ID that is NOT government endorsed?” question must be addressed.

And presumably a myriad of other questions would need to be addressed also.

But for me, I can’t address unified digital IDs today. Just got a message from my summer-challenged client…

DHS TSA mDL Public Meeting general observations

As I previously noted, today (June 30, 2021) was the day for the Department of Homeland Security’s Transportation Security Administration to hold its public meeting on its Request for Comment on “Minimum Standards for Driver’s Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes; Mobile Driver’s Licenses.” (See PDF or text version. The second link contains the method for providing comments.)

I will not provide a recap of the comments made by participants during the meeting, but will instead provide some general observations.

Incidentally, the list of all meeting participants will be made public at some point, and it’s possible that the chat transcript from the meeting will also be made public at some point.

Agreement and disagreement among the participants

As can be expected, there were a variety of views expressed at the meeting, ranging from industry comments about the items that should be in the DHS standard, to privacy advocates who questioned why DHS was implementing a standard at all. One example:

  • Industry participants, such as myself, were enthusiastic about the ability of a mobile driver’s license (mDL) to automatically update itself when new information became available at the DMV. For example, if I move to a new address, the DMV can automatically update the mDL on my smartphone to reflect the new address.
  • Privacy participants were, to put it mildly, a bit less enthusiastic about this feature. Physical driver’s licenses are updated as infrequently as every ten years; why should digital driver’s licenses be any different?

But there was apparent agreement between the industry and privacy participants about one possible feature on mDLs – the ability to control the data that leaves the smartphone and is sent to the verifying official. Everyone seemed to agree that this information should be granular, and that the mDL should not automatically send ALL available information on the mDL.

Let me provide an example. When I go to a bar and use my physical driver’s license to prove my age, the verifier (Jane Bartender) is provided access to my name, my address, my date of birth, my height, my (claimed) weight, and all sorts of personal information that would freak out your average privacy advocate. NONE of this information is needed to prove my age, not even my date of birth. All that the verifier needs to know is whether I am over the age of 21. An mDL can be designed to specifically state ONLY that I am over the age of 21 without revealing my birthdate, my address, or my (claimed) weight.

(You’d think that the privacy advocates would be thrilled about this granularity and would urge people to use mDLs because of this privacy benefit, but privacy and security folks are naturally suspicious and have a hunch that all of the information is being provided in the background anyway through double-secret means.)

But are the participants ready to respond to the RFC?

I had one other observation from the meeting. Before sharing it, I should explain that the meeting allowed the participants to ORALLY share the views that they will subsequently express in WRITTEN comments on or before the July 30 deadline.

And based upon the oral comments that I heard, some of the participants are ready to share their written comments…and others are not.

There were participants who spoke to the DHS about their items of interest, not only briefly stating these items, but WHY these items should be important to the DHS and to the general public.

And then there were participants who concentrated on unimportant details that were NOT of interest to the DHS or the general public. I won’t provide specific examples, but let’s just say that some participants talked about themselves rather than about DHS’ needs.

If these participants’ written comments are of the same tone as their oral comments, I can assure you that their comments will not influence the DHS in any way. Although I guess they can go back to their organizations and proudly proclaim, “We told the DHS how important we are!”

The DHS doesn’t care how important you are. In the DHS’ mind, you are not important. Only the DHS is important. (Oh, and the Congresspeople who fund the DHS are important, I guess.)

Perhaps in the next 30 days these other participants will take a look back at their message drafts and ask themselves the “So what?” question. What will motivate the DHS to incorporate desired features into the standard? And why should they?

And, as always, I can help. If nothing else, I can confidentially review your draft comments before submission and provide some suggestions. (Yes, it’s shameless plug time.)

If I can help you with your RFC response:

Or perhaps you are ready to respond now. I guess we’ll all find out when the DHS publishes its final standards, which may or may not reflect your priorities.

The DHS RFI “Minimum Standards for Driver’s Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes; Mobile Driver’s Licenses” is NOT due on June 18 (it’s now due July 30)

Back in April I wrote about a Request for Information that was issued by the Department of Homeland Security. Its title: “Minimum Standards for Driver’s Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes; Mobile Driver’s Licenses.”

The information was due to DHS on June 18 (tomorrow), and my post included a “shameless plug” offering to help companies with their responses.

No company requested my assistance.

But all is not lost, because you can STILL request Bredemarket’s assistance in composing your responses, because, according to Jason Lim, the due date has been extended.

DHS will hold a virtual public meeting on June 30, 2021 on mDL REAL ID RFI to answer questions regarding the RFI and to provide an additional forum for comments by stakeholders and other interested persons regarding the issues identified in the RFI.

DHS is also extending the comment period for the RFI by 42 calendar days to provide an additional period for comments to be submitted after the public meeting. New deadline is July 30, 2021.

If you want to register for the public meeting, click on the link at the bottom of Jason Lim’s LinkedIn post. I’ve already registered myself (the meeting starts at 7:00 am PDT, but at least I don’t have to commute to go to the meeting).

And the shameless plug still applies: if you need assistance in managing, organizing, writing, or checking your response, contact me (email, phone message, online form, appointment for a content needs assessment, even snail mail). As some of you already know, I have extensive experience in responding to RFIs, RFPs, and similar documents, and have been helping multiple companies with such responses under my Bredemarket consultancy.

Are you responding to the DHS RFI, “Minimum Standards for Driver’s Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes; Mobile Driver’s Licenses”?

I already posted about this Request for Information (RFI) on LinkedIn and Facebook, but I wanted to highlight the details of the Department of Homeland Security’s recent request (see PDF or text version).

https://www.govinfo.gov/content/pkg/FR-2021-04-19/pdf/2021-07957.pdf

The RFI delves into a number of questions about treating mobile (i.e. smartphone) driver’s licenses as REAL ID-compliant. The RFI itself states:

DHS invites comments on any aspect of this RFI, and welcomes any additional comments and information that would promote an understanding of the broader implications of acceptance of mobile or digital driver’s licenses by Federal agencies for official purposes. This includes comments relating to the economic, privacy, security, environmental, energy, or federalism impacts that might result from a future rulemaking based on input received as a result of this RFI. In addition, DHS includes specific questions in this RFI immediately following the discussion of the relevant issues.

The RFI can be responded to by any member of the general public, although it is expected that the majority of responses will come from mobile driver’s license vendors and various interest groups. And trust me, there is a wide range of interest groups that are interested in this topic, and in the broader topic of REAL ID in general. Federalism itself is a popular topic when discussing REAL ID.

(Although personally, I believe that if the Federal Government is controlling air travel, and if the Federal Government is…obviously…controlling Federal facilities, then the Federal Government can implement rule-making regarding access. Needless to say, since all 50 states and several territories have adopted REAL ID, the decision has been made.)

While respondents can conceivably talk about anything in their responses, DHS (as noted above) has 15 specific questions to which it is seeking information (see section IV beginning on page 20325). Some are general, such as general questions about security, and some are more specific, such as question 4, which specifically focuses on DHS adoption of requirements derived from “Industry Standard ISO/IEC 18013–5: Communication Interfaces Between mDL Device and Federal Agency, and Federal Agency and DMV.”

Responses to the RFI must be submitted by June 18, and are submitted electronically. (Read the Commenter’s Checklist, and note that DHS prefers that respondents address all 15 questions.) I’m sure that a number of companies and organizations are already starting to think about their responses.

Shameless plug: if you need assistance in managing, organizing, writing, or checking your response, contact me. As some of you already know, I have extensive experience in responding to RFIs, RFPs, and similar documents, and have been helping multiple companies with such responses under my Bredemarket consultancy.

The infancy of mobile driver’s licenses

More and more states are adopting mobile driver’s licenses that can be stored on a smartphone. Mobile driver’s licenses (mDLs) are available from Colorado, Delaware, Louisiana, and Oklahoma, and may be available from additional states by the time you read this.

LA Wallet Louisiana Digital Driver’s License. lawallet.com.

For me, the two key benefits of mDLs are the following:

  • If you have your smartphone, you have your mDL. Since smartphones are becoming more of a necessary must-have item – and wallets are not – the presence of a driver’s license on a smartphone is beneficial. (Unless, of course, you’re the type of person who misplaces your smartphone.)
  • mDLs can be designed to show only the information that is necessary. If I want to enter a bar or other facility for people over 21, I don’t have to show the bouncer my weight, my address, or even my birthdate. I just have to show the bouncer that I’m over 21.

While mDLs are becoming available in more states, they are not fully mature yet.

  • They are only valid in the state where they were issued. You can’t show your Oklahoma mDL in California. (Well, I guess you CAN show it, but a Californian isn’t obligated to do anything.)
  • Even within the state of issue, they’re still not always valid. At least some states require you to carry your physical driver’s license while driving, even if you have an mDL. And you can’t present an mDL to airport security in Denver or any other city. (See the LA Wallet image above, which clearly states “NOT FOR FEDERAL IDENTIFICATION.” So even if Louisiana’s physical driver’s license is REAL ID compliant, its mDL isn’t.)

Part of the issue regarding acceptance of mDLs is that the standards are still evolving. One key standard, ISO/IEC FDIS 18013-5 (Personal identification — ISO-compliant driving licence — Part 5: Mobile driving licence (mDL) application), is still under development.

But these four states, and others, didn’t want to wait until the standards were fully approved, and their solutions were fully certified, before issuing mDLs. Louisiana’s LA Wallet solution was introduced back in July 2018. While none of the solutions by definition can claim compliance with ISO/IEC FDIS 18013-5, they are already providing benefits to the license holders in these four states.

How long will it be until all states, provinces, and territories support mDLs?