Tag Archives: privacy

Know Your Law Enforcement Officer (or ICE Agent)

People can use forged government identities to scare you, rob you, or kill you. How can you protect yourself from fake law enforcement officers, or fake ICE agents? And how can police agencies and ICE protect THEMSELVES from these fakes?

I’ve already shared the story of the person driving around Delaware with flashing lights. Nothing terrible happened in that encounter, but similar impersonation encounters have been more critical.

That was not ICE in Philadelphia

A little over a week ago, an auto repair shop in Philadelphia, Pennsylvania received a surprise visitor.

The visitor, wearing an American flag-adorned baseball cap and a tactical vest with the words “Security Enforcement Agent,” announced the single word “Immigration,” implying that he was from Immigration and Customs Enforcement (ICE).

Several employees fled the scene, but the cashier did not and was immediately zip-tied.

So what happened next?

The so-called ICE agent took $1,000 and was gone 30 seconds later.

That was not police in Minnesota

As I write this, details of an incident in Minnesota are unfolding.

Vance Boelter is alleged to have shot Minnesota State Senator John Hoffman and his wife Yvette at their home, then shot and killed State Representative Melissa Hortman and her husband.

In both cases Boelter presented himself as a police officer.

How do you know if it IS police?

In terms of an encounter from a local law enforcement agency, Colorado State University has provided some tips on verifying the identity of police. While the tips are specifically written for people driving in a car, they can be generalized for cases in which the police officer shows up at a residence or business.

“[C]all 911 from your cell phone. Tell the 911 dispatcher that you are concerned that someone…may not be a police officer.”

Of course a person in a car is generally safer than a person at the front door of a home or business, but in any case you can call 911 and ask for confirmation.

“Do not flee.”

This appears to be sound advice if the person is a real police officer. But if the employees hadn’t fled from the fake ICE officer in Philadelphia, perhaps they would have been robbed also.

“If the dispatcher cannot confirm that you are being [visited] by a police officer, stay on the line with the dispatcher, and ask for police assistance.”

Wise to get the real cops on the scene.

“Do not provide personal documents – driver’s license, insurance information or other documents – to someone who you suspect of being a police impersonator.”

No need to add identity fraud on top of everything else.

How do you know if it IS ICE?

Unfortunately, telling true ICE agents from fake ones is a little more difficult. Your local 911 dispatcher isn’t going to know if that’s a real ICE agent at your door.

5NBCDFW published some tips for those who receive an email, call, or visit from ICE. In regards to personal visits, the station offered this advice:

“ICE agents carry official badges and credentials. They may have identification cards with their name, photo and the department logo. You can ask them to show you their badge or ID.”

The American Civil Liberties Union reminds us that the ICE agent can show their identification (or a warrant signed by a judge) through a window or peephole before you open the door. And according to Motion Law:

“If they refuse to show their identification, you are under no obligation to open the door.”

This of course is not foolproof, since anyone can print a fake business card (perhaps on their own printer, avoiding a commercial business such as the UPS Store), create a fake ID, or create a fake badge.

At least Justin didn’t claim to be with ICE.

And how can you tell whether that ID is real? Remember that in the Leonardo Garcia Venegas episode, ICE agents themselves couldn’t identify an authentic REAL ID.

Challenges of identifying police officers or ICE agents

It’s a challenging identity problem. Especially since police officers may NOT be required to identify themselves. Uniformed officers are required to identify themselves in California (California Penal Code Section 830.10), but plainclothes officers obviously don’t wear badges, and California identification laws don’t apply in other states.

“Hey,” someone suggests. “Why not create a database of all the police officers and ICE agents so that can immediately prove their authenticity?” Unfortunately, that runs into a huge privacy problem, because what happens when (not if) that database is hacked? Or if the data is intentionally leaked?

(And before you say “not my problem, those people need to be in a database,” what if it WAS your problem? In my case, what if all marketing/writing sole proprietors were required to be in a database managed by the Department of Commerce? You’d be worried if it affected YOU.)

The only way that this will change universally is when the police officers, ICE, and other agencies have to deal with impersonators. For example, if fake ICE agents cause problems for the real ones, then ICE itself will insist on positive identification of real ICE agents.

Is Your Organization (Not) Managing Your Identity Proofing Vendors?

Today I’m doing something different.

  • Normally these blog posts are addressed to Bredemarket’s PROSPECTS, the vendors who provide solutions that use biometrics or other technology. Such as identity proofing solutions.
  • But I’ve targeted this post for another audience, the organizations that BUY biometrics and technology solutions such as identity proofing solutions. Who knows? Perhaps they can use Bredemarket’s content-proposal-analysis services also. Later I will explain why you should use Bredemarket, and how you can use Bredemarket.

So if you are with an organization that SELLS identity proofing solutions, you can stop reading now. You don’t want to know what I am about to tell your prospects…or do you?

But if you BUY identity proofing, read on for some helpful expert advice from the biometric product marketing expert.

Managing an identity proofing solution

When you buy an identity proofing solution, you take on many responsibilities. While your vendor may be able to help, the ultimate responsibility remains with you.

Here are some questions you must answer:

  • What are your business goals for the project? Do you want to confirm 99.9% of all identities? Do you want to reduce fraudulent charges below $10 million? How will you measure this?
  • What are your technology goals for the project? What is your desired balance between false positives and false negatives? How will you measure this?
  • How will the project achieve legal compliance? What privacy requirements apply to your end users—even if they live outside your legal jurisdiction? Are you obtaining the required consents? Can you delete end user data upon request? Are you prepared if an Illinois lawyer sues you? Do you like prison food?
  • What about artificial intelligence? Your vendor probably uses some form of artificial intelligence. What form? What does this mean for you? Again, do you like prison food?

Again…are you ready?

GAO, IRS, and DOA

So how do other organizations manage identity proofing solutions? According to Biometric Update, not well.

A new Government Accountability Office (GAO) audit found the Internal Revenue Service (IRS) has not exercised sufficient oversight of its digital identity-proofing program…

As many of you know, the IRS’ identity proofing vendor is ID.me. The GAO didn’t find any fault with ID.me. And frankly, it couldn’t…because according to the GAO, the IRS’ management of ID.me was found to be deficient.

“IRS was unable to show it had measurable goals and objectives for the program. IRS receives performance data from the vendor but did not show it independently identified outcomes it is seeking. IRS also has not shown documented procedures to routinely evaluate credential service providers’ performance. Without stronger performance reviews, IRS is hindered in its ability to take corrective actions as needed.

“ID.me acknowledges that its identity-proofing process involves the use of artificial intelligence (AI) technologies. However, IRS has not documented these uses in its AI inventory or taken steps to comply with its own AI oversight policies. Doing so would provide greater assurance that taxpayers’ rights are protected and that the technologies are accurate, reliable, effective, and transparent.”

So while ID.me meets the IRS’ key requirement of Identity Assurance Level 2 (IAL 2) compliance, is it performing well? The IRS needs to define what “performing well” means.

You would think the IRS had a process for this…but apparently it doesn’t.

Dead on arrival (DOA).

But I’m not the IRS!

I’ll grant that you’re not the IRS. But is your identity proofing program management better…or worse?

Do you know what questions to ask?

Let Bredemarket ask you some questions. Perhaps these can help you create relevant external and internal content (I’ve created over 22 types of content), manage an RFP proposal process, or analyze your industry, company, or competitors.

Let’s set up a free 30-minute consultation to assess your needs.

CPA

Will There Be FEWER States with Mobile Driver’s Licenses in the Future?

(Imagen 3)

Normally when states adopt a new technology, one state will first adopt it, followed by other states, until eventually all states adopt it. (Take REAL ID.)

It’s rare that a state adopts an emerging technology and then trashes it.

Last year

But that’s exactly what happened in Florida last summer, when the state withdrew support for its Thales mobile driver’s license (mDL) pending the creation of a new mDL from a new vendor.

Update as of June 2025…there isn’t one.

“The Florida Smart ID applications will be updated and improved by a new vendor. At this time, the Florida Department of Highway Safety and Motor Vehicles is removing the current Florida Smart ID application from the app store. Please email FloridaSmartID@flhsmv.gov to receive notification of future availability.”

This year

But hey, I’m sure Florida is working behind the scenes to develop a new mDL. After all, digital identity remains a federal priority.

Um…check Biometric Update.

“At the forefront of the Trump administration’s cybersecurity shift is the categorical removal of Biden-era digital identity initiatives which had encouraged federal agencies to accept digital identity documents to access public benefit programs and promoted federal grants to help states develop secure mobile driver’s licenses.”

Biometric Update is specifically referring to President Donald Trump’s Executive Order issued last Friday, which affects cybersecurity efforts in general. Lots of use of the Q word.

Next year?

But if states aren’t receiving federal funding to develop mDLs, and if states decide that only physical driver’s licenses are in their interest, then will mDL adoption slow?

Or may other states follow Florida’s lead and let their contracts with mDL vendors expire?

SWOT analysis advocates…this is a threat.

Oh, and by the way…don’t forget that moving from mDLs back to physical driver’s licenses leads to a certain loss of privacy

Privacy.

The Most Shocking News of the Week: A Free ISO Standard!

I have observed that we are living in a time of uncertainty, in which surprises happen every day.

This week has been no exception. As I type this, Donald Trump and Elon Musk are feuding, with accusations of pedophilia leveled against Trump, threats to yank the government contracts of Musk, and who knows what all. Just a typical week in Washington.

But that’s nothing compared to the shocking news I learned Friday morning.

Sit down and don’t bother to bring out your CHF wallet

Biometric Update just published an article that discusses a particular International Organization for Standardization (with the zeds) standard, ISO/IEC-TEC TS 27560:2023, Privacy technologies — Consent record information structure.

  • It’s not shocking that ISO has published a standard. It does this all the time.
  • It’s also not shocking that ISO published a standard on consent. Consent is required by many privacy regulations, and therefore a standard information structure for consent requests is beneficial throughout the European Union, California, Illinois, and elsewhere.

“This document builds upon ISO/IEC 29184 by addressing the concept of giving the PII principal a record for their own recordkeeping, which includes information about the PII processing agreement and interaction. We call this record the “consent receipt”.

“This document specifies a structure that is used by both principals in consent management: namely a specification for data to be held by the organization to allow record-keeping with good integrity (subject to the defined controls), and an artefact (the “consent receipt”) that is given to the individual whose PII is being processed.”

  • No, none of this is the shocking part. I’ll let Chris Burt reveal the surprise, but please sit down before you read this. Emphasis mine.

“The International Standards Organization has published a standard for obtaining and recording consent, as is necessary to legally use people’s biometric data in a number of jurisdictions, and is making it available for free.”

Yes, you read that correctly. FREE. As in ZERO CHF.

ISO doesn’t normally give standards away, but there’s an exception for this one.

As a result, I have “purchased” this ISO standard—the first one that Bredemarket has ever owned.

But I can’t share it with you. Get your own.

Razor and Blades as a Service: HP Instant Ink

You know the razor and blades business model, where you can buy the razor very cheaply, and then you spend a lot of money over the years buying the blades.

Of course, this business model also applies to other complementary products, such as game consoles and video games, and printers and ink.

Ink as a Service

And companies can extend the business model. Rather than buying individual razor blades, video games, and ink cartridges, you can obtain the complementary products “as a Service.”

For example, HP Instant Ink:

“HP Instant Ink is the hassle-free, money-saving ink subscription service that automatically delivers ink only when you’re running low. Plans start at $1.79 a month.”

Of course that price assumes you only print 10 pages a month, but whatever.

I won’t dwell on the specifics on the plan (charging by the page rather than the ink used, reducing your privacy by letting HP and whoever else know when you print 900 pages, etc.). 

Vendor benefits from as a Service

But I will note that HP instant Ink has the same vendor advantage as any other “as a Service” offering:

Increased customer lock-in.

I will speak from my own experience. 

  • When my company sold on-premise solutions to government agencies, they paid from their capital budget and the contract was for a fixed term. After 5 or 7 years or whatever when the contract term expired, the agency’s hardware would be antiquated and it would have to go out to bid again.
  • Later, when my company sold cloud solutions, there was more budgetary flexibility. Some agencies didn’t have to use capital funds; this was a service, after all. And if the vendor was really fortunate, there was no contract term limit either, so the agency could stay with the vendor forever. Obsolescence wasn’t an issue because Amazon or Microsoft took care of that behind the scenes.

HP Instant Ink isn’t a perfect parallel, since it doesn’t include obsolete printer replacement. (But it could.) But the Ink as a Service (IaaS) offering certainly helps lock you in to HP…and to using HP ink rather than third-party ink.

And it’s yet another move from people owning things to people licensing things.

But if it provides a benefit (HP Instant Ink claims “up to” 50% cost savings), then it may be worthwhile.

(Imagen 3)

What is Protected Health Information?

Many laws and regulations impact health information—not just the Health Information Portability and Accountability Act (HIPAA).

But what IS Protected Health Information?

Kirk Nahra and Daniel Solove shared this example in a webinar:

Is “I drink Diet Coke” health information?

  • Maybe it’s not health information at all.
  • Maybe it indicates healthy practices (no sugar).
  • Maybe it indicates unhealthy practices (artificial sweetener use).

The answer isn’t simple.

Comply with Privacy Requirements (4/7)

This is the fourth of seven vendor suggestions I made in my Biometric Update guest post.

“Comply with all privacy laws and regulations. This should be a given, but sometimes vendors are lax in this area. If your firm violates the law, and you are caught, you will literally pay the price.”

Ask companies doing business in the GDPR region, Illinois, Texas, and elsewhere how hefty those fines could be. Meta alone has received billions of dollars of fines in Ireland (EU) and over a billion dollars in Texas.

(Imagen 3)

Driver’s License Data and Third Party Risk Management

It gets real tomorrow, with the enforcement date (sort of) for REAL ID at federal installations and airports. But what about the privacy of the data behind REAL IDs?

Bela Kumar of Jumio Corporation was recently interviewed by CNBC for an article about REAL ID and the data sharing behind it.

As can be expected, some people are very concerned about what this means.

“[C]oncerns persist among privacy professionals that the next step will be a federal database of driver’s license information, which is bad from a privacy and cybersecurity standpoint, said Jay Stanley, a senior policy analyst with the American Civil Liberties Union.

“‘The more information the government has, the more the government might use that information,’ said Jodi Daniels, founder and chief executive of Red Clover Advisors, a privacy consulting company. ‘But that’s not what’s happening now,’ she added.”

Kumar addressed what IS happening now, and whether our personally identifiable information (PII) is protected.

“States have been issuing driver’s licenses for many years, and personal information is already being stored. The expectation is that the same controls apply to Real ID, said Bala Kumar, chief product and technology officer at Jumio, an online mobile payment and identity verification company. ‘States have already been managing this for many years,’ Kumar said.”

If you continue to read the article, you’ll also see a statement from the American Association of Motor Vehicle Administrators that echoes what Jumio said.

But as a former IDEMIA employee, my curiosity was piqued.

Has anyone ever gained unauthorized access to a state driver’s license database?

So I checked, and could not find an example of unauthorized access to a state driver’s license database.

But I DID find an example of unauthorized access to driver’s license DATA that was processed by a third party. The State of Louisiana issued a notice that included the following:

“On May 31, 2023, Progress Software Corporation, which developed and supports the MOVEIt managed file transfer platform, notified all customers across the globe, including [Louisiana Office of Motor Vehicles], of a zero-day vulnerability that an unauthorized party leveraged to access and acquire data without authorization. Upon learning of the incident, immediate measures were taken to secure the MOVEIt environment utilized to transfer files. A thorough investigation was conducted, and it was determined that there was unauthorized acquisition of and access to OMV files in the MOVEIt environment….

“The information varied by individual but included name and one or more of the following: address, date of birth, Social Security number, driver’s license, learner’s permit, or identification card number, height, eye color, vehicle registration information, and handicap placard information.”

Well, at least the hacked data didn’t include weight. Or claimed weight.

Cybersecurity professionals know that you cannot completely prevent these hacks. Which explains the “risk” in third party risk management. Progress Software has been around for a long time; I worked with Progress Software BEFORE I began my biometric career. But these hacks (in this case, CVE-2023-34362 as documented by CISA) can happen to anyone.

Be cautious, and remember that others with good intentions might not be cautious enough.

TSA Photo Requests: “The Current U.S. Government” Can Already Obtain Your Facial Image

There have been many recent stories about Transportation Security Administration (TSA) capture of the facial images of travelers, an outgrowth of the same post-9/11 concerns that resulted in REAL IDs in 2008…I mean 2025. (Maybe.)

One story from HuffPost clearly states its view on the matter. The title of the story? “Why You Can (And Should) Opt Out Of TSA Facial Recognition Right Now.”

I guess we know where HuffPost stands.

As to the “why” of its stance, here’s a succinct statement:

“Do you really want to be submitting a face scan to the current U.S. government?”

And perhaps there are good reasons to distrust the Trump Administration, or any administration. 

After all, the TSA says it only retains the picture for a limited time: “Photos are not stored or saved after a positive ID match has been made, except in a limited testing environment for evaluation of the effectiveness of the technology,”

But maybe…something happens. Someone accidentally forgot to delete the files. Oops.

And if something happens, the federal government has just captured an image of your face!

Guess what? The federal government can probably already get an image of your face, even if you don’t allow TSA to take your photo.

After all, you had to show some sort of identification when you arrived at that TSA checkpoint. Maybe you showed a passport, with a picture that the U.S. State Department received at one point. No, they don’t retain them either. But maybe…something happens.

But who does retain an image of your face?

Your state driver’s license agency. And as of 2019:

“Twenty-one states currently allow federal agencies such as the FBI to run searches of driver’s license and identification photo databases.”

So if a federal agency wants your facial image, it can probably obtain it even if you decline the TSA photo request.

Unless you strictly follow Amish practices. But in that case you probably wouldn’t be going through a TSA checkpoint anyway.

But if you are with a facial recognition company, and you want your prospects and their prospects to understand how your solution protects their privacy…

Bredemarket can help:

  • compelling content creation
  • winning proposal development
  • actionable analysis

Book a call: https://bredemarket.com/cpa/ 

(Security checkpoint picture generated by Imagen 3)

Is Milwaukee Selling PII for Free Facial Recognition Software Access?

(Part of the biometric product marketing expert series)

Perhaps facial recognition product marketers have heard of stories like this. Or perhaps they haven’t.

Tight budgets. Demands that government agencies save money. Is this the solution?

“Milwaukee police are mulling a trade: 2.5 million mugshots for free use of facial recognition technology.

“Officials from the Milwaukee Police Department say swapping the photos with the software firm Biometrica will lead to quicker arrests and solving of crimes.”

Read the article at https://www.jsonline.com/story/news/crime/2025/04/25/milwaukee-police-considering-trading-mugshots-for-facial-recognition-tech/83084223007/

As expected, activists raised all sorts of other concerns about facial recognition in general. But there’s an outstanding question:

What will Biometrica do with the 2.5 million images?

  • Use them for algorithmic training? 
  • Allow other agencies to search them?
  • Something else?
  • And what happens to the images if another company acquires Biometrica and/or its data? (See 23andMe.)

Biometrica didn’t respond to a request for comment.

And other facial recognition vendors operate differently.

How does your company treat customer data?

And how do you tell your story?

Do you have the resources to market your product, or are your resources already stretched thin?

If you need help with your facial recognition product marketing, Bredemarket has an opening for a facial recognition client. I can offer

  • compelling content creation
  • winning proposal development
  • actionable analysis

If Bredemarket can help your stretched staff, book a free meeting with me: https://bredemarket.com/cpa/

(Wheelbarrows from Imagen 3)