Tag Archives: real id

California Voter Proof of Identity AND Citizenship: How?

(Imagen 4)

This post provides an update on election integrity, which I haven’t discussed since March.

The update? Assemblymember Carl DeMaio wants to put a proposition on the 2026 California ballot that achieves three purposes:

  • “[R]equire the state to verify proof of citizenship when a person registers to vote.”
  • Require voters to “provide identifications at the polls.”
  • “Those who vote through mail-in ballots would have to give the last four digits of a government-issued ID such as a Social Security number.”

Let’s go through these…backwards.

Mail-in ballots

The third proposal about authenticating mail-in ballots is silly. 

The mere fact that someone knows the last four digits of a Social Security Number does NOT prove that the person is the valid holder of the Social Security Number in question. 

Frankly, I’m surprised that DHS released Leonardo Garcia Venegas just because he knew a Social Security Number. Of course, I’m also surprised that they determined his REAL ID was fake.

In-person ballots

Which brings us to the second proposal about requiring a government ID for in-person voting. 

I’ve already addressed why this is silly. The short version? Election precinct workers have neither the equipment nor the training to tell whether a government ID is real or fake.

Not an official government-issued ID. From https://www.al.com/news/2022/10/alabama-gop-chairman-made-the-photo-id-he-used-to-vote.html.

Voter registration…and re-registration

That only leaves the first one, proving citizenship at voter registration. This one is technically feasible; the feds do it all the time. The California Secretary of State could merely adapt the federal I-9 process to the state level; I’m sure Janice Kephart and her company ZipID would love to help the state with that.

Especially since the requirement for election integrity dictates that all of California’s existing voters would need to re-register to prove their citizenship.

All 22+ million of them.

Because if you DO NOT require all California voters to re-register, the whole exercise is pointless.

You Can START the REAL ID Application Process Online

The Federal Trade Commission sort of got it wrong.

“If you want to use your driver’s license to fly, you’ll need a REAL ID. If you don’t have one yet, your state’s Department of Motor Vehicles (DMV) is the place to go, and they’re only taking in-person appointments.”

The FTC is attempting to warn against scammers who claim to offer REAL ID services and then defraud you.

But at least in California, you can START the REAL ID application process online. At the California DMV website, of course.

“During the online REAL ID application process, you will be prompted to upload documents that prove identity (e.g., valid passport or birth certificate) and residency (e.g., utility bill, bank statement).”

But you can’t do EVERYTHING online.

“Uploading images of these documents online will save you time when you visit the DMV office to complete your application so don’t skip this step. Bring the original documents submitted online to your REAL ID appointment.”

But whatever you do, don’t upload your documents to “the-real-id dot cn.”

Enhanced Driver’s License (EDL) vs. REAL ID

Unlike a REAL ID, which merely proves lawful presence in the United States, an Enhanced Driver’s License (EDL) also proves citizenship.

The catch? Only certain states bordering Canada offer them.

Originally developed for both U.S. and Canadian use as part of the Western Hemisphere Travel Initiative, as of May 2025 EDLs are only offered by the states of Michigan, Minnesota, New York, Vermont, and Washington. California considered issuing EDLs, but rejected the idea because of privacy concerns surrounding the underlying RFID technology.

No Canadian province offers EDLs any more. The last province, Manitoba, discontinued them in 2022.

Leonardo Garcia Venegas is a U.S. Citizen…but REAL ID Holders Don’t Have to Be

The Parnas Perspective offered its take on Garcia’s story. From Parnas’ post:

“Authorities allegedly dismissed the ID as fake and used force to detain him, with bystanders shouting that he was a citizen.”

Also listen to the accompanying video (which states that Garcia was born in Florida), and see my prior post.

Non-citizen REAL IDs? Sure.

One important clarification: non-citizens CAN obtain a REAL ID…provided that they are lawfully in the country and hold certain documents.

Here are California’s non-citizen REAL ID requirements, which are federally acceptable:

“This includes all U.S. citizens, permanent residents who are not U.S. citizens (Green Card holders), and those with temporary legal status, such as recipients of Deferred Action for Childhood Arrivals (DACA) or Temporary Protected Status (TPS) and holders of a valid student or employment visa. For Californians with temporary legal status, their REAL ID DL/ID card will expire on the same date as their U.S. legal presence document, and they can receive a new card with a documented extension of their legal status.”

(Imagen 4)

Leonardo Don’t Lose That Number

You know that I’ve railed against solely relying on knowledge-based authentication: for example, by relying on a person’s knowledge of a name and a birthdate to gain access to protected health information.

What when knowledge-based authentication receives HIGHER trust than other proofs of identity?

There is a story about Leonardo Garcia Venegas, who was working in Foley, Alabama. Apparently he was caught up in an immigration raid. So Garcia, who is a U.S. citizen, did the intelligent thing: he brought out his REAL ID, a document that can only be issued to someone after they prove they are a U.S. citizen.

Except…

“Garcia told Noticias Telemundo that authorities took his ID from his wallet and told him it was fake before handcuffing him.”

So how did he finally get released?

“Garcia said he was released from the vehicle where he was held after he gave the arresting officials his Social Security number, which showed he is a U.S. citizen.”

So apparently having a REAL ID counts for nothing, while being able to rattle off a Social Security Number counts as proof?

Frequent fliers and voters take note.

(Imagen 4)

Proposals and “Weasel Words”

Have you ever used the phrase “weasel word”? Here’s how Merriam-Webster defines it:

“a word used in order to evade or retreat from a direct or forthright statement or position”

I don’t know how weasels became the subject of a negative phrase like this, but here we are.

I learned the phrase “weasel word” when I started working in proposals. I’ve been writing proposals for nearly 15 years, and I’ve run into many cases where I don’t comply with the written word of a mandatory requirement, and I end up having to…evade or retreat.

I’ve adopted my share of favorite weasel words over the years. I’m not going to give away any of my secrets in this public forum, but you’ve probably heard me rant about the government weasel wording regarding REAL ID “enforcement”:

“This rule ensures that Federal agencies have appropriate flexibility to implement the card-based enforcement provisions of the REAL ID regulations after the May 7, 2025, enforcement deadline by explicitly permitting agencies to implement these provisions in phases….The rule also requires agencies to coordinate their plans with DHS, make the plans publicly available, and achieve full enforcement by May 5, 2027.”

As I have ranted repeatedly, the REAL ID enforcement DEADLINE is May 7, 2025, but FULL enforcement will be achieved by May 5, 2027. There are enough weasel words to distract from the fact that full enforcement is not taking place on May 7, 2025.

“Flexibility,” “implement in phases”…I’m taking notes. The next time I respond to a DHS RFI, I may use some of these.

Because Bredemarket does respond to Requests for Information, Requests for Proposal, and similar documents. One of Bredemarket’s clients recently received an award, with possible lucrative add-on work in the future.

Does your identity/biometric or technology conpany want the government to give you money? I can help. Talk to me: https://bredemarket.com/cpa/

Bredemarket’s “CPA.” The P stands for Proposal.

(Weasel picture Keven Law • CC BY-SA 2.0; https://commons.wikimedia.org/wiki/File:Mustela_nivalis_-British_Wildlife_Centre-4.jpg)

This is What REAL ID “Enforcement” Looks Like: Not Compelling at All

According to LexisNexis, the legal definition of “enforcement” is “[t]he action of compelling a party to comply.”

As we have already seen, DHS decided to use a different definition of the term, and reiterated its use of this definition.

What does enforcement mean at JFK, LaGuardia, and Newark as of May 8?

“Passengers presenting identification that does not conform to Real ID standards ‘are being notified of their non-compliance,’ [Transportation Security Administration spokesperson Lisa] Farbstein said. They are then escorted away from the security line and asked to leave the airport or they will be arrested and sent to Gitmo as terrorists and waterboarded.”

Whoops, I appear to have made a typo and misquoted North Jersey. Here is what is ACTUALLY happening:

“Passengers presenting identification that does not conform to Real ID standards ‘are being notified of their non-compliance,’ [Transportation Security Administration spokesperson Lisa] Farbstein said. They may then be directed to a separate area for additional screening.”

That ain’t “compelling” at all. And the non-compliant people will probably get a cookie and fruit juice so they feel better.

Also note the use of the word “may,” which indicates that non-compliant travelers may NOT go to a separate area and undergo additional screening. They may just get waved on through without robust identity confirmation. And still get the cookie and fruit juice.

I will admit that this is probably unavoidable. You could tell people for years that they needed a REAL ID to fly and they would still…oh wait, we did that.

My guess is that we will continue the “you are naughty, but come on through anyway” non-enforcement until the REAL enforcement date of May 5, 2027.

Subject to extension….again.

Unless someone without a REAL ID slips through and does bad things. Then the flying public will complain that the government is ineffective.

But I have an even bigger question: what does enforcement look like at YOUR company?

(Imagen 3)

As We Predicted, REAL ID Won’t Be Fully Enforced

So much for my 15 seconds of fame with my Biometric Update guest post. Let’s move on to more important things.

Like the (finally!) enforcement of REAL ID at midnight EDT Wednesday May 7.

Not really.

We already knew that REAL ID enforcement wouldn’t be fully enforced.

“This rule ensures that Federal agencies have appropriate flexibility to implement the card-based enforcement provisions of the REAL ID regulations after the May 7, 2025, enforcement deadline by explicitly permitting agencies to implement these provisions in phases….The rule also requires agencies to coordinate their plans with DHS, make the plans publicly available, and achieve full enforcement by May 5, 2027.”

And Secretary of Homeland Security Kristi Noem just confirmed this.

“’If it’s not compliant, they may be diverted to a different line, have an extra step, but people will be allowed to fly,’ Noem said at a U.S. House hearing on Tuesday. ‘This is a security issue.’”

So when WILL it be enforced? Memorial Day? Thanksgiving? May 5, 2027? Ever?

Of course, it’s not going to be easy for those without a passport, REAL ID, or other acceptable form of identification. They will undergo a little investigation, humiliation, and if they cross their fingers rehabilitation.

(Imagen 3)

Driver’s License Data and Third Party Risk Management

It gets real tomorrow, with the enforcement date (sort of) for REAL ID at federal installations and airports. But what about the privacy of the data behind REAL IDs?

Bela Kumar of Jumio Corporation was recently interviewed by CNBC for an article about REAL ID and the data sharing behind it.

As can be expected, some people are very concerned about what this means.

“[C]oncerns persist among privacy professionals that the next step will be a federal database of driver’s license information, which is bad from a privacy and cybersecurity standpoint, said Jay Stanley, a senior policy analyst with the American Civil Liberties Union.

“‘The more information the government has, the more the government might use that information,’ said Jodi Daniels, founder and chief executive of Red Clover Advisors, a privacy consulting company. ‘But that’s not what’s happening now,’ she added.”

Kumar addressed what IS happening now, and whether our personally identifiable information (PII) is protected.

“States have been issuing driver’s licenses for many years, and personal information is already being stored. The expectation is that the same controls apply to Real ID, said Bala Kumar, chief product and technology officer at Jumio, an online mobile payment and identity verification company. ‘States have already been managing this for many years,’ Kumar said.”

If you continue to read the article, you’ll also see a statement from the American Association of Motor Vehicle Administrators that echoes what Jumio said.

But as a former IDEMIA employee, my curiosity was piqued.

Has anyone ever gained unauthorized access to a state driver’s license database?

So I checked, and could not find an example of unauthorized access to a state driver’s license database.

But I DID find an example of unauthorized access to driver’s license DATA that was processed by a third party. The State of Louisiana issued a notice that included the following:

“On May 31, 2023, Progress Software Corporation, which developed and supports the MOVEIt managed file transfer platform, notified all customers across the globe, including [Louisiana Office of Motor Vehicles], of a zero-day vulnerability that an unauthorized party leveraged to access and acquire data without authorization. Upon learning of the incident, immediate measures were taken to secure the MOVEIt environment utilized to transfer files. A thorough investigation was conducted, and it was determined that there was unauthorized acquisition of and access to OMV files in the MOVEIt environment….

“The information varied by individual but included name and one or more of the following: address, date of birth, Social Security number, driver’s license, learner’s permit, or identification card number, height, eye color, vehicle registration information, and handicap placard information.”

Well, at least the hacked data didn’t include weight. Or claimed weight.

Cybersecurity professionals know that you cannot completely prevent these hacks. Which explains the “risk” in third party risk management. Progress Software has been around for a long time; I worked with Progress Software BEFORE I began my biometric career. But these hacks (in this case, CVE-2023-34362 as documented by CISA) can happen to anyone.

Be cautious, and remember that others with good intentions might not be cautious enough.

The Present Reality of REAL ID Federal-State Tensions

Driver’s license vendors already know about the states’ decades-long resistance to REAL ID, and I bet you do too.

Anthony Kimery of Biometric Update put a fundamental truth succinctly:

“The saga of the REAL ID pushback reveals a deep and ongoing tension at the heart of American governance: the friction between national imperatives and state autonomy.”

Kimery’s article, “Twenty years later the REAL ID debate refuses to go away,” captures the history of this federal-state tension over the years. 

Beginning with some states telling the federal government to get out of their affairs, as well as expressing budgetary concerns about federal mandates that the federal government wouldn’t fund, Anthony Kimery’s REAL ID tale concludes with all the states and territories achieving technical compliance with REAL ID…two decades later.

(Why did the states surrender to the federal REAL ID mandates? Because as much as the states complained about federal overreach…in the end the federal government controlled the airports. If you wanted to fly, you had to get a federal passport…or bend your state driver’s license to the federal rules. And you might recall that airport security was the whole reason for REAL IDs in the first place.)

At the end of Kimery’s story, concerns have come full circle. States that maintained that they have the right to determine how they issue their own driver’s licenses are angry at how OTHER states exercise the right to issue THEIR own driver’s licenses.

“Early this year,…Wyoming passed legislation invalidating out-of-state driver’s licenses issued to undocumented immigrants.”

Maybe we need a national ID?

If you’re curious about what Bredemarket has said about REAL ID over the years, I’ve collected a few samples:

And if your company sells driver’s license services, but your staff is too swamped to tell your story, you can obtain the services of a consultant who can create 22 (or more) types of internal and external content. Contact Bredemarket: https://bredemarket.com/cpa/

(Image: Transportation Security Administration Checkpoint at John Glenn Columbus International Airport. By Michael Ball – Own work, CC0, https://commons.wikimedia.org/w/index.php?curid=77279000.)