Know Your Political Influencer

In an article with a clickbait title, Newsweek reported on the indictment of Massachusetts state Representative Christopher Flanagan on various fraud charges. One of the allegations:

“Beyond the five wire fraud counts, the grand jury also indicted him on one count of falsifying documents related to a campaign flier. The mailer from “Conservatives for Dennis” endorsed Flanagan….[He attributed] “the source of the Mailer to a false persona, ‘Jeanne Louise,’” whom he created for the endorsement….In October 2023, he admitted to OCPF that Jeanne Louise “was fake” and he was the source of the mailer.”

There is so much effort to identify voters. What about identifying the sources of political endorsements?

Does your company have a solution to this? I can help you tell your story. Go to https://bredemarket.com/cpa/.

Looking at One Voter ID State

Back in 2023, I wrote “How to Vote Fraudulently in a Voter ID State.” But that only works if the voter ID state fails to protect its precincts from fake IDs.

Here is an example of voter ID legislation, this one from South Dakota.

12-18-6.1. Voters required to provide identification before voting.

When the voter is requesting a ballot, the voter shall present a valid form of personal identification. The personal identification that may be presented shall be either:

(1)    A South Dakota driver’s license or nondriver identification card;

(2)    A passport or an identification card, including a picture, issued by an agency of the United States government;

(3)    A tribal identification card, including a picture; or

(4)    A current student identification card, including a picture, issued by a high school or an accredited institution of higher education, including a university, college, or technical school, located within the State of South Dakota.

Source:  SL 2003, ch 82, § 1; SL 2004, ch 108, § 3; SL 2006, ch 71, § 1.

As most people know, legislators only define the law in broad strokes. It is up to the executive to figure out the details of how to implement the law.

So how does the South Dakota Board of Elections determine that the presented identification is valid?

Does every precinct worker in South Dakota possess a copy of a guide (such as this one) that includes, among other items:

“Explanation of what the proper alphanumeric sequencing of a South Dakota ID or Driver’s License should be (how many letters, numbers, etc.).”

In addition, does every precinct worker in South Dakota have access to software and equipment (such as this one that uses “white, infrared, ultraviolet and coaxial lights”) that detects deepfake IDs? This one has a $1,600 list price. You can get cheaper ones that only support white light and can’t detect the other security features, but such readers would violate the law.

If the state can negotiate a discount of $1,000 per reader, then you can equip almost 700 precincts for less than $1 million (excluding training and maintenance, and assuming only 1 reader per precinct). A small price to pay for democracy.

Unfortunately, I could not find Regula in the list of certified South Dakota voting equipment. Perhaps South Dakota uses a competitor.

Of course voter ID fraud doesn’t just affect South Dakota, as I previously noted. But even if South Dakota doesn’t equip its precinct workers to reject voters with fake IDs, I’m sure the other states do.

Well, maybe not Alabama.

REAL ID: When Enforcement Isn’t Enforcement

Follow up to the long-standing history of REAL ID enforcement delays.

Lots of delays.

When then-President George W. Bush signed into law the “Real ID Act of 2005,” American adults initially had a May 11, 2008 deadline to ensure their identification documents met federal standards.

For those who didn’t notice, we didn’t all adopt REAL IDs in 2008.

In fact, a few years later I was working on a driver’s license proposal for a state I won’t identify, and the RFP clearly and emphatically stated that REAL ID compliance for the new driver’s license was not…um…OK.

Even during the short history of the Bredemarket blog, the REAL ID enforcement date of May 5, 2023 has been adopted and superseded. And more recently there was a report that that new date of May 7, 2025 would slip.

Well, that won’t happen.

Or will it?

The (so-called) “final” rule

The Transportation Security Administration has published a final rule which clearly states that the REAL ID enforcement date of May 7, 2025 still stands and has not been delayed.

Or perhaps it’s not so clear.

This rule ensures that Federal agencies have appropriate flexibility to implement the card-based enforcement provisions of the REAL ID regulations after the May 7, 2025, enforcement deadline by explicitly permitting agencies to implement these provisions in phases. Under this rule, agencies may implement the card-based enforcement provisions through a phased enforcement plan if they determine it is appropriate upon consideration of relevant factors including security, operational feasibility, and public impact. The rule also requires agencies to coordinate their plans with DHS, make the plans publicly available, and achieve full enforcement by May 5, 2027.

So the enforcement DEADLINE is May 7, 2025, but FULL enforcement will be achieved by May 5, 2027.

Date subject to change.

It’s not only the U.S.

But at least these decades of delays give me an excuse to share a Geico commercial.

And Europe (the continent, not the band) has its own problems with delays to its Entry/Exit System (EES)…and a graduated rollout is proposed.

From https://www.youtube.com/watch?v=1H9FI87HK-s.

Temporary REAL-ity?

Your driver’s license isn’t real forever.

When talking about the validity periods for U.S. driver’s licenses (which vary from state to state) in a February 2024 post, Veriff points out one oft-overlooked part of the REAL ID Act:

“If a document bears the typical Real ID star symbol (or some accepted adaptation of it), meaning it is a Real ID-compliant document, it cannot be valid for longer than 8 years (Section 202(d)(10) of the Real ID Act).”

At the time of Veriff’s post, the REAL ID deadline was due for enforcement on May 7, 2025 after numerous delays. Several months later, in September 2024, the Transportation Security Administration started planning to be flexible about that deadline…

Someday the REAL ID Act will be real…

How to Vote Fraudulently in a Voter ID State

No, I shouldn’t be revealing this information, but if it helps to illustrate how weak so-called “voter ID” law enforcement is, so be it.

Voter ID States

The National Conference of State Legislatures (NCSL) has identified 36 states that presently have some type of “voter ID” requirement, in which the strictest states require a government-issued photo ID.

And this number is increasing. In June, Nebraska approved Legislative Bill 514 which implements voter ID requirements for Nebraska elections beginning in May 2024. Nebraska will be a “strict” voter ID state.

As the NCSL states:

Proponents argue increasing identification requirements can prevent in-person voter impersonation and increase public confidence in the election process. 

From https://www.ncsl.org/elections-and-campaigns/voter-id

The exact IDs that are required vary from state to state, but all states accept a state-issued driver’s license or other state ID (REAL ID or not) as an acceptable form of identification for voting.

Sounds great, right?

But there’s a problem.

Making and detecting fake IDs

    I hope you’re sitting down for this.

    People create fake driver’s licenses.

    This wouldn’t be mistaken for a real driver’s license. At least I hope not. But other fake driver’s licenses are more sophisticated. From https://www.etsy.com/listing/1511398513/editable-little-drivers-license

    These range from the novelty types of driver’s licenses pictured above to ones that are more sophisticated.

    From https://www.youtube.com/watch?v=pYciy7UL2Cc

    Of course, there are ways to detect fake driver’s licenses.

    Transportation Security Administration Checkpoint at John Glenn Columbus International Airport. By Michael Ball – Own work, CC0, https://commons.wikimedia.org/w/index.php?curid=77279000
    • When you present your ID to a Transportation Security Agency official, they place the ID in a specialized machine which, among other things, can detect forgeries.
    • And if you win money at a Las Vegas casino, they will check your ID also before paying out (as an underage friend of mine learned the hard way).

    How can YOU detect a fake ID? Well, you can buy a book such as the “I.D. Checking Guide” or similar reference and compare the presented ID to the examples in the book.

    There are more robust ways to detect a fake ID. Nametag has five suggestions:

    1. Check the hologram. You can do this without using any special tools, so it’s an easy way to spot a fake ID…unless the fraudster has placed a hologram on their document.
    2. Check for tampering. Sometimes this is obvious to the naked eye, sometimes not so obvious. For example, a fraudster may have clumsily pasted another photo on top of the real photo. But maybe the tampering isn’t so obvious.
    3. Inspect the microprint. You’ll need a magnifying glass for this, but if you know what to look for, you can spot fraudulent IDs…unless the fraudster also added the appropriate microprinting to their document.
    4. Look for ultraviolet (UV) features. You’ll need a UV light for this, but again this can reveal forgeries…unless the fraudster also incorporated UV features into their document.
    5. Use Nametag products. These (and similar products from other companies such as Regula) can check for fraud that the untrained eye cannot detect.

    These fraud detection techniques are great if you work for the TSA or a casino full-time and have the appropriate training and equipment to detect fake IDs.

    Enter the untrained, unequipped fraud guardians

    But what about precinct workers?

    They work one or maybe a few days a year, and it’s very doubtful that the elections authorities:

    • Train and test precinct workers in the detection of fraudulent IDs.
    • Provide precinct workers with reference materials, magnifying glasses, ultraviolet lights, or automated hardware and software to detect fraudulent IDs.

    If the precinct workers don’t have the training, equipment, and software, Phineas T. Bailey could walk up to a local precinct, show a fake ID saying that he is Joe Real, and if Joe Real is registered to vote in that precinct, Phineas can go ahead and vote.

    Some security.

    But no one would ever vote with a fake ID…would they?

    “But John,” you say. “No one would ever create a fake ID and use it to vote.”

    Well, let’s look at this ID.

    John Wahl’s Regional Press Secretary identification. From https://www.al.com/news/2022/10/alabama-gop-chairman-made-the-photo-id-he-used-to-vote.html

    On at least two occasions, John Wahl presented the ID above when voting.

    When poll workers asked Alabama GOP Chairman John Wahl for his voter ID, he gave them a card they’d never seen before. He texted this picture of it to the Limestone County Probate judge, who then approved him to vote.

    From https://www.al.com/news/2022/10/alabama-gop-chairman-made-the-photo-id-he-used-to-vote.html

    However, it was subsequently discovered that Wahl made the ID himself.

    (Why? Because Wahl and other members of his family object to biometric identification for religious reasons. Rather than submitting to the standard biometric identification processes used to create driver’s licenses and other government forms of identification, Wahl simply had an unnamed third party create his own ID, with the knowledge of the State Auditor.)

    This incident ended up being a little embarrassing…because John Wahl happens to head the Alabama Republican Party (as of December 2023).

    So how do you fix it?

    If you’re going to insist that people present legitimate IDs for voting, then you need to enforce it, both for people who present IDs in person and for people who present IDs remotely. There are a number of companies that provide hardware and software to verify the legitimacy of driver’s licenses and other government-issued documents.

    Of course, that costs money. Depending upon the solution you choose, it could cost tens or hundreds of millions of dollars to protect the more than 230,000 polling places from identity fraud.

    And some argue that there’s no need to spend a lot of money on this, because voting fraud isn’t a real problem. Even the Heritage Foundation’s 2020 report of “1,285 proven cases of voter fraud” looks a little less dramatic when you consider that there were 161,420,000 registered voters in the United States in 2022. So even if there were, let’s say, 11,000 proven cases of voter fraud, that’s only 0.007% of the total electorate.

    But for now, if you want to vote fraudulently, vote away.

    The Imperfect Way to Enforce New York’s Child Data Protection Act

    It’s often good to use emotion in your marketing.

    For example, when biometric companies want to justify the use of their technology, they have found that it is very effective to position biometrics as a way to combat sex trafficking.

    Similarly, moves to rein in social media are positioned as a way to preserve mental health.

    Now that’s a not-so-pretty picture, but it effectively speaks to emotions.

    “If poor vulnerable children are exposed to addictive, uncontrolled social media, YOUR child may end up in a straitjacket!”

    In New York state, four government officials have declared that the ONLY way to preserve the mental health of underage social media users is via two bills, one of which is the “New York Child Data Protection Act.”

    But there is a challenge to enforce ALL of the bill’s provisions…and only one way to solve it. An imperfect way—age estimation.

    This post only briefly addresses the alleged mental health issues of social media before plunging into one of the two proposed bills to solve the problem. It then examines a potentially unenforceable part of the bill and a possible solution.

    Does social media make children sick?

    Letitia “Tish” James is the 67th Attorney General for the state of New York. From https://ag.ny.gov/about/meet-letitia-james

    On October 11, a host of New York State government officials, led by New York State Attorney General Letitia James, jointly issued a release with the title “Attorney General James, Governor Hochul, Senator Gounardes, and Assemblymember Rozic Take Action to Protect Children Online.”

    Because they want to protect the poor vulnerable children.

    And because the major U.S. social media companies are headquartered in California. But I digress.

    So why do they say that children need protection?

    Recent research has shown devastating mental health effects associated with children and young adults’ social media use, including increased rates of depression, anxiety, suicidal ideation, and self-harm. The advent of dangerous, viral ‘challenges’ being promoted through social media has further endangered children and young adults.

    From https://ag.ny.gov/child-online-safety

    Of course one can also argue that social media is harmful to adults, but the New Yorkers aren’t going to go that far.

    So they are just going to protect the poor vulnerable children.

    This post isn’t going to deeply analyze one of the two bills the quartet have championed, but I will briefly mention that bill now.

    • The “Stop Addictive Feeds Exploitation (SAFE) for Kids Act” (S7694/A8148) defines “addictive feeds” as those that are arranged by a social media platform’s algorithm to maximize the platform’s use.
    • Those of us who are flat-out elderly vaguely recall that this replaced the former “chronological feed” in which the most recent content appeared first, and you had to scroll down to see that really cool post from two days ago. New York wants the chronological feed to be the default for social media users under 18.
    • The bill also proposes to limit under 18 access to social media without parental consent, especially between midnight and 6:00 am.
    • And those who love Illinois BIPA will be pleased to know that the bill allows parents (and their lawyers) to sue for damages.

    Previous efforts to control underage use of social media have faced legal scrutiny, but since Attorney General James has sworn to uphold the U.S. Constitution, presumably she has thought about all this.

    Enough about SAFE for Kids. Let’s look at the other bill.

    The New York Child Data Protection Act

    The second bill, and the one that concerns me, is the “New York Child Data Protection Act” (S7695/A8149). Here is how the quartet describes how this bill will protect the poor vulnerable children.

    With few privacy protections in place for minors online, children are vulnerable to having their location and other personal data tracked and shared with third parties. To protect children’s privacy, the New York Child Data Protection Act will prohibit all online sites from collecting, using, sharing, or selling personal data of anyone under the age of 18 for the purposes of advertising, unless they receive informed consent or unless doing so is strictly necessary for the purpose of the website. For users under 13, this informed consent must come from a parent.

    From https://ag.ny.gov/child-online-safety

    And again, this bill provides a BIPA-like mechanism for parents or guardians (and their lawyers) to sue for damages.

    But let’s dig into the details. With apologies to the New York State Assembly, I’m going to dig into the Senate version of the bill (S7695). Bear in mind that this bill could be amended after I post this, and some of the portions that I cite could change.

    The “definitions” section of the bill includes the following:

    “MINOR” SHALL MEAN A NATURAL PERSON UNDER THE AGE OF EIGHTEEN.

    From https://www.nysenate.gov/legislation/bills/2023/S7695, § 899-EE, 2.

    This only applies to natural persons. So the bots are safe, regardless of age.

    Speaking of age, the age of 18 isn’t the only age referenced in the bill. Here’s a part of the “privacy protection by default” section:

    § 899-FF. PRIVACY PROTECTION BY DEFAULT.

    1. EXCEPT AS PROVIDED FOR IN SUBDIVISION SIX OF THIS SECTION AND SECTION EIGHT HUNDRED NINETY-NINE-JJ OF THIS ARTICLE, AN OPERATOR SHALL NOT PROCESS, OR ALLOW A THIRD PARTY TO PROCESS, THE PERSONAL DATA OF A COVERED USER COLLECTED THROUGH THE USE OF A WEBSITE, ONLINE SERVICE, ONLINE APPLICATION, MOBILE APPLICATION, OR CONNECTED DEVICE UNLESS AND TO THE EXTENT:

    (A) THE COVERED USER IS TWELVE YEARS OF AGE OR YOUNGER AND PROCESSING IS PERMITTED UNDER 15 U.S.C. § 6502 AND ITS IMPLEMENTING REGULATIONS; OR

    (B) THE COVERED USER IS THIRTEEN YEARS OF AGE OR OLDER AND PROCESSING IS STRICTLY NECESSARY FOR AN ACTIVITY SET FORTH IN SUBDIVISION TWO OF THIS SECTION, OR INFORMED CONSENT HAS BEEN OBTAINED AS SET FORTH IN SUBDIVISION THREE OF THIS SECTION.

    From https://www.nysenate.gov/legislation/bills/2023/S7695

    So a lot of this bill depends upon whether a person is over or under the age of eighteen, or over or under the age of thirteen.

    And that’s a problem.

    How old are you?

    The bill needs to know whether or not a person is 18 years old. And I don’t think the quartet will be satisfied with the way that alcohol websites determine whether someone is 21 years old.

    This age verification method is…not that robust.

    Attorney General James and the others would presumably prefer that the social media companies verify ages with a government-issued ID such as a state driver’s license, a state identification card, or a national passport. This is how most entities verify ages when they have to satisfy legal requirements.

    For some people, even some minors, this is not that much of a problem. Anyone who wants to drive in New York State must have a driver’s license, and you have to be at least 16 years old to get a driver’s license. Admittedly some people in the city never bother to get a driver’s license, but at some point these people will probably get a state ID card.

    You don’t need a driver’s license to ride the New York City subway, but if the guitarist wants to open a bank account for his cash it would help him prove his financial identity. By David Shankbone – Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=2639495
    • However, there are going to be some 17 year olds who don’t have a driver’s license, government ID or passport.
    • And some 16 year olds.
    • And once you look at younger people—15 year olds, 14 year olds, 13 year olds, 12 year olds—the chances of them having a government-issued identification document are much less.

    What are these people supposed to do? Provide a birth certificate? And how will the social media companies know if the birth certificate is legitimate?

    But there’s another way to determine ages—age estimation.

    How old are you, part 2

    As long-time readers of the Bredemarket blog know, I have struggled with the issue of age verification, especially for people who do not have driver’s licenses or other government identification. Age estimation in the absence of a government ID is still an inexact science, as even Yoti has stated.

    Our technology is accurate for 6 to 12 year olds, with a mean absolute error (MAE) of 1.3 years, and of 1.4 years for 13 to 17 year olds. These are the two age ranges regulators focus upon to ensure that under 13s and 18s do not have access to age restricted goods and services.

    From https://www.yoti.com/wp-content/uploads/Yoti-Age-Estimation-White-Paper-March-2023.pdf

    So if a minor does not have a government ID, and the social media firm has to use age estimation to determine a minor’s age for purposes of the New York Child Data Protection Act, the following two scenarios are possible:

    • An 11 year old may be incorrectly allowed to give informed consent for purposes of the Act.
    • A 14 year old may be incorrectly denied the ability to give informed consent for purposes of the Act.

    Is age estimation “good enough for government work”?

    I Changed My Mind on Age Estimation

    (Part of the biometric product marketing expert series)

    I’ll admit that I previously thought that age estimation was worthless, but I’ve since changed my mind about the necessity for it. Which is a good thing, because the U.S. National Institute of Standards and Technology (NIST) is about to add age estimation to its Face Recognition Vendor Test suite.

    What is age estimation?

    Before continuing, I should note that age estimation is not a way to identify people, but a way to classify people. For once, I’m stepping out of my preferred identity environment and looking at a classification question. Not “gender shades,” but “get off my lawn” (or my tricycle).

    Age estimation uses facial features to estimate how old a person is, in the absence of any other information such as a birth certificate. In a Yoti white paper that I’ll discuss in a minute, the Western world has two primary use cases for age estimation:

    1. First, to estimate whether a person is over or under the age of 18 years. In many Western countries, the age of 18 is a significant age that grants many privileges. In my own state of California, you have to be 18 years old to vote, join the military without parental consent, marry (and legally have sex), get a tattoo, play the lottery, enter into binding contracts, sue or be sued, or take on a number of other responsibilities. Therefore, there is a pressing interest to know whether the person at the U.S. Army Recruiting Center, a tattoo parlor, or the lottery window is entitled to use the service.
    2. Second, to estimate whether a person is over or under the age of 13 years. Although age 13 is not as great a milestone as age 18, this is usually the age at which social media companies allow people to open accounts. Thus the social media companies and other companies that cater to teens have a pressing interest to know the teen’s age.

    Why was I against age estimation?

    Because I felt it was better to know an age, rather than estimate it.

    My opinion was obviously influenced by my professional background. When IDEMIA was formed in 2017, I became part of a company that produced government-issued driver’s licenses for the majority of states in the United States. (OK, MorphoTrak was previously contracted to produce driver’s licenses for North Carolina, but…that didn’t last.)

    With a driver’s license, you know the age of the person and don’t have to estimate anything.

    And estimation is not an exact science. Here’s what Yoti’s March 2023 white paper says about age estimation accuracy:

    Our True Positive Rate (TPR) for 13-17 year olds being correctly estimated as under 25 is 99.93% and there is no discernible bias across gender or skin tone. The TPRs for female and male 13-17 year olds are 99.90% and 99.94% respectively. The TPRs for skin tone 1, 2 and 3 are 99.93%, 99.89% and 99.92% respectively. This gives regulators globally a very high level of confidence that children will not be able to access adult content.

    Our TPR for 6-11 year olds being correctly estimated as under 13 is 98.35%. The TPRs for female and male 6-11 year olds are 98.00% and 98.71% respectively. The TPRs for skin tone 1, 2 and 3 are 97.88%, 99.24% and 98.18% respectively so there is no material bias in this age group either.

    Yoti’s facial age estimation is performed by a ‘neural network’, trained to be able to estimate human age by analysing a person’s face. Our technology is accurate for 6 to 12 year olds, with a mean absolute error (MAE) of 1.3 years, and of 1.4 years for 13 to 17 year olds. These are the two age ranges regulators focus upon to ensure that under 13s and 18s do not have access to age restricted goods and services.

    From https://www.yoti.com/wp-content/uploads/Yoti-Age-Estimation-White-Paper-March-2023.pdf

    While this is admirable, is it precise enough to comply with government regulations? Mean absolute errors of over a year don’t mean a hill of beans. By the letter of the law, if you are 17 years and 364 days old and you try to vote, you are breaking the law.
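    To put numbers on the 11-year-old and 14-year-old scenarios from the Child Data Protection Act post, and on why a vendor would report "estimated as under 25" rather than "under 18," here is an added example (not Yoti's code or method) that turns the quoted MAE figures into error rates at a legal age line and at a buffered cutoff. It assumes the estimation error is zero-mean Gaussian, which the white paper excerpts do not state, and all function names are hypothetical.

```python
import math

# MAE figures quoted on this page from Yoti's March 2023 white paper.
MAE_6_TO_12 = 1.3   # years
MAE_13_TO_17 = 1.4  # years


def sigma_from_mae(mae):
    """Assumption: error is zero-mean Gaussian, so MAE = sigma * sqrt(2/pi)."""
    return mae * math.sqrt(math.pi / 2)


def mae_for_age(true_age):
    """Pick the quoted MAE for the age band the person really belongs to."""
    return MAE_6_TO_12 if true_age < 13 else MAE_13_TO_17


def prob_estimated_at_least(true_age, cutoff):
    """P(estimated age >= cutoff) for a person whose real age is true_age."""
    sigma = sigma_from_mae(mae_for_age(true_age))
    z = (cutoff - true_age) / sigma
    return 0.5 * math.erfc(z / math.sqrt(2))  # upper tail of the normal


def error_rates(legal_age, buffer_years, ages):
    """Wrong-decision probability per true age when the operator only
    passes people whose estimate is >= legal_age + buffer_years."""
    cutoff = legal_age + buffer_years
    rows = []
    for age in ages:
        p_pass = prob_estimated_at_least(age, cutoff)
        if age < legal_age:
            rows.append((age, "false accept", p_pass))
        else:
            rows.append((age, "false reject", 1.0 - p_pass))
    return rows


def smallest_buffer(legal_age, true_age, max_false_accept, step=0.5):
    """Smallest buffer (in `step` increments) that keeps the false-accept
    rate for an under-age person of true_age at or below the target."""
    buffer_years = 0.0
    while prob_estimated_at_least(true_age, legal_age + buffer_years) > max_false_accept:
        buffer_years += step
    return buffer_years


if __name__ == "__main__":
    ages = [11, 12, 13, 14]  # the ages around the bill's age-13 line
    for buf in (0, 3):
        print(f"cutoff = 13 + {buf} years")
        for age, kind, p in error_rates(13, buf, ages):
            print(f"  true age {age}: {kind} {p:.1%}")
    print("buffer for <=1% false accepts of 12-year-olds:",
          smallest_buffer(13, 12, 0.01), "years")
```

    Under these assumptions a bare age-13 cutoff wrongly passes roughly one in nine 11-year-olds and wrongly rejects more than a quarter of 14-year-olds; a three-year buffer nearly eliminates the first error while rejecting most real 14-year-olds, who would then need another way to prove their age.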

    Why did I change my mind?

    Over the last couple of months I’ve thought about this a bit more and have experienced a Jim Bakker “I was wrong” moment.

    I was wrong for two reasons.

    Kids don’t have government IDs

    I asked myself some questions.

    • How many 13 year olds do you know that have driver’s licenses? Probably none.
    • How many 13 year olds do you know that have government-issued REAL IDs? Probably very few.
    • How many 13 year olds do you know that have passports? Maybe a few more (especially after 9/11), but not that many.

    Even at age 18, there is no guarantee that a person will have a government-issued REAL ID.

    So how are 18 year olds, or 13 year olds, supposed to prove that they are old enough for services? Carry their birth certificate around?

    You’ll note that Yoti didn’t target a use case for 21 year olds. This is partially because Yoti is a UK firm and therefore may not focus on the strict U.S. laws regarding alcohol, tobacco, and casino gambling. But it’s also because it’s much, much more likely that a 21 year old will have a government-issued ID, eliminating the need for age estimation.

    Sometimes.

    In some parts of the world, no one has government IDs

    Over the past several years, I’ve analyzed a variety of identity firms. Earlier this year I took a look at Worldcoin. While Worldcoin’s World ID emphasizes privacy so much that it does not conclusively prove a person’s identity (it only proves a person’s uniqueness), and makes no attempt to provide the age of the person with the World ID, Worldcoin does have something to say about government issued IDs.

    Online services often request proof of ID (usually a passport or driver’s license) to comply with Know your Customer (KYC) regulations. In theory, this could be used to deduplicate individuals globally, but it fails in practice for several reasons.

    KYC services are simply not inclusive on a global scale; more than 50% of the global population does not have an ID that can be verified digitally.

    From https://worldcoin.org/blog/engineering/humanness-in-the-age-of-ai

    But wait. There’s more:

    IDs are issued by states and national governments, with no global system for verification or accountability. Many verification services (i.e. KYC providers) rely on data from credit bureaus that is accumulated over time, hence stale, without the means to verify its authenticity with the issuing authority (i.e. governments), as there are often no APIs available. Fake IDs, as well as real data to create them, are easily available on the black market. Additionally, due to their centralized nature, corruption at the level of the issuing and verification organizations cannot be eliminated.

    Same source as above.

    Now this (in my opinion) doesn’t make the case for Worldcoin, but it certainly casts some doubt on a universal way to document ages.

    So we’d better start measuring the accuracy of age estimation.

    If only there were an independent organization that could measure age estimation, in the same way that NIST measures the accuracy of fingerprint, face, and iris identification.

    You know where this is going.

    How will NIST test age estimation?

    Yes, NIST is in the process of incorporating an age estimation test in its battery of Face Recognition Vendor Tests.

    NIST’S FRVT Age Estimation page explains why.

    Facial age verification has recently been mandated in legislation in a number of jurisdictions. These laws are typically intended to protect minors from various harms by verifying that the individual is above a certain age. Less commonly some applications extend benefits to groups below a certain age. Further use-cases seek only to determine actual age. The mechanism for estimating age is usually not specified in legislation. Face analysis using software is one approach, and is attractive when a photograph is available or can be captured.

    In 2014, NIST published a NISTIR 7995 on Performance of Automated Age Estimation. The report showed using a database with 6 million images, the most accurate age estimation algorithm have accurately estimated 67% of the age of a person in the images within five years of their actual age, with a mean absolute error (MAE) of 4.3 years. Since then, more research has dedicated to further improve the accuracy in facial age verification.

    From https://pages.nist.gov/frvt/html/frvt_age_estimation.html

    Note that this was in 2014. As we have seen above, Yoti asserts a dramatically lower error rate in 2023.

    NIST is just ramping up the testing right now, but once it moves forward, it will be possible to compare age estimation accuracy of various algorithms, presumably in multiple scenarios.

    Well, for those algorithm providers who choose to participate.

    Does your firm need to promote its age estimation solution?

    Does your company have an age estimation solution that is superior to all others?

    Do you need an experienced identity professional to help you spread the word about your solution?

    Why not consider Bredemarket? If your identity business needs a written content creator, look no further.

    Alaska HB389 does NOT repeal REAL ID. But it has a “foreign ownership” clause.

    The title of Alaska HB389, introduced last month, sounds grandiose:

    “An Act repealing the implementation of the federal REAL ID Act of 2005; relating to identification cards; relating to drivers’ licenses; and providing for an effective date.”

    Does HB389 prevent Alaska from issuing REAL IDs?

    When you read the title of the bill, alarms go off in your head.

    If the title is true, it’s a true setback. After many years, the entire country (perhaps minus a territory or two) has finally gotten on board with REAL ID in advance of the due date, and now one of the states is pulling out.

    Except that when you read the detail of the bill (at least as originally written; it could change in committee), it doesn’t repeal Alaska’s compliance with REAL ID.

    As Chris Burt notes in a Biometric Update post, it only provides an option for the Alaska Division of Motor Vehicles to issue an identification card that is non-REAL ID compliant. This is no different from any other state (for example, California) that issues non-REAL ID cards that are “not for federal purposes” or “not for federal identification” or “federal limits apply.”

    So Alaskans, don’t panic. If you want to get a REAL ID to board a plane, you can still do this. Note the [BRACKETED ALL CAPS] text in Section 1 of HB389 as originally written, illustrated below.

    So Alaska can still issue “federally compliant” (i.e., REAL ID) driver’s licenses.

    But what about foreign ownership?

    But as long as I was reading the text of the bill, I thought I’d see what else it proposed to change, and ran across this text in Section 4.

    Now THAT caught my eye. (Alaska Statutes Chapter 15 is the portion of the statutes that governs driver’s licenses in general, so this clause affects EVERYTHING.)

    If your company is 94% U.S.-owned, that’s not good enough in Alaska.

    (Well, at least until Putin decides that Edouard de Stoeckl’s 1867 sale of Alaska was illegal…)

    The signing of the Alaska Treaty of Cessation on March 30, 1867. Left to right: Robert S. Chew, William H. Seward, William Hunter, Mr. Bodisco, Eduard de Stoeckl, Charles Sumner, and Frederick W. Seward. By Emanuel Leutze (d. 1868) – http://www.akhistorycourse.org/articles/article.php?artID=202, Public Domain, https://commons.wikimedia.org/w/index.php?curid=4246381

    Most if not all U.S. state agencies do not produce driver’s licenses themselves, but instead contract with private companies to do the work. These private companies either produce the licenses at state agency offices, or produce them as a service (DLaaS) at a secure production center (which may produce licenses for multiple states). To my knowledge, all of the production centers for U.S. driver’s licenses are located within the United States.

    But who are the “private entities” that provide driver’s license manufacturing services? Let’s look at the major ones and see if they’re affected by Section 4 of the draft of Alaska HB389.

    IDEMIA

    It is a matter of public record that the majority of U.S. states use IDEMIA to produce their driver’s licenses, either within agency offices or in secure IDEMIA production centers. When I was an employee of IDEMIA, I did not have the necessary security clearance to enter any of these production centers. Employees should only have the security permissions that they need, and my job had no need for me to access the PII of IDEMIA’s driver’s license customers, or to enter the facilities in which these secure documents are manufactured. There are security requirements governing this.

    …our state-of-the-art central issuance facilities…are highly secure and meet North American Security Products Organization (NASPO) Level I security requirements. 

    From https://na.idemia.com/dmv/physical-drivers-licenses-and-id-cards/

    We’ll return to NASPO later in this post.

    As I’ve noted before, IDEMIA is (currently) majority owned by Advent International, a U.S. based investment firm. IDEMIA entered the U.S. driver’s license market by acquiring Morpho (French), which had previously acquired MorphoTrust/L-1 Identity Solutions (U.S.), which had previously acquired Digimarc’s ID Systems business (also U.S.).

    And, as I’ve noted, Advent International will probably choose to sell IDEMIA at some point in the future.

    However, Advent International is not the exclusive owner of IDEMIA, because part of the company is owned by Bpifrance, which is (drumroll) French.

    Alaska’s HB389, if passed in its original form, would prohibit the state from “communicating” personally identifying information (PII) to a private entity with more than five percent foreign ownership. I do not know the percentage that Bpifrance owns (all of the press releases failed to include that little tidbit), so I don’t know if IDEMIA would run afoul of the law or not.

    HB389, if unmodified, is just one thing that any company that purchases IDEMIA must keep in mind.

    IDEMIA doesn’t produce Alaska driver’s licenses. Who does?

    But that doesn’t matter, because IDEMIA isn’t the Alaska driver’s license vendor anyway. That contract is controlled by another company.

    Austin, TX – October 31, 2018 – Gemalto (Euronext NL0000400653 GTO),  and Alaska’s Division of Motor Vehicles will continue their work of providing credentials to citizens with the additional goal of helping the state become Real ID compliant by increasing security of the state’s driver’s license and identification cards.

    From https://www.thalesgroup.com/en/markets/digital-identity-and-security/government/press-release/alaska-extends-contract-with-gemalto-to-enhance-drivers-license-security

    Gemalto (a Dutch company) was subsequently acquired by Thales, which is a French company. Gemalto entered the U.S. driver’s license market when it acquired Marquis ID Systems.

    Now I do not know the details of Alaska’s contract with Thales, but it stands to reason that if Thales is “providing credentials to citizens” (implying a service bureau relationship), then at some point the state is going to have to “convey, distribute, or communicate” PII to Thales.

    Other vendors

    But don’t worry. IDEMIA and Thales are not the only driver’s license manufacturers out there, so you don’t have to worry about foreigners getting your data. Just select an American company!

    For example, Veridos can provide driver’s licenses. Veridos is a joint venture between Giesecke+Devrient and Bundesdruckerei…whoops, that’s not a U.S. company.

    And there’s another driver’s license manufacturer out there. It’s called…Canadian Bank Note.

    There’s also Valid, which is…Brazilian.

    Let’s look at NASPO

    Despite the fact that these entities are foreign-owned, all of them (either on their own, or through parents or acquired companies) are members of NASPO, and many of them have NASPO certification.

    So what?

    NASPO international was formed as the North American Security Products Organization.  The non-profit organization was founded in 2002 by companies and individuals in industry that recognized the need for security focused standards to prevent fraudulent acts that support criminal and terrorist activity….

    NASPO INTERNATIONAL was formed to combat the ever increasing amount of fraud within the areas of brand protection, document security, and identity.  Our focus is to produce credible, structured, and, when appropriate, certifiable standards.  NASPO INTERNATIONAL has created a risk reduction standard and auditing process to certify security focused organizations.  This structure also provides the end user with the ability to create a secure supply chain from supplier to end users.

    From https://naspo.info/about-us/faq/

    From my point of view, NASPO tries to achieve what HB389 clumsily tries to achieve by its “minimal foreign ownership” clause. 100% U.S. ownership does not guarantee the security of your data, and 94% U.S. ownership does not guarantee that your data will wind up in a foreign capital.

    So what happens next?

    I have no idea whether HB389 will get passed, but unless it is substantially amended, Alaskans can still get REAL ID driver’s licenses so that they can board planes, enter secure federal facilities, and the like without getting a passport or other authorized document.

    But I’m not sure what’s going to happen regarding the foreign ownership clause. Maybe people at some of the firms listed above are already looking into this.

    But if my assumptions on HB389 are correct, and it passes with Section 4 intact, perhaps Alaska may not be able to rely on a private entity to provide driver’s licenses as a service (DLaaS). In that case, the state will have to produce its own driver’s licenses, free from foreign influence.

    A view of 9/11 from the 9/11 Commission’s border counsel

    There are different ways to look at 9/11. I’m familiar with the reconstructions of Vice President Cheney’s actions in Washington on that day, and of President Bush as he flew around the country on that day (the only plane in the sky).

    But what about the activities of the hijackers on that day, and in the months preceding that day?

    All of this was examined by the 9/11 Commission. As a result of its investigation, this body made significant recommendations, some of which have only taken nearly two decades to implement, assuming they ARE implemented as (re) scheduled.

    Janice Kephart was border counsel to the 9/11 Commission, and has been involved in homeland security ever since that time. She is currently CEO and Owner of Identity Strategy Partners.

    As the 20th anniversary of 9/11 approaches, Kephart has released a documentary. As she explains, the documentary contains a wealth of information from the 9/11 Commission’s investigation of the hijackers, much of which was never officially released. Her hope:

    If we are never to forget, we must educate. That is the purpose of this documentary. It is history, it is legacy, from the person who knows the details of the hijacker’s border story and has continued to live it for the past 20 years. I hope it resonates and educates.

    When listening to Kephart’s documentary, keep in mind how much our world has changed since 9/11. Yes, you went through a security screening before you boarded a plane, but it was nothing like the security screenings that we’ve gotten used to in the last 20 years. Before 9/11, you could walk all the way up to the gate to send off departing passengers or greet arriving ones. And identity documents were not usually cross-checked against biometric databases to make sure that applicants were telling the truth.

    I personally was not as familiar with the stories of the hijackers as I was with the stories of Bush and Cheney. The documentary provides a wealth of detail on the hijackers. (Helpful hint: don’t be afraid to pause the video when necessary. There’s a lot of visual information to absorb.)

    Toward the end of the documentary, Kephart concentrates on Mohamed Atta’s return to the U.S. in January 2001, when his tourist visa had already expired and his student visa application was still pending. Kephart notes that Atta shouldn’t have been allowed back into the country, but that he was let in anyway. Atta’s January 2001 entry is discussed in detail in a separate report (see section III.B).

    (Incidentally, Atta’s student visa application wasn’t approved until July 2001, and his flight school wasn’t notified until 2002.)

    Kephart wonders what might have happened if Mohamed Atta had been denied re-entry into the United States in January 2001 because of the visa irregularities. Since Atta was the ringleader and the driving force behind the attack, would the denial of entry have delayed or even terminated the 9/11 attack plans?

    If you want to view the documentary, it is hosted on YouTube.

    In this post, “NGI” stands for Non-Governmental Identity

    I admit to my biases.

    As a former long-time employee of a company that provides finger and face technology for the Federal Bureau of Investigation’s Next Generation Identification (NGI) system, as well as driver’s license and passport technology in the United States and other countries, I am reflexively accustomed to thinking of a proven identity in governmental terms.

    Because the government is always here to help.

    From World War II. By Packer, poster artist, Artist (NARA record: 8467744) – U.S. National Archives and Records Administration, Public Domain, https://commons.wikimedia.org/w/index.php?curid=16929857

    What this means in practice is that whenever I see a discussion of a proven identity, I reflexively assume that the identity was proven through means of some type of governmental action.

    • Perhaps the identity was tied to a driver’s license identity maintained by a state agency (and checked against other states via AAMVA’s “State to State” to ensure that there are no duplicate identities).
    • Or perhaps the identity was proven via the use of a database maintained by a government agency, such as the aforementioned NGI or perhaps a database such as the CODIS DNA database.

    However, I constantly have to remind myself that not everyone thinks as I do, and that for some people an identity proven by governmental means is the worst possible scenario.

    Use of DNA for humanitarian efforts

    Take an example that I recently tweeted about.

    I recently read an article from Thermo Fisher Scientific, which among other things provides a slew of DNA instruments, software, and services for both traditional DNA and rapid DNA.

    One of the applications of DNA is to prove family relationships for migrants, especially after families were separated after border crossings. This can be done in a positive sense (to prove that a separated parent and child ARE related) or in a negative sense (to prove that a claimed parent and child are NOT related). However, as was noted in a webinar I once attended, DNA is unable to provide any verification of legitimate adoptions.

    Regardless of the purpose of using DNA for migrants, there is a certain level of distrust among the migrants when the government says (presumably in Spanish), “We’re the government. We’re here to help.” You don’t have to be a rabid conspiracy theorist to realize that once DNA data is captured, there is no technical way to prevent the data from being shared with every other government agency. Certain agencies can establish business rules to prevent such sharing, but those business rules can include wide exceptions or the rules can be ignored entirely.

    Therefore, Thermo Fisher Scientific decided to discuss humanitarian DNA databases.

    As a result of migration, human trafficking and war, humanitarian databases are a relatively new concept and are often completely separate from criminal databases. Research has shown that family members may distrust government databases and be reluctant to report the missing and provide reference samples (1). Humanitarian databases are repositories of DNA profiles from reported missing persons, relative reference samples, and unknown human remains and may be managed by non-governmental organizations (NGOs), though in some instances they may be managed by a governmental institution but kept separate from criminal databases. Examples of humanitarian databases can be found in the United States (NamUs, University of North Texas HDID), Canada (Royal Canadian Mounted Police), Australia (National DNA Program for unidentified and missing persons) and internationally via the International Commission on Missing Persons (ICMP).

    As you can see from the list, some of these databases ARE managed by government police agencies such as the RCMP. But others are not. The hope, of course, is that migrants would be willing to approach the humanitarian folks precisely BECAUSE they are not the police. Reluctance to approach ANY agency may be dampened by a desire to be reunited with a missing child.

    And these non-governmental efforts can work. The Colibri Center claims to have performed 142 identifications that would not have been made otherwise.

    Reluctance to set national standards for mobile driver’s licenses

    Because of my (biased) outlook, mobile driver’s licenses and other applications of government-proven digital identity seem like a wonderful thing. The example that I often bore you with is the example of buying a drink at a bar. If someone does this with a traditional driver’s license, the bartender not only learns the drinker’s birthdate, but also his/her address, (claimed) height and weight, and other material irrelevant to the “can the person buy a drink?” question. With a mobile driver’s license, the bartender doesn’t even learn the person’s birthdate; the bartender only learns the one important fact that the drinker is over 21 years of age.

    Some people are not especially wowed with this use case.

    The DHS Request for Comment has finally closed, and among the submissions is a joint response from the American Civil Liberties Union, Electronic Frontier Foundation (EFF), & Electronic Privacy Information Center (EPIC). The joint response not only warns about potential misuse of government digital identities, but also questions the rush of establishing them in the first place.

    We believe that it is premature to adopt industry standards at this time as no set of standards has been completed that fully takes advantage of existing privacy-preserving techniques. In recent decades we have seen the emergence of an entire identity community that has been working on the problems of online identity and authorization. Some within the identity community have embraced centralized and/or proprietary systems…

    You can imagine how the ACLU, EFF, and EPIC feel about required government-managed digital identities.

    Is a Non-Governmental Identity (NGI) feasible and reliable?

    Let’s return to the ACLU/EFF/EPIC response to the DHS Request for Comment, which mentions an alternative to centralized, proprietary maintenance of digital identities. This is the alternative that I’m referring to as NGI just to cause MAC (massive acronym confusion).

    …others are animated by a vision of “self-sovereign identity” that is decentralized, open source, privacy-preserving, and empowering of individuals. That movement has created a number of proposed systems, including an open standard created by the World Wide Web Consortium (W3C) called Verifiable Credentials (VCs)….

    DHS should refuse to recognize IDs presented within centralized identity systems. If a standard digital identity system is to be accepted by the federal government, it must be created in an open, transparent manner, with the input of multiple stakeholders, and based upon the self-sovereign identity concept. Such a system can then be used by federal government agencies to view identity credentials issued by state departments of motor vehicles (DMVs) where doing so makes sense. If standards based on self-sovereign identity are not considered mature enough for adoption, efforts should be directed at rectifying that rather than at adopting other systems that raise privacy, security, and autonomy risks.

    For all practical purposes, the chances of the ACLU/EFF/EPIC convincing the Department of Homeland Security to reject government-proven identities are approximately zero. And since DHS controls airport access, you probably won’t see an airport security agent asking for your Verifiable Credentials any time soon. Self-sovereign identities are just as attractive to government officials as sovereign citizens.

    Who issues Verifiable Credentials?

    As ACLU/EFF/EPIC noted, Verifiable Credentials are still under development, just as the centralized system standards are still under development. But enough advances have been made so that we have somewhat of an idea what they will look like. As Evernym notes, there is a trusted triangle of major players in the Verifiable Credentials ecosystem:

    There are a number of directions in which we can go here, but for the moment I’m going to concentrate on the Issuer.

    In the current centralized model being pursued in the United States, the issuers are state driver’s license agencies that have “voluntarily” consented to agree to REAL ID requirements. Several states have issued digital versions of their driver’s licenses which are recognized for various purposes at the state level, but are not yet recognized at the federal level. (The purpose of the DHS Request for Comment was to solicit thoughts on federal adoption of digital identities. Or, in the case of some respondents, federal NON-adoption of digital identities.)

    Note that in the Verifiable Credentials model, the Issuer can be ANYBODY who has the need to issue some type of credential. Microsoft describes an example in which an educational institution is an Issuer that represents that a student completed particular courses.

    Without going into detail, the triangle of trust between Issuers, Verifiers, and Holders is intended to ensure that a person is who they say they are. And to the delight of the ACLU et al, this is performed via Decentralized Identifiers (DIDs), rather than by centralized management by the FBI or the CIA, the BBC, B. B. King, Doris Day, or Matt Busby. (Dig it.)
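The bar example and the Issuer/Holder/Verifier triangle described above, as an added sketch (not code from this post, nor from any vendor or standard it names). It assumes one common approach, salted-hash selective disclosure, and uses a Lamport one-time signature as a standard-library stand-in for the issuer's real signature algorithm; every function name and the sample licence are constructed for illustration.

```python
import hashlib
import json
import secrets

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Lamport one-time signature: stdlib-only stand-in (assumption) for the
# issuer's production signature algorithm. One key pair signs ONE credential.
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk

def _bits(msg: bytes):
    d = _h(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def verify_sig(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(_h(sig[i]) == pk[i][bit] for i, bit in enumerate(_bits(msg)))

def digest(name, value, salt) -> str:
    # The per-attribute random salt stops a verifier from brute-forcing
    # undisclosed low-entropy values (a birth date has few possibilities).
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def issue(sk, attributes: dict) -> dict:
    """Issuer: salt and hash every attribute, then sign only the digest list."""
    disclosures = {n: (secrets.token_hex(16), v) for n, v in attributes.items()}
    digests = sorted(digest(n, v, s) for n, (s, v) in disclosures.items())
    signed = json.dumps({"digests": digests}).encode()
    return {"signed": signed, "sig": sign(sk, signed), "disclosures": disclosures}

def present(credential: dict, names) -> dict:
    """Holder: reveal salt and value only for the attributes being asked for."""
    return {"signed": credential["signed"], "sig": credential["sig"],
            "disclosed": {n: credential["disclosures"][n] for n in names}}

def verify(pk, presentation: dict):
    """Verifier: returns the disclosed attributes, or None if anything fails."""
    if not verify_sig(pk, presentation["signed"], presentation["sig"]):
        return None  # not signed by the issuer we trust
    digests = set(json.loads(presentation["signed"])["digests"])
    checked = {}
    for name, (salt, value) in presentation["disclosed"].items():
        if digest(name, value, salt) not in digests:
            return None  # value or salt was altered after issuance
        checked[name] = value
    return checked

# Constructed sample licence data, not a real record.
SAMPLE = {"family_name": "Doe", "birth_date": "1990-01-01",
          "address": "1 Example St", "weight_lb": 180, "age_over_21": True}

if __name__ == "__main__":
    issuer_sk, issuer_pk = keygen()
    licence = issue(issuer_sk, SAMPLE)
    shown = present(licence, ["age_over_21"])
    print("bartender learns:", verify(issuer_pk, shown))
    salt, _ = shown["disclosed"]["age_over_21"]
    shown["disclosed"]["age_over_21"] = (salt, False)
    print("after tampering:", verify(issuer_pk, shown))
```

The sketch leaves out holder binding (proof that the presenter is the person the credential was issued to) and revocation, both of which a deployed system needs on top of the signature check.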

    But NGIs are not a cure-all

    Despite the fact that they are not controlled by governments, and despite the fact that users (at least theoretically) control their own identities, no one should think that digital identities are the solution to all world problems…even when magic paradigm-shifting words like “blockchain” and “passwordless” are attached to them.

    Here’s what McKinsey has said:

    …even when digital ID is used with good intent, risks of two sorts must be addressed. First, digital ID is inherently exposed to risks already present in other digital technologies with large-scale population-level usage. Indeed, the connectivity and information sharing that create the value of digital ID also contribute to potential dangers. Whether it is data breaches and cyber-intrusions, failure of technical systems, or concerns over the control and misuse of personal data, policy makers around the world today are grappling with a host of potential new dangers related to the digital ecosystem.

    Second, some risks associated with conventional ID programs also pertain in some measure to digital ID. They include human execution error, unauthorized credential use, and the exclusion of individuals. In addition, some risks associated with conventional IDs may manifest in new ways as individuals newly use digital interfaces. Digital ID could meaningfully reduce many such risks by minimizing opportunity for manual error or breaches of conduct.

    In addition, many of these digital identity initiatives are being pursued by large firms such as IBM and Microsoft. While one hopes that these systems will be interoperable, there is always the danger that the separate digital identity systems from major firms such as IBM and Microsoft may NOT be interoperable, in the same way that the FBI and DHS biometric systems could NOT talk to each other for several years AFTER 9/11.

    And it’s not only the large companies that are playing in the market. Shortly after I started writing this post, I ran across this LinkedIn article from the Chief Marketing Officer at 1Kosmos. The CMO makes this statement in passing:

    At 1Kosmos, we’ve taken our FIDO2 certified platform one step further with a distributed identity based on W3C DID standards. This removes central administration of the database via a distributed ledger for true “privacy by design,” putting users in sole access and control of their identity.

    1Kosmos, IBM, and Microsoft know what they’re talking about here. But sadly, some people only think these technologies are “cool” because they’re perceived as anti-government and anti-establishment. (As if these companies are going to call for the downfall of capitalism.)

    Which identity(ies) will prevail?

    Back to governmental recognition of NGI.

    Don’t count on it.

    Anticipated DHS endorsement of government-issued digital identities doesn’t mean that NGI is dead forever, since private companies can adopt (and have adopted) any identity system that they wish.

    So in truth we will probably end up with a number of digital identities like we have today (I, for example, have my WordPress identities, my Google identities, and countless others). The difference, of course, is that the new identities will be considered robust – or won’t be, when centralized identity proponents denigrate decentralized identities and vice versa.

    But frankly, I’m still not sure that I want Facebook to know how much I weigh.

    (Although, now that I think about it, Apple already knows.)