U.S. Identification System Run by Foreigners

The Nightmare Called The Real ID

Are we safer today than before 9/11? It was the 9/11 Commission that said we must know a person is who they say they are before issuing the person a driver's license or other ID credentials. Almost 17 years after 9/11, states are still not performing the fundamental task of verifying birth certificates, nor are they ensuring that driver's licenses do not get issued to people who are using the birth certificates of deceased people.

Recently, the Cybersecurity Director for Oklahoma acknowledged as a fact that Oklahoma has unwittingly utilized software or code of Russian origin for fingerprinting. Other states and the federal government have also used the software/algorithm that originated with a Russian biometrics company.

This admission came as a result of the Legislative Data Security Working Group, spearheaded by Oklahoma State Representative Lewis Moore, which was formed to look into the allegations that Russian software/source code has been incorporated into our biometric technology and also the fact that birth certificates are still not being verified by the state.

Former Oklahoma State Representative Charles Key was asked by Representative Moore to attend the meeting and ask questions. Former Representative Key and Representative Moore both opposed the Real ID Act 2005. Representative Key's knowledge of what Oklahoma has done with regard to Real ID and biometrics was instrumental during the questioning of witnesses.

The inadvertent use of such sensitive technology derived from a foreign adversary is not a unique story limited to the State of Oklahoma. Any State Department of Motor Vehicles (DMV) that has contracts with the vendor known formerly as MorphoTrust USA or MorphoTrust, now Idemia, faces the same potential cybersecurity threat. Oklahoma is unique, however, in its level of legislative inquisitiveness into the matter and also the degree of transparency demonstrated by its Cybersecurity Director.

This issue is not limited to the states either. Important agencies and departments of our federal government, including the FBI, used this very same biometric and credential company as the DMV.

This particular biometric corporation, one that is contracted by many states' DMVs, as well as top agencies and departments of the federal government, has merged with other companies and changed names so many times over the years that it is difficult to keep up with them. Here are a few names to know: Safran, a French defense technology conglomerate, sold the (biometric) identity portion of their business over a year ago to Advent. Advent used one of its subsidiaries, Oberthur, to merge with Safran's previously owned biometric and credential companies, which included MorphoTrust USA. The new company is called Idemia. Idemia is the current incarnation of the biometric corporation that is doing business with all levels of our government, providing biometric identification technology and services.

Here is another name to know, Papillon. Papillon (Papillon Software and Technology) is the Russian company that sold their fingerprinting software/algorithm to the French defense company, Safran. According to multiple whistleblowers, Papillon is intimately (if not officially) connected to the Russian military and the Federal Security Service (FSB). Two of the whistleblowers willingly placed themselves under penalty of law by providing affidavits attesting to the fact.

According to these whistleblowers, the Russian technology for fingerprinting was, and possibly is, being used in other countries as well.

The Constitutional Alliance first wrote about the allegations by whistleblowers who worked in some capacity with Safran, Sagem and/or subsidiaries of Safran and/or Sagem, in August 2017. Our first goal was determining the truthfulness of the allegation that Safran had in fact made a secret deal with the Russian biometric company Papillon. Our second goal was to be able to confirm that Safran used the Russian software/algorithm in the United States through its U.S. subsidiary MorphoTrust USA.

The whistleblowers traveled to the United States to provide testimony to the Oklahoma Legislative Data Security Working Group, where the state's Cybersecurity Director confirmed their assertions regarding Safran's secret deal with the Russian company and that, at the least, the Russian algorithm did find its way into use in the United States, provided by MorphoTrust USA.

Now the big question is whether or not the Russian software passed on to Safran and subsequently sold by its subsidiary, MorphoTrust, to the states and the federal government of the United States is infected with some type of malicious coding or a backdoor.

The Constitutional Alliance acknowledges that we have neither the resources nor the expertise to properly evaluate this potential threat. We do not believe individual states have the resources to make a determination either. We have been told by multiple experts that MorphoTrust USA/Idemia would need to hand over the source code to the federal government for examination in order for a determination to be made.

The federal government is the only entity that has the resources, and the leverage necessary, to compel MorphoTrust USA/Idemia to open up the coding for inspection.

But we harbor doubt that this will happen as our federal government has invested billions of dollars in Safran/MorphoTrust/Idemia. Furthermore, the State Department, our intelligence agencies, the FBI, DHS, the Department of Defense, and other federal entities all have used and are using MorphoTrust USA/Idemia biometric technology.

Should our government change vendors because MorphoTrust USA/Safran did not disclose years ago when it applied to do business in the United States that it was using a Russian software and/or a Russian algorithm? It could take many months for a new vendor to be chosen to provide biometrics. What would happen in the meantime? Would our government stop issuing ID credentials that currently require a person to submit to fingerprint collection?

The discovery of malicious code in this technology that is so widely used and interconnected with our nation's most sensitive security infrastructure would lead to considerable disruption.

Questions are being asked but nobody in the government seems to want to talk about the threat or risk the public losing confidence in biometrics. Not now. Short of congressional hearings about how the situation could have happened in the first place, we are left with whatever we are told by whichever federal agency does respond to media inquiries, if any do respond.

If there is malicious coding in the Russian software/algorithm, how would state and local government go about removing it? How would our government know that the coding has not been changed during the last ten years? Is it possible coding used up to three years ago did have malicious coding, but was changed after the vendor knew its secret deal with the Russian biometric company was going to be exposed?

It is critical for our government to know when any company is using software of any type that originated with one of our country's adversaries. Obviously, the Oklahoma Director of Cybersecurity agreed, or he would not have contacted other state cybersecurity directors to help determine how much of a threat was the software/algorithm that originated with the Russian biometric company Papillon. If, or when, the federal government confronts MorphoTrust USA/Idemia, it will be further evidence that MorphoTrust USA/Safran should have been completely honest when contracting with our government about using the Russian company's software/algorithm.

According to the whistleblowers and the evidence we have reviewed, it appears that Safran was concerned that if it were forthright about the deal with the Russian biometric company, it would not have received contracts from our government.

We have learned one thing for sure, and that is The Committee on Foreign Investment in the United States (CFIUS) must do a better job of vetting foreign companies before allowing those companies to do business in the United States. Perhaps the protocol for allowing companies to do business in the United States needs to be changed.

It is our position that there must be congressional hearings specifically about how the CFIUS approves foreign companies to do business in the United States. The CFIUS is under the Treasury Department and comprised of cabinet members of the administration in power. This is not a Democrat, Republican, or Independent issue. This is an issue of national security. CFIUS approved Safran in 2011 to do business in the United States.

These same congressional hearings should assure the public that if and when some agency or department of the federal government does respond to the question of whether there is malicious coding, that federal entity must appear before Congress and make its findings public. It is one thing for a federal agency or department to make a statement to the media, but it is totally another thing to provide testimony to Congress under oath. Congress must also answer why we are using foreign companies to provide technology that allows those companies access to our government's most sensitive databases.

Confirmation that the government is indeed aware of the Russian-origin biometric software was eye-opening, but this was not the only concerning issue to emerge from the Legislative Data Security Working Group. What was learned about states not verifying birth certificates was equally disturbing.

Program Manager Anthony Stout of the Electronic Verification of Vital Events (EVVE), and State Registrar and Oklahoma representative for the National Association of Public Health and Information Systems (NAPHSIS), and Ms. Kelly Baker, provided oral testimony similar to what the Constitutional Alliance has been warning people about for over ten years. Program Manager Anthony Stout also provided written testimony.

Here is what was revealed: the states are not verifying birth certificates, nor are they conducting what is called a Fact of Death (FOD) query. The result is that states cannot say they know a person is who they say they are before issuing driver's licenses, whether those licenses are Real ID compliant licenses or not. In addition, states currently cannot ensure the same birth certificate is not being used by multiple people in multiple states. Finally, states cannot guarantee that they are not issuing driver's licenses to people who provide the birth certificates of deceased people.

The Commissioner of the Department of Public Safety, a department that oversees the issuance of driver's licenses in Oklahoma, has previously acknowledged Oklahoma was not verifying birth certificates. Oklahoma is not alone. No other states are verifying all birth certificates. States understand this is a serious issue. A few states are verifying what birth certificates they can but attention to this fundamental step in identification is conspicuously absent across our nation.

Program Manager Anthony Stout of EVVE also stated that biometrics do not, in and of themselves, establish identity. Biometrics must be connected/linked to breeder and/or source documents such as a birth certificate to establish identity. Program Manager Stout also stated that biometrics are not needed to establish identity, or to know if a person has more than one driver's license in their own name, or the names of others.

EVVE and NAPHSIS do not require that copies of the birth certificate or death certificates be transmitted between states in order for verification to take place. The verification process is extensive, but is done by queries and cross checking.

Forty-nine states and a number of territories have already completed centralizing and digitizing their birth certificates and death certificates. Of the 49 states, a few states have not digitized their birth certificates and death certificates. In these few states, the paper copies of the birth certificates and death certificates are in the process of being digitized; a process expected to be completed within one year.

Each state has control of the birth certificates and death certificates issued in their respective states; there is no federal database of birth certificates and death certificates nor does there need to be one. This is what EVVE was designed for - Electronic Verification of Vital Events, birth certificates, and death records, FOD queries. With funding of $6 million EVVE/NAPHSIS can be fully operational in less than one year with all fifty states. Everyone should be calling their members of Congress demanding that NAPHSIS and EVVE be funded with the $6 million needed. Every day that goes by that NAPHSIS and EVVE are not funded with the money they need is another day that our national security is at great risk.

The truth is the Real ID Act 2005 was never needed to verify our identity. States could have strengthened the integrity of their driver's licenses and the procedures for issuing driver's licenses without the federal government. What Real ID has done is given the federal government, for all intents and purposes, control over state driver's licenses.

The cost of the Real ID Act has been well over $10 billion. States have spent millions of dollars, with some states already spending well over $10 million to comply with the Real ID Act. Even today, nobody can say what Real ID's final cost will be to the federal government or to states. So much money is being wasted on something that gives too much power and control to the government, which was never intended by our founding fathers.

People should know that even today people can fly on a commercial airliner with no identification credentials. The Constitutional Alliance is not suggesting people do not take their IDs to airports, but we do want you to know that citizens as well as state and federal elected officials were told that starting in January 2018, people would not be able to fly on a commercial airliner without a Real ID compliant driver's license, a passport, or other federally issued accepted ID. Now, that date has been amended until 2020. Who knows if even then, people will need a Real ID compliant driver's license, a passport, or other federally issued accepted ID. To date, no regulations have been changed to require ID to fly, despite the constant media hype saying otherwise.

If you look at the Constitutional Alliance's State-to-State Identity Verification System (SSIVS), which we proposed over 10 years ago, you will find we proposed a solution that is very close to what EVVE and NAPHSIS can do with just $6 million in funding.

Perceived security is worse than no security. When perceived security does exist, the measures that are needed for real security are not pursued. We are not safer today than we were before 9/11 because of the simple lack of verifying birth certificates and failing to cross reference by Fact of Death queries.

NAPHSIS's Fact of Death queries are much more accurate than checking the Social Security Administration's database, which can take weeks to be updated with information about recent deaths. Fact of Death queries are done based on information states make accessible to NAPHSIS and are updated daily. Normally, a Fact of Death query provides information within just a few days of a person's death. It is also more accurate than the Social Security Administration's database because the Social Security Administration's database is riddled with errors, over 13 million errors by many accounts. To further illustrate what we are saying about the birth certificates of deceased people being used to obtain driver's licenses.

The 9/11 Commission released a report stating we must know a person is who they say they are before a state issues the person a driver's license. The commission also stated that people getting multiple licenses under one name or different names in different states was a major problem.

Acknowledgements

America Restored has identified the foremost expert on Real ID: it is the Constitutional Alliance, and we have come alongside them to assist in stopping this attack on our freedoms. They have been warning people in and out of government about the use of Russian technology by our DMV officials and by other agencies and departments of state and the federal government. They have reported on birth certificates not being verified and that Fact of Death queries must be done whenever a person presents a birth certificate to acquire a driver's license. Please consider assisting us with a generous donation marked Real ID so we can financially support this effort and this organization. We will never stop informing others of the truth, but we need your help to continue to provide information you will not get anywhere else. Please share this article with everyone you are in contact with, and ask them to do the same.

God Bless these United States of America!