By Susan Fenimore Dworak and Cristina Jerney[1]
ID Checking Regulations
Most jurisdictions have no set standard for checking ID, making legal compliance complex and confusing. It does not have to be this way. Well-thought-out and carefully drafted compliance plans can serve to protect businesses, workers, and communities from a number of dangers and also ensure workers have the information needed to make informed choices when it comes to confirming identity. We must collectively adopt and enforce policies that support a new industry standard and legal standard for checking ID and confirming identity.
Government agencies regulate products and services across many industries to protect people. Access to those products and services requires confirmation of age or identity. Millions of workers are required to check IDs as a daily part of their job duties, but many, if not most, have never been properly trained to check IDs to confirm identity. For example, when it comes to the sale and service of alcohol in the US, those who do seek training typically attend a 2- to 4-hour responsible beverage service class, and during that time hear an average of 10 short minutes on ID checking. Given the risks caused by fake IDs, that is unacceptable.
There are hundreds of versions of real IDs in circulation in the US, and there are large numbers (millions, in fact) of sophisticated fake IDs on the market. Those fake IDs are built to fool devices like ID scanners, leaving the ID-checking process up to the humans who have not been adequately trained. Properly checking IDs is effective, but current solutions are inadequate. This makes compliance with checking ID and confirming identity very difficult.
The cost of noncompliance is high, and there are large, costly, and increasing problems with fake IDs. One fake ID used once can cause massive legal and financial damage to businesses and government agencies and also untold heartache for society. According to law enforcement, the Las Vegas shooter reportedly checked into the hotel with a fake ID, the Oklahoma City bomber rented a truck with a fake ID, and the 9/11 terrorists used a series of fake IDs to carry out their acts (the federal government responded in part by enacting the Real ID Act).[2] Fake IDs are also used in human trafficking, trading exotic animals, financial fraud, identity theft, and countless other crimes. As fake IDs become more sophisticated, they not only threaten businesses and people who check IDs, but also communities and society as a whole.
The answer to mitigating risk in person-to-person transactions is mandating specific ID training for frontline gatekeepers. These gatekeepers are critical to the ID checking process because they can not only see and feel security features on government-issued IDs, but they can also observe and assess behavioral nuances often associated with the use of a fake ID. They also have the innate ability to conduct human facial recognition to confirm identity, matching the person presenting the ID to the photo on the ID. These are tasks no device can collectively perform.
Understanding Real and Fake IDs
To understand the importance of mandating training, it’s important to understand IDs. To understand fake IDs, it helps to first understand real IDs. In the US, there are 59 jurisdictions that issue government driver’s licenses and ID cards: 50 states, one district (Washington, DC), five US territories, and three freely associated states. At any given time, each jurisdiction has a number of valid ID versions—and variations of those versions—in circulation, resulting in hundreds of currently valid IDs in the US. These versions are updated periodically, and new versions are released over time, making it impossible to memorize every ID.
All of those IDs contain three kinds of security features: overt, covert, and forensic. Overt features can be easily seen with the eyes and felt with the hands. Covert features can be revealed with a simple tool, such as a flashlight, UV light, or magnifier. Forensic features require special equipment—typically available to law enforcement or government—with the exception of simple machine-readable technology, such as barcodes and magnetic stripes, both of which can be read by simple scanners or scanning apps because they are both half a century old and easily forged.
The American Association of Motor Vehicle Administrators (AAMVA) creates standards for the design of driver’s licenses and ID cards to improve the security of the cards and the “interoperability among cards issued by all North American jurisdictions.”[3] States spend millions of dollars on complex security features to make it more difficult to counterfeit IDs, including visual and tactile features meant for inspection by sight and touch. If gatekeepers fail to use visual perception and manual dexterity to confirm these features, the expertise of the AAMVA and the expenditure by Departments of Motor Vehicles are squandered.
The problem is that many (in fact, most) gatekeepers don’t know what security features to look for and feel on IDs and, as noted, it is impossible to memorize hundreds of IDs with extreme variations in overt, covert, and forensic security features. When people are trained to properly and thoroughly check IDs and are given access to current ID images, they can tell the difference between real and forged security features. The human senses, and specifically sight and touch, are the best defense in detecting fake IDs in person-to-person transactions.
The Future of IDs
The plastic driver’s license card is the number one form of ID for most Americans—at least for now. There are 330 million people in the US[4] and more than 227 million licensed driver IDs in circulation.[5] With that many driver’s licenses in circulation, it will be years before the plastic driver’s license card is phased out. However, eventually, the card will meet its digital destiny and take a number of different electronic forms. We can empower gatekeepers with a new set of ID checking standards to support them in their critical gatekeeping position, and this includes keeping pace with advances in IDs in their current (tangible) and future (digital) states.
Mobile IDs. Mobile IDs, such as mobile driver’s licenses, are driver’s licenses in digital format viewed on cell phones. Because they are digital, they are very easy to forge with simple photo-editing software. Bad actors are already forging visual effects for security features that, for example, articulate and morph into wave patterns. These features are easily replicated to appear real. Only when gatekeepers are provided resources to tell the difference can they spot fake IDs.
Biometrics. Biometrics are human physical characteristics such as fingerprints, irises, and DNA unique to each individual. It will be some time before systems using biometrics are affordable and effective enough for broad commercial use. Using these systems in controlled environments such as airports guarded by uniformed, highly trained, armed guards is far different from using them at a retail outlet. Without proper safeguards, using these systems involves giving up biometric data, creating costly personal and identity security risks.
Blockchain. Blockchain is simply a process of storing data, including identity data. As a form of identification, blockchain provides a digital identity, and like any other digital identity, it cannot guarantee the security of personally identifiable information—or even physical identity of the person using the technology. Humans are still required to verify and confirm identity.
In short, blockchain offers peer-to-peer identification, which results in a change in authority, shifting identification control away from governments. This challenges compliance officials to protect citizens from the risks and unintended consequences of this new technology. Businesses involved in blockchain identity must accept the risk of liability. If this responsibility is not shifted to businesses to confirm physical identity, the burden is placed on government agencies, and consequently, the cost is placed on taxpayers. Blockchain allows for collaboration and connectivity but also represents a grand opportunity for fraud—trillions of dollars worldwide.
Current Methods of Checking ID
There is no consistency, and often little guidance, in regulations concerning in-person ID checking and identity confirmation, leaving many businesses and workers at a loss when it comes to properly checking ID. Complicating matters, technology companies market ID scanners as solutions that “verify identity” or “authenticate ID” when the devices are doing nothing of the sort. The fake IDs flooding the market today are built to fool scanners, and they are so sophisticated that they are fooling high-tech scanners—even police and airport scanners. Consequently, it has become challenging for those who check IDs to verify an identity or confirm age, which poses compliance risks.
Currently there are three methods available for checking ID: books, training, and ID scanners. None are fully adequate for learning the variety of real IDs or catching the sophisticated fake IDs currently on the market.
ID Checking Books. ID checking books are small paperbacks that contain indistinct photos of one or two IDs together with short, undetailed descriptions of security features. The books are updated annually, so the images and information are often outdated by the time the books go to print. The books are not comprehensive, so they do not cover all current versions of IDs. Consequently, books lack the depth and detail that enable gatekeepers to differentiate between real and fake IDs.
Online and Live Training. Given the high turnover rates of frontline staff in most industries, there is a constant and recurring need for training. For businesses that sell and serve regulated products, fewer than 20 states mandate a responsible vendor program and nearly half of those states do not mention ID checking as part of the required curriculum. This is unacceptable. A license to sell regulated products and services is a privilege that carries with it the responsibility to control access to those products and services.
States that mandate ID checking often fall short of providing the most up-to-date content required to check IDs and to spot fakes, given the speed at which real IDs change and fake IDs flood the market. It’s suggested by some states that training be renewed “every few years.” This is not frequent enough to keep up with changes to government-issued IDs, changes in technology, and changes in the level of sophistication of fake IDs. Training typically covers obvious steps in checking IDs, such as viewing the birth date and ID’s expiration date, but when it comes to security features, the training is lacking. Gatekeepers need far more updated training with far more depth and detail.
ID Scanners. Today’s sophisticated fake IDs are built to fool scanners. Years ago, a scanner may have been an effective means for checking ID, but that is no longer the case. Scanners use outdated technology—simply reading barcodes and magnetic stripes developed more than half a century ago. Both are effortlessly deciphered and forged with online resources and simple, affordable tools like reencoders. Similarly, scanners with optical character recognition and ink detection are also not effective. Detailed templates with artwork, patterning, microprint, font, color, ink, and other relevant details for all US driver’s licenses and ID cards are available online, so putting it together to create a very realistic fake ID is relatively easy. Criminals know which states are easier than others to forge and exploit vulnerabilities.
Scanning an ID is convenient, but it is not an excuse for not properly and thoroughly checking an ID. Swiping a card through a slot in a scanner or tapping a scanning app is not “training” and should not be accepted as a valid defense to an ID violation. If we allow this “easy out” as an affirmative defense, companies may buy and use scanners not to prevent the use of fake IDs but to avoid prosecution. The price of a scanner will be a “get out of jail free card” of sorts.
Further, companies, their frontline gatekeepers, and their customers don’t fully understand scanner hardware and software or scanning apps, often erroneously relying on marketing representations. The fine print contained in terms and conditions and privacy policies can reveal serious vulnerabilities, setting innocent people up for serious life-changing legal and financial risks. The disclaimers often note that the maximum recovery is likely what they paid for the system or app (e.g., $4.99), meaning the users are left with the legal and financial fallout when scanners fail to spot a fake ID.
Compliance policies must protect frontline gatekeepers. Most people who use ID scanners and scanning apps don’t understand their exposure to liability. For example, many scanners automatically scrape data to create customer contact lists or databases. Collecting personally identifiable information (PII) creates disclosure, consent, security, and other legal issues by way of access, ownership, storage, security, and licensing of data, among other things. After scanning an ID, all or some of the data on that ID can be stored indefinitely on unsecured devices or databases, meaning they are vulnerable. When data are stored or transferred (e.g., via Wi-Fi), they are also vulnerable because they can be viewed or captured. Even if the data are encrypted, they can be captured in compromised routers and switches.
Notably, free scanning apps are available to anyone, meaning anyone can download an app and use it to scan an ID. When companies use scanning apps to confirm age, any bouncer, bartender, clerk, or temporary worker—literally anyone—could potentially view, capture, extract, store, or transfer PII from every scanned ID on and from their personal cell phone. This means that an unknowing consumer’s ID is now in the hands of countless parties, some with nefarious intent.
Some jurisdictions mandate the use of scanners to check IDs, which may mean entire communities are relying on machines to confirm age and identity. By mandating the use of scanners without proper disclosures, knowledge, and training, we’re requiring people to put themselves at risk for financial and legal liability. Also, regulations that require the use of expensive scanners may discriminate against those who cannot afford them. It’s a digital divide that may punish and put at risk those with limited resources.
Ultimately, scanners are not infallible, and they are not a panacea for spotting fake IDs. A human gatekeeper must be empowered with proper training and held liable for the ultimate decision to provide access to a regulated product or service.
Data Privacy Concerns
Scanners often read and store data, including PII, heightening the potential for data breaches and data protection issues, resulting in greater risk for companies and victims. Data protection is falling under greater legal scrutiny in many jurisdictions. Government agencies are increasing accountability when it comes to the use of scanners and the enforcement of laws related to PII. Using scanners or apps to swipe, view, capture, extract, store, transfer, and secure PII involves tremendous risk of violating privacy, cybersecurity, identity theft, and other laws.
An ID holder may believe that their PII, including name, address, signature, license number, photo, biometric data, and more, is safe, when in many cases it is not. Similarly, gatekeepers and companies may not fully understand their exposure to liability in regard to strict privacy laws when swiping, viewing, capturing, and securing PII.
Convenience Over Compliance?
In our drive to be more automated and more high tech, scanners are sometimes the sole method used to check ID, replacing people in crucial gatekeeping positions. By using scanners or scanning apps, individuals are often mistakenly relying on machines to confirm age and identity. Devices like scanners can create a false sense of security for the person scanning the ID and also for the ID holder. We must consider the extent to which we allow convenience to play a role in regulation or enforcement in the protection of society.
To put this in context, changes in retail are bringing about increasingly creative and convenient ways to shop, including self-identification, self-checkout, cashierless stores, online ordering, and nearly instant delivery. With progress come unintended consequences, including easier access to controlled products. Regulations need to address all parties involved in the ordering, selling, purchase, and delivery of these products. Properly checking ID must involve a trained gatekeeper inspecting the ID for various security features to confirm age and identity. Anything less does not constitute properly or thoroughly checking an ID.
Third Parties, Due Diligence, and Compliance
Regulated businesses often retain third parties in different capacities, including companies that sell technologies that purport to check IDs and confirm identity and companies that deliver and ship products. It is the responsibility of the regulated business to conduct due diligence on all third parties involved, but that can be a futile process where regulations are inconsistent or even contradictory.
Businesses struggle with compliance. With alcohol delivery websites and apps, there appears to be a troubling trend of noncompliance. An alarming number of deliveries are made to underage consumers who order online. In April 2020, an investigation by the California Department of Alcoholic Beverage Control found that third-party delivery services are routinely delivering alcoholic beverages to minors, often without even a cursory check of ID.[6] These third-party delivery and shipping companies are not liquor licensees, meaning they are not regulated as licensees and therefore do not share the same economic or legal risk of license revocation or suspension. Many (perhaps most) of these websites and apps allow for self-identification and are not properly or thoroughly checking uploaded IDs.
People also struggle with compliance. Delivery personnel are in a quandary—they have to deliver boxes, they cannot see what’s inside the boxes, and yet they may be held responsible for mistakenly delivering a controlled product. Delivery personnel and other workers often do not realize they’re responsible until a violation occurs. Similarly, when it comes to the use of an ID scanner in a violation, it is unfair to people when local city ordinances mandate the use of a scanner and/or company policy requires the use of a scanner, only to have a judge say that scanning an ID is not considered properly or thoroughly checking ID under state code. Even if workers follow the rules provided by authorities, they may be ultimately penalized with a criminal charge and a fine.
Each party in the order-to-delivery chain must be able to comply with regulations, and those rules must be clearly communicated. Regardless of advancement in technologies, regulations must be drafted to withstand change with universal principles that are clear, fair, understandable, and supported by the community.
Conclusion
A lack of a standardized method of checking IDs can lead to decreased compliance, and decreased compliance with ID-checking regulations creates great risk. Managing risk is a perpetual compliance concern, and awareness of the legal, financial, and social consequences of fake IDs must be a priority.
Expectations for the ID-checking process exceed gatekeepers’ capabilities because the solutions available do not always contain the information or technology needed to do the job. This can lead a business to be noncompliant with the requirements of verifying age and identity, inviting potentially severe consequences.
Effective compliance programs can help governments and businesses manage the risks. Trained gatekeepers are critical to the ID-checking process. Human gatekeepers can not only see and feel security features, but they can observe and assess behavioral nuances often associated with the use of a fake ID. Changes in compliance programs must also be accompanied by an increase in effective resources for people who check ID, giving them the best tools so that they can succeed in their critical role as gatekeepers. Catching fake IDs does not only protect a business or a person, but also the community at large.
We must collectively adopt and enforce a new industry standard and legal standard for checking IDs and confirming identity. Both the private and public sectors support and embrace ID checking and identity confirmation compliance efforts. Collaborative solutions can give rise to greater compliance, and that ultimately will result in reducing consequences caused by fake IDs, saving lives and livelihoods.
The following are key takeaways for use in adopting and enforcing compliance programs that ensure standards for checking IDs and confirming identity.
- Assess risk
  - Identify risk associated with unauthorized access to products and services by assessing potential legal, financial, and social consequences.
  - Reevaluate risk and update compliance programs.
  - Review and analyze relevant compliance data and seek business, worker, third-party, and other stakeholder input.
- Perform due diligence on third parties
  - Conduct due diligence on all third parties, including successors and assigns, at the initial onboarding and over the duration of the relationship.
  - Vet new players and new technologies, especially in terms of potential data breaches and data privacy violations.
  - Maintain a centralized list of any third-party offenders to prevent future violations and monitor for patterns or repetitiveness in actions.
  - Monitor third parties and ensure they regularly update compliance policies as needed.
- Draft clear policy
  - Draft a compliance program with clear policies and specific procedures for checking IDs and confirming identity in person.
  - Ensure policies and procedures consider legal, regulatory, and ethical compliance that fosters healthy cultures within organizations.
  - Increase collaboration with internal and external stakeholders for program development to increase knowledge of technology effectiveness and vulnerability.
  - Conduct periodic reviews for lessons learned with current legal, economic, and technological changes.
- Communicate clearly
  - Train all persons, businesses, workers, and third parties and ensure access to information needed to comply.
  - Provide adequate resources to ensure stakeholders have timely, relevant data to make informed decisions.
- Manage and support
  - Conduct periodic risk assessments to manage vulnerabilities discovered.
  - Provide adequate resources and empower appropriate parties to ensure compliance programs can function efficiently and effectively.
- Monitor and update
  - Continually monitor risk, including training, which is critical to mitigating consequences. Increase monitoring as accountability increases.
  - Update policy and communicate updates in writing. Make information accessible on websites so all parties have 24/7 access.
- Measure impact and enforce
  - Measure impact with relevant data. Memorialize and incorporate impact into compliance strategy.
  - Establish policies and procedures for fair and consistent disciplinary actions on all levels.