5 things to consider before implementing iris scanning technology
The eyes have it – or do they? Make sure your iris scanning is up-to-date and spoof proof
In the 2002 sci-fi movie "Minority Report," Tom Cruise plays a futuristic police officer on the run who has eye transplants to conceal his identity from iris scanning. He also keeps his old eyes with him so he can log into the police network when needed. (This could actually work for a few days.)
Today, police have access to handheld devices that can attach to a cellphone and collect and interface iris scans, facial recognition, fingerprints and identifying information.
This has largely occurred with little public debate or oversight. A look into these developments can help law enforcement plan its use of the evolving technology so as not to lose in the public arenas. This article addresses concerns about the technology’s reliability. Another article addresses privacy concerns.
UNDERSTANDING IRIS SCANNING TECHNOLOGY
An iris scan takes a detailed image of the ridges in the colored part of the eye, usually through infrared photography. These genetically determined ridges are complex and unique. Here are the top reasons iris scans are better than fingerprints:
- Detailed and accurate.
- More sanitary.
- Not going to change from wear and tear.
- Fast to scan and quick to retrieve.
When someone’s iris is scanned, a binary code of the image is created. It is this iris code of about 5,000 bits of data that is stored in a database. When that person later goes before an iris-recognition scanner, the iris is scanned and measured against the code in the database to authenticate identity.
One such scanner developed by Biometric Intelligence & Identification Technologies (BI2) is called IRIS (Inmate Recognition & Identification System). Sheriffs and correctional facilities are using IRIS for purposes such as arrest, intake and booking, visitation, work release, etc.
BI2 says its iris recognition technology requires conscious participation. The subject must present their eye to the camera within a designated capture zone approximately 10 to 18 inches away.
But iris scanning technology is fast evolving. Carnegie Mellon engineering professor Marios Savvides says he's invented the first long-range iris scanner, which can identify someone as they glance at their rear-view mirror before a police officer even gets out of the car, or while the person is moving. He demonstrates it in this video.
Technology to defeat iris scanners is also advancing. Hackers have been able to fool scanners using Google Images photos. Researchers have been able to create synthetic iris images not connected to real people that can fool a scanner. These images can be transposed onto contact lenses. As in “Minority Report,” irises can be used as biometric identifiers for at least a few days after death.
Dr. Leonard Flom, who shares the patent for the original iris scanning technique, is also countering the fakers. Some of the foils, he says, can be defeated by a simple pen light shone in the eyes, or a light and pupil reflex monitor in the scanner. Others are developing fake iris detection technology.
Recently, researchers have reverse-engineered iris codes to create iris images that closely match the eye images of real subjects. This creates the possibility of stealing someone’s identity through their iris code.
THE PUBLIC DEBATE ABOUT IRIS SCANNING
A 2016 Government Accountability Office’s (GAO) report threw a critical spotlight on the FBI’s Next Generation Identification (NGI) program which is amassing multimodal biometric identifiers such as iris scans, palm prints, face-recognition-ready photos and voice data, and making that data available to other agencies at the state and federal levels.
One of the report’s criticism was NGI’s absence of reliability testing. Concerns include:
- False matches can lead to serious problems, from mere inconvenience to wrongful detention or conviction.
- Biometric identifiers, like SSNs, can be compromised by a data breach. Unlike other identifiers, however, biometrics can’t be changed. Once they’re compromised a person has no recourse, which can lead to identity theft, impersonation, or worse.
- Data sharing exacerbates these harms – once faulty or wrongfully obtained biometrics are in a system, they spread everywhere the information in that system is shared.
CONSIDER AND PLAN
- Educate yourself about the technology. Ask potential vendors:
a. Have your scanning algorithms been accuracy tested for “false negatives” (failing to find a match when one exists) and “false positives” (an incorrect match)?
b. What were the results?
c. Do you have fake iris detection technology – including “liveness” detection such as pupil reflex monitoring?
d. What database do you use?
e. How big is it?
f. Who uses it?
g. What measures – like encryption – are in place to secure the database?
- Require vendors to demonstrate target accuracy levels and prove an algorithm’s submission to National Institute of Standards and Technology (NIST) accuracy tests.
- Final contracts should require continued internal accuracy testing in operational settings and submission to all applicable NIST tests.
- Avoid contracts where the vendor has disclaimed responsibility for the accuracy of the algorithm, even when the vendor uses a third-party algorithm. (See, recommendations by Georgetown Law Center on Privacy & Technology.)
- Be prepared to respond to public concerns about “false matches.” To put this in perspective, a 2012 report by NIST evaluated 92 different iris recognition algorithms by nine private companies and two university labs. Success rates ranged between 90 and 99 percent among the algorithms. These were false negative rates – failing to match – which don’t negatively impact an individual like false positives. The false negative rate for iris scans is 10 times less than facial recognition. I was unable to find a specific false positive rate other than a description that it was “infinitesimally low.” This might change if reverse engineering of iris codes expands beyond researchers.
Author's note: Thanks to Yavapai County Sheriff Scott Mascher and his Chief Deputy, David Rhodes. Both gentlemen are a gold standard of transparency and civic concern. With no pre-conditions, they opened their office and jail doors to answer all my questions about their use of iris scanning and to observe it during booking. Both expressed a genuine concern about indiscriminate use of iris scanning by police.