By Cartoon Peril Tue Dec 27, 2011
There's a thing called global biometrics industry. As with any "global" industry, there's good reason to be suspicious of it. Largely parasitic on governments, the industry has devised ocular (eyeball-based) ID systems, of which there are two very different methods, the iris scan and the retinal scan, with the iris scan far more prevalent, and projected to be the most common identification technology in 2020.
The iris is a muscle that forms the colored portion of the eye and it controls the amount of light that enters the eye by regulating the size of the pupil. Iris imaging requires use of a high quality digital camera that illuminates the iris using near-infrared light. The Ministry of Homeland Security (.PDF 8/12/2010) claims that these cameras can take these photographs without causing harm or discomfort to the individual.
For some time now the ministry has been conducting its "Iris and Face Technology Demonstration and Evaluation (IFTDE)" project. Current testing is being done on two basic scenarios, first, fixed subjects (standing in front of a fixed or hand-held camera) and second, and perhaps more ominously, walking near a camera while walking through a portal.
While one might expect a kind of Minority Report scenario, in fact the technology for implementing iris scanning is highly vulnerable to attack through numerous means. Of course, this has not prevented the various parasitical contractors pushing the technology from selling it like Professor Harold Hill's band instruments to the good citizens of River City, Iowa.
Of course, all of this is concealed in a smoke screen of jargon, which I will hope to unravel below the Squiggle of Doom.
Basic features of all ID systems
All identification systems depend on two phases: enrollment and authentication.
Enrollment is the process of gathering identifying information, and linking it in a reliable way to a particular individual. Enrollment can be done by any means, and it is as old as the Roman Empire, as it will be recalled that Joseph and Mary were required to travel to Bethlehem to be enrolled for the purposes of the Roman census.
In modern times a birth certificate is proof that one's birth was enrolled on the official state registry, necessary to establish eligibility for citizenship, social security, etc. Most people as they grow older enroll themselves in other identification databases, for school, driver's licenses, passports, etc., with the birth certificate being required for enrollment into these registries, and as a practical matter, the credentials issued as a result of these enrollments (driver's license, passport, etc.) take the place of the birth certificate for practical purposes.
Authentication determines whether there's match between the credentials presented with a record within the enrolled registry. Biometrics is simply a means of bypassing the credentials step of the authentication process. Person A may forge credentials in the name of person B. However, as a general matter, A will have difficulty imitating the fingerprints of B.
If B's fingerprints are in an enrolled database, and A's prints can be captured and compared to the enrolled prints, the verifying authority is no longer dependent on credentials during the authentication phase. A's imposture of B can be detected by direct biometric comparison.
Iris scans are biometrics as well. Assuming accurate image capture the captured image must be compared to an "enrolled database" of iris scan images. See here for a demonstration. Without the database, the iris scans, even if accurate, are useless for government operations.
Deployment scenarios
Iris scanning technology has been deployed in numerous environments, such as:
* At an elementary school in New Jersey, with the excuse that it is necessary to prevent the children from being abducted. This was funded, of course, by a federal grant of $369,000.
* In Iraq by the U.S. military to assemble a database of 3 million people.
* in about 20 U.S. airports from 2005 to 2008 to identify passengers in the Registered Traveler program, who could skip to the front of security lines.
* In Leon, Mexico, a city of 1 million people, Global Rainmakers (now Hoyos Corp.) claims it will provide iris technology for the "secure city initiative". The system is to be used on ATM transactions, ordinary purchases in stories, or boarding a bus. Persons charged or convicted of offenses will apparently constitute the enrolled database against which persons engaging in ordinary activities are to be compared.
Iris scanning at a distance
According to an article (9/13/2010) in USA Today, the Ministry of Homeland Security intended then to "test cameras that take photos from 3 or 4 feet away, including one that works on people as they walk by." The great advantage of this system to the authority collecting the information would be that the fact the persons scanned would not readily perceive that they were being scanned. Widespread scanning of this nature, called "scanning of local populations" has never been perfected. So far, the best that has been done is that tests have been done on people going through designated portals. Weaknesses in the system
There are numerous problems with the system, this article (09/10/2010) provides a good summary. Notable among the defects is the fact that iris matching, unlike fingerprinting, cannot be done by human beings; that is, outside of the obvious question of eye color, no human has been shown to be able to determine whether a particular image of an iris matches another iris image. Even the computers are not able to do this, and they express only a probability, not a certainty.
Unattended authentication systems can be overcome by presentation of a high quality photograph of a person previously enrolled in the database. This is called the "live-tissue" problem. (Source: Meghanathan, 14-15). This mechanism of attack is called a "spoof attack." While there are supposedly means (at least theory) by which an unattended system can detect a spoof attack, if these are effective, this has not been reported.
More dangerous than a spoof attack is the possible compromise of the collection media or database. It must be recalled that the iris scan is stored in electronic digital media, and if this electronic media can be compromised, the system could be overcome via false authentication on a one-time basis, and perhaps the entire system could be reverse-engineered.
For a true nation-wide system to be constructed would require an enrollment database of over 300 million persons and would take many years to construct. Widespread enrollment and authentication points would open the system up to attack at multiple points, and no iris-scanning system has ever involved protection on such a scale. This would require an electronic Maginot line.
Social acceptance
Social acceptance of the enrollment process is critical to success. Meghanathan (reference below) assigns the following levels of social acceptability to the collection of five biometric identifiers: face: best; fingerprint: average; hand geometry: average; Iris scan: poor; signature: best; voice: best. Curiously, the Environmental Protection Agency however claims that the enrollment photography phase for the iris scan "generally has a high level of user acceptance". (source).
Deployments of iris scanning have generally been limited to circumstances where there was a high degree of shared interest (employees, for example) among the persons enrolled in the database, as well as a strong discrete benefit to be derived from the provision of an accurate enrollment image. Under these circumstances, acceptance of the iris scan would be readily given.
Outside of wartime conditions, iris scanning has not yet been deployed on a nation-wide basis (other than the U.A.E.), and social acceptance here has never been tested.
Limits of the technological "solutions"
In the deployment at the elementary school, social acceptance was overcome by the threat of strangers obtaining access to the school and abducting children. But social acceptance could also be overcome by deploying the enrollment on young children -- you'll notice on the linked video that the scanner is at a child's height. The danger of course here is that the technological panacea does not and cannot address the fact that children are much more likely to be hurt or abducted by someone known to the child than a stranger. For $369,000, the cost of the system, one could quite likely design a child safety program run by actual human beings which would have a much greater impact upon the most likely threats against children. As we see with much of the technological devices ballyhoe'd as a solution to "security" issues, this is in fact a solution in search of a problem. For example, is it a problem in Leon, Mexico (or any other country) in the world, that the government does not positively know the identity of every person boarding a bus? Admittedly there have been bombings on buses, but would such bombings have been prevented? Even on 9/11 itself, all the hijackers boarded the airplanes under their own names.
Because of the various weaknesses of the iris scan, outside of some very irresponsible manufacturer demonstration videos, it is never thought of as sufficient by itself to be used as an electronic identification, and it is always seen in combination with fingerprints and facial recognition technology. Hence, construction of any national system would depend to a great degree on developments in these other areas as well.
Given all of this, the only reason I can see for the current faddish emphasis on the iris scan is the get rich quick gold rush atmosphere of the contractor-dominated security state.
Additional sources:
* Meghanathan, Natarajan, Biometric Systems for User Authentication, International Journal of Information Processing and Management(IJIPM) Volume2,Number4,October 2011. (.pdf)
* U.S. Environmental Protection Agency, Security Products Guide, including in particular Biometrics Recognition. (The EPA has been one of the principal floggers of electronic security measures, for example, as security measures for water systems -- one senses the hand of the contractor-captured government here.)
Originally posted to Cartoon Peril on Tue Dec 27, 2011