Iris recognition or iris scanning is the process of using visible and near-infrared light to take a high-contrast photograph of a person’s iris. It is a form of biometric technology in the same category as face recognition and fingerprinting.
Advocates of iris scanning technology claim it allows law enforcement officers to compare iris images of suspects with an existing database of images in order to determine or confirm the subject’s identity. They also state that iris scans are quicker and more reliable than fingerprint scans since it is easier for an individual to obscure or alter their fingers than it is to alter their eyes.
Iris scanning raises significant civil liberties and privacy concerns. It may be possible to scan irises from a distance or even on the move, which means that data could be collected surreptitiously, without individuals’ knowledge, let alone consent. There are security concerns as well: if a database of biometric information is stolen or compromised, it is not possible to get a new set of eyes like one would get a reissued credit card number. And iris biometrics are often collected and stored by third-party vendors, which greatly expands this security problem.
How Iris Recognition Works
Iris scanning measures the unique patterns in irises, the colored circles in people’s eyes. Biometric iris recognition scanners work by illuminating the iris with invisible infrared light to pick up unique patterns that are not visible to the naked eye. Iris scanners detect and exclude eyelashes, eyelids, and specular reflections that typically block parts of the iris. The final result is a set of pixels containing only the iris. Next, the pattern of the eye’s lines and colors are analyzed to extract a bit pattern that encodes the information in the iris. This bit pattern is digitized and compared to stored templates in a database for verification (one-to-one template matching) or identification (one-to-many template matching).
Iris scanning cameras may be mounted on a wall or other fixed location, or they may be handheld and portable. Researchers at Carnegie Mellon University are developing long-range scanners that could even be used to capture images surreptitiously from up to 40-feet away.
What Kinds of Data Are Collected for Iris Recognition
Iris scanners collect around 240 biometric features, the amalgamation of which are unique to every eye. The scanners then create a digital representation of that data. That numeric representation of information extracted from the iris image is stored in a computer database.
Iris scanning is sometimes used in conjunction with other biometrics, such as fingerprints and face recognition.
Who Sells Iris Recognition Technology
Companies selling iris recognition technology include Aware, BioID, Biometric Intelligence and Identification Technologies, Crossmatch, EyeLock, Gemalto, Idemia, Iridian Technologies, Iris Guard, Iris ID, IriTech, Neurotechnology, Panasonic, Tascent, SRI International, and Unisys. Many of these companies offer multiple forms of biometric identification technology.
How Law Enforcement Uses Iris Recognition
The U.S. military has used iris scanning devices to identify detainees in Iraq and Afghanistan. For example, the handheld biometrics recorder SEEK II allows military personnel to take iris scans, fingerprints, and face scans and port the data back to an FBI database in West Virginia in seconds, even in areas with low connectivity. As is often the case with cutting-edge surveillance technologies developed for use in foreign battlefields, similar iris scanning technology has since been deployed by police departments across the U.S.
The New York City Police Department was among the first police departments to begin using iris recognition. The department installed BI2 Technologies’ mobile MORIS (Mobile Offender Recognition and Information System) in the fall of 2010. Although New York City’s use of iris scanning in jails was supposed to be voluntary, there have been reports of arrestees being held longer for declining iris photographs. Prisons, such as the Rhode Island Department of Corrections, have also begun using the technology. An EFF survey of California law enforcement agencies in 2015 found that sheriff offices in Orange County and Los Angeles County had plans to implement iris scanning technology.
Iris recognition devices are currently being installed in every sheriff’s department along the U.S.-Mexico border. The vendor BI2 offered these sheriffs free three-year trials of its stationary iris capture devices to be used in inmate intake facilities, and it has said it would eventually provide mobile versions as well. The iris templates generated with the mobile app can be compared against hundreds of thousands of other iris templates in less than 20 seconds. The scans will be added to BI2’s private database, which already has close to a million iris scans collected from over 180 law enforcement jurisdictions across the country.
The B12 database is housed by a third-party vendor in an undisclosed location in San Antonio, Texas, and in three other disaster backup facilities. A BI2 executive told The Intercept that it is the largest database of its kind in North America.
Threats Posed by Iris Recognition
Perhaps the biggest threat of iris scanning is the danger of a national database that can track people covertly, at a distance or in motion, without their knowledge or consent. This raises significant civil liberties and privacy concerns which increase as iris data are collected from more and more people. It may be possible for law enforcement officers to use long-range iris scanners on people simply glancing in their rear view mirror after being pulled over. At some point, it’s possible that every person could be identified at any place, even if they are not suspected of committing a crime.
There also are grave concerns with local law enforcement sharing biometric data to help federal immigration agencies such as the U.S. Immigration and Customs Enforcement (ICE), which has direct access to many law enforcement databases.
No biometric is foolproof. A 2009 research study showed that patients with acute iris inflammation (also known as iritis or anterior uveitis) caused current iris recognition systems to fail. A 2012 report from the National Institute of Standards & Technology (NIST) showed that iris recognition technology used to identify an individual in a crowd was inaccurate 1 to 10% of the time. Quality problems were due to poor subject presentation (e.g., a closed eye, rotated iris or off-axis gaze), problems with the capture environment (such as motion or defocus blur, reflections due to excessive ambient lighting or broken LEDs), image processing or storage (such as image compression or corruption), and unusual characteristics inherent in the individual (such as an abnormal pupil shapes). The miss rates (or false negative error rates) for single irises ranged from 2.5% to 20% or higher.
It is also possible to trick or bypass iris scanners. In 2012, security researchers at the Universidad Autonoma de Madrid were able to recreate images of irises from digital codes stored in security databases. More recently, hackers with the Chaos Computer Club in Germany were able to bypass the iris-based authentication in Samsung’s Galaxy S8 smartphone (despite the company’s claims of “airtight security,”) by simply taking a digital photograph of the owner’s face in night shot mode, printing it out, superimposing a contact lens on the image, and holding the image in front of the locked phone.
And then there is the issue of data security. It’s unclear what steps, if any, law enforcement agencies are taking to secure the sensitive biometric data they collect. Databases of iris biometric are a honeypot of sensitive, highly personal data that will be targeted by criminals. Data breaches and hacks are at an all-time high. Biometric information is a special risk because it’s not possible to revoke, cancel, or reissue an eyeball if digital biometric information is stolen or compromised. Making the risk of data breach even greater, law enforcement often stores its iris biometrics on databases operated by vendors and other private third parties. This also gives companies access to and control over criminal justice data, which many of their employees can access remotely.
For More Information
How Iris Recognition Works (Cambridge University)
Five Minutes Primers: Iris Recognition (Policing Project)
Most recently updated October 25, 2019