Cry To Beat Iris Scanners

Ant writes "The Register has an article on how crying beats iris scanners. An MP who volunteered to take part in the UK ID card trials says the iris scanner used is uncomfortable and made his eyes water... The water in his eyes actually stopped the scanner from working, and it seems long eyelashes and hard contact lenses could fox it too... So we're going to have a system that is derailed by a few tears and fluttering eyelashes?"

There is no such thing

[0xC0FFEE]

There ain't no such thing as a technology that gets worst or doesn't improve. So in due time things will be perversely efficient and operate in a wide range of conditions. Yeah it takes time, but in this particular case, the more the better in my view.

Anyway, when I go get my eyes examined, there's this machine taking a picture of my retina and blowing air into it so as to remove water. Oh and they ask me to remove my lens first, imagine!

Re:Please.. Mr Blunket/Random authority.. Get a cl

[Ralph Wiggam]

All of the 9/11 hijackers had valid state IDs. I think about that while I'm showing my ID to the sixth person in the airport. Speaking of those guys, there was big report released last month showing that the federal TSA baggage screeners were just as incompetent as the private employees they replaced. It's all window dressing to make you feel safe enough to go out and spend your money. Meanwhile, our ports are wide open to someone slapping a stamp on a bomb.

-B

Re:How to fool an eye scan

[Anonymous Coward]

You're right. But you may also be one of people within the population born with pupils of different sizes.

Also, some stroke patients presents with asymmetric pupils sizes - which can narrow down what type it is. A number of brain malfunctions can cause prominent physical abnormalities.

Re:What's the big deal...

[16K Ram Pack]

A trial?

How many government trials with political backing don't get implemented?

If it goes bad, Blunkett will just say that there were issues to iron out. I can't imagine for 1 minute that he'll cancel it.

Re:There is no such thing

[prockcore]

There ain't no such thing as a technology that gets worst or doesn't improve.

True, but there is such a think as a technology that has been proven to be inherently flawed.

Just google for "Bertillonage" for an example of a failed biometrics concept, which no amount of technology could save.

Is iris scanning inherently flawed? I don't know, but if they're just now finding out crying gives a false negative, I don't think anyone has really done any real tests to prove one way or another.

accuracy

[noelo]

While people may joke about this technology and the whole id verification process/big brother, the fact is that its here to stay and I'd rather that flaws like this one are discovered in the initial test stages than having to spend hours proving who I am at an airport.

Re:Please.. Mr Blunket/Random authority.. Get a cl

[Ckwop]

Furthermore, even if the biometric identifiers are not reliable enough to be able to distinguish between hundreds of millions of people in centralized databases, governments are also assuming that they can make id cards that are sufficiently forgery-proof to make "just getting a *real* id in a fake name" rather difficult.

A UK reporter was able to obtain a *real* fake ID for just over a grand. Through a network of bribes.. It's not as hard as you think..

Ask yourself this: How much do you recon they pay their staff at the passport issuing office? Now ask yourself how much that passport could be worth to someone! The math does itself.

ID cards are flawed because you can't secure a system that large. Criminals have cash to 'invest' in perverting your system.

Simon

Astigmatism

[groupthink]

Where I work we use these iris scanners [lgiris.com]. I wear glasses for my astigmatism [m-w.com] and the system reads just fine through my glasses, unless I turn them perpendicular to my face. Other people who work here have to remove their glasses regardless.

Re:Please.. Mr Blunket/Random authority.. Get a cl

[16K Ram Pack]

Particularly as visitors here for less than 3 months will be exempt.

Also, people will rely on the DNA database as evidence, and not do the proper police/intelligence work. Fakers will escape the net. I always remember a maths teacher telling us to apply "sanity tests". Like roughly do the maths in your head and then check against the detailed calculations. The problem with systems over humans is that this is often not done (A bit like "why didn't Saddam fire those WMDs if he had them?")

Failure rates.

[rew]

... fails to correctly identify people in just 4 percent of cases ...

If you do a test run with 1000 individuals,and find that 4% of the subjects are identified as someone else, then you really have a problem.

If you then scale up to 1 million people, you will find that a MUCH larger percentage of people will be misidentified: There is a much larger database of people who might have an iris that to the computer looks almost the same. That's when the shit hits the fan.

Re:There is no such thing

[0xC0FFEE]

This is going OT, but we're not talking inter-operability or performance here where "flawedness" is caused by the infrastructure in place. We're talking basic stuff like data acquisition and data analysis algorithms.

Now if the data acquisition is flawed, there's nothing you can do and there's no algorithm to correct the flaws. Now following my suggestions previously it is not really _hard_. If the algorithms are flawed then its no big problem because 1) You've acquired data through a proper acquisition process and thus have a good dataset 2) you can use another algorithm and use the dataset to rapidly see if it works.

I looked at your "example" of 19th century biometrics. Interesting historical value. Your point was?

Re:Please.. Mr Blunket/Random authority.. Get a cl

[Anonymous Coward]

What's stopping them getting a *real* passport with the correct Biometerics on a different name?
Nothing. It will only get matchs for people already in the database. Any terrorist worth his salt won't be in the database in the first place.
Yes, it will be inspected on arrival, but will get also the benefit of the doubt, or the US will have to close all the frontiers permanently...

Immigration: Anyone who wants to immigrate enough will get the *real* id in a fake name!
Things aren't white/black in the world... You can get barred from entrering in US because you wanted to work and had only a turist visa... When you get a work visa you will be granted access. Same happens for students all over the world that get sponsorships to study in US.

In the end, biometric will lock people inside/outside, but will leave terrorists walking around freely. You can't change your biometrics once it's taken... a terrorist won't give a damm... as it doesn't expect survival.

In the end, the Joe Does loose the battle...

Failure rates are the problem

[Raindeer]

The pain with biometrics is, that it is so sexy and so hyped up, that people aren't willing to look at the numbers behind it. Contrary with what privacy and security people always shout, the biggest problem isn't that it doesn't stop criminals and terrorists. The single biggest problem of biometrics is its failure rate.

If you want to roll out biometrics on a massive scale, an accuracy of 0.1 percent chance for falsely rejecting a person means that at an average large airport, like JFK, Atlanta, Heathrow means that 1 in a thousand scans fails. Now this might not sound as a big chance, but since you need to go through the biometric scanner twice, when you get on or when you get off. So this reduces the amount of people nescessary for failure to 500. Result is that with the hundreds of millions flying on a yearly basis in Europe and the US over 100.000 people might not get on or off a plane.

You might be one of them!

Nervous != guilty - does scanner obey this logic?

[thesp]

This seems a worrying trend with biometric systems - even innocent fear/nerves cause physiological changes which can cause a scanner to give a 'no match' scenario. If biometric ID were to become compulsory, there is the distinct possibility of this problem becoming a real danger to the population.

For example, if you have some nerves or phobia about the screening process (big men with guns, what-ifs about false positives), your physiology changes, and your biometrics no longer match your card. You are therefore taken in for further questioning.

Even if you are cleared, the next time it happens, you are more nervous, and eventually this becomes a common event for you.

In extreme cases, some people's reinforced phobia would then prevent them claiming benefits, travelling, anything that the ID was required for, sine they fear the accusations and questioning.

This is similar to effects seen on the now-discredited polygraph, still in use by agencies worldwide.

For example, I always get tense going through metal detectors. This is partly due to a childhood visit to Washington from the UK, when by accident I triggered the bomb detectors on a visit to the CIA buildings. (I was about 7, and didn't realise my pocket fan would set off the detectors.) I was taken away from my parents, and searched. This is a big thing when you're seven, and now these sorts of checks make me (irrationally, I know) very twitchy.

If failing these tests due to phobia were to become a pattern with me, even if it meant I was often singled out in any sort of official process, I am sure my phobia's symptoms would increase, just driving up the error rate. Positive feedback, you see.

Re:Please.. Mr Blunket/Random authority.. Get a cl

[mpe]

Once they have a database they can at least make the comparison between citizens and aliens.

Assuming that the "database" is secure against alterations. Any government using such a system will require that falsified and completely bogus identities can be created and that they be indistinguishable from real identities. It wouldn't do for someone's ID to carry metadata which equates to "undercover law enforcement". It would only require one criminal or blackmailable person with the relevent access for this assumption to be false.

I don't understand this

[Zog The Undeniable]

Nationwide Building Society [nationwide.co.uk] in the UK tried iris scanning for ATMs a few years ago, and it was 100% successful. The technology wasn't rolled out further because of (a) cost and (b) it was fairly useless as a fraud prevention measure unless all other banks did it too - you could just use a non-iris ATM if you only had a card and PIN.

Rather gruesomely, the system checked for a pulse in the iris to ensure that you hadn't got a life-size photograph...or cut off the account owner's head.

No, the iris scanner fails to identify you.

[Moderation abuser]

Iris scanners have a failure rate of around 4% -> 7%. This is a failure to identify a legitimate person against a *previously stored scan*. I.e. the scan stored in your biometric card or the scan stored in the government database.

Fingerprint scanners have a failure rate of around 2%.

Facial scanners have a failure rate of 10+%.

Re:"beats the iris scanner"

[Anonymous Coward]

Of course it beats the scanner. Can't you see?

Joe Terrorist who escaped from Guantanamo bay will just chew on some onions and present his fake ID from a non-biometric country, and he'll pass for someone who has never been iris scanned before.

Re:I don't understand this

[TheLink]

Well they're not all made the same. Just like anything there are different specs. Not sure of the ones used in the ATMs - I heard some of those can work from quite a significant distance- 1 metre? The one I played around with only could do about 10 cm to 20cm maybe 30 cm.

To register a person you'd want the best pic possible, so you normally want a cooperative subject. But after that the one I tested was pretty OK, even IDs people with scratched eyewear and even some sunglasses.

As for the danger to epileptics claims thats stupid - the stuff can work with IR light. The one I played around with had 3 red LEDs for illumination and was made by LG.

Just buy the right iris scanner for the task and it'll work OK, unless the iris is obscured - I suppose really thick/long eyelashes might cause problems.

Epileptic thing really sounds fishy, perhaps there's a hidden story/agenda somewhere. Now if they had said that fake contact lenses could cause problems I'd believe them - then you need fancy scanners that detect pulses and the usual involuntary iris size changes - I doubt the cheap scanners do that.

Whatever it is, with biometrics for real security you always need a guard there, otherwise you can bring in equipment to fool the sensors. No self respecting guard is going to let you stick some fancy gizmo into/in front of a biometric sensor...

Wonder how it will cope with cataract ops

[rpjs]

I had ops for cataracts when I was a child. As a result my pupils aren't the nice round sort the rest of you have but are sort of ragged. I wonder how Mr Blunkett's rinky-dinky little fascist scanner equipment will cope with my eyes?

Well no matter, hopefully me and the soon-to-be-missus will have emigrated to somewhere saner by the time the "voluntary" ID cards will have stopped being voluntary.

Re:Please.. Mr Blunket/Random authority.. Get a cl

[Anonymous Coward]

No. Try Google with this query:
unguarded us ports

First hit is schumer.senate.gov ..."US ports currently receive no federal funding for security infrastructure"...

Re:Please.. Mr Blunket/Random authority.. Get a cl

[Thundersnatch]

ID checkpoints are good for one thing: they offer security officers an opportunity to study the behavior of people in line. I knew a bouncer in college who could spot fake IDs without looking at the cards themselves. He had experience, trianing, and intuition about the behavior of underage people trying to get into bars, and he was very accurate.

ID checkpoints will only catch the stupid criminals based on the ID itself. But even a well-trained terrorist will have trouble not showing some nerves while being ID-checked by a uniformed officer. With proper training and experience, security officers could identify a pool of people with anamolous behavior that require further watching/screening.

Of course, the TSA probably doesn't train people in behavior observation, and the employees are low-paid and not well motivated. As Bruce Schneier said on the same subject: "We're taking smart people and replacing them with dumb technology, to the detriment of security."

Re:Please.. Mr Blunket/Random authority.. Get a cl

[TRACK-YOUR-POSITION]

Here in the US, my brother tried to replace his driver's license (the de facto US identity card) because his old one was damaged. He tried to use cash to pay the fee for this (probably something like $20), but then he discovered the driver's license center would only accept a money order because the employees of the center weren't trusted to handle cash. Seriously! Our government over here doesn't even trust the people who hand out ID cards with twenty dollars of cash!

On Security...

[Anonymous Coward]

My job, like many of yours, uses RFID tags to unlock doors. But it doesn't stop people from being nice and holding doors open. As an experiment, I attached my badge to my belt (where it's hard to be seen as real or fake) and attempted to access the building without it. I was able to get to the sixth floor (where all the chief execs are located) without having to use my badge once, or having someone question me, a total of fifteen access controlled doors in. I'd imagine that if we used iris scans or fingerprints it would be easier to infiltrate because you wouldn't even have to fake an ID.

I suppose this could be helped by creating airlock type situations that only one person at a time could go through, but the people don't want the hassle. To paraphrase Leia "The more secure you try to make a building, the more people will slip through your system."

The only way you can secure something is if it doesn't present too much of a hassle to people using it. Passwords are hard to remember, especially if they change often, so people write them down and use the same ones over and over again. ID tags make going into and out of a building less efficient, so people hold doors open out of courtesy, and don't wait to scan their tags if someone stops to hold the door open.

In addition to these problems, biometrics make the mistake of having non-revocable codes, so that when one is compromised, the only way to limit access is to revoke from the authorized user who was too unlucky/stupid to let it fall into the wrong hands. What happens when this person is a high ranking executive? Will they be fired just because someone lifted their fingerprints off of an envelope or hacked an iris scanner?

The only real solution would be RFID that is attached to the person, possibly by an implant but more probably by a card, linked to some sort of biometric recognition system. The RFID can be reprogrammed, or even used with multiple systems without interference. Coupling it with a biometric system would provide a backup in the event the card was forgotten or lost, simply to verify identity.

However, nothing could possibly stop ID theft. Systems should be designed to be secure, of course, but they should also be designed to be unobtrusive when they need to be used on large scales. If I could come into work every day and not have to touch a door, but also know that every entry is being guarded by an RFID system that knows who I am, coupled with, say, a facial recognition system that would trigger an alarm if the card carried did not match the picture on file, that would be an ideal system. Having to step up to a scanner every day would be difficult, and knowing that that is the only way people know me is scary.

Re:Am I the only one worried by all this?

[Lord Ender]

If the US hadn't spent so much on its military in the past 60 years, much of the world would be communist (in the model of the USSR) and would not have this "freedom" we now enjoy. There would still be a cold war. Countries like South Korea would be in the sad state of countries like North Korea. If we had taken that money and put it toward social services, we would curerntly have an unsustainable population because every unproductive bum in the world would come here for free health care, shelter, and food. And these bums would have a disproportinately high number of children, who inherit their freeloading attitude. But enough of thus alternate timeline.