Cry To Beat Iris Scanners
Ant writes "The Register has an article on how crying beats iris scanners. An MP who volunteered to take part in the UK ID card trials says the iris scanner used is uncomfortable and made his eyes water... The water in his eyes actually stopped the scanner from working, and it seems long eyelashes and hard contact lenses could fox it too... So we're going to have a system that is derailed by a few tears and fluttering eyelashes?"
There is no such thing (Score:4, Interesting)
Anyway, when I go get my eyes examined, there's this machine taking a picture of my retina and blowing air into it so as to remove water. Oh and they ask me to remove my lens first, imagine!
Re:Please.. Mr Blunket/Random authority.. Get a cl (Score:5, Interesting)
-B
Re:How to fool an eye scan (Score:1, Interesting)
Also, some stroke patients present with asymmetric pupil sizes - which can narrow down what type it is. A number of brain malfunctions can cause prominent physical abnormalities.
Re:What's the big deal... (Score:2, Interesting)
How many government trials with political backing don't get implemented?
If it goes bad, Blunkett will just say that there were issues to iron out. I can't imagine for 1 minute that he'll cancel it.
Re:There is no such thing (Score:4, Interesting)
True, but there is such a thing as a technology that has been proven to be inherently flawed.
Just google for "Bertillonage" for an example of a failed biometrics concept, which no amount of technology could save.
Is iris scanning inherently flawed? I don't know, but if they're just now finding out crying gives a false negative, I don't think anyone has really done any real tests to prove one way or another.
accuracy (Score:2, Interesting)
Re:Please.. Mr Blunket/Random authority.. Get a cl (Score:5, Interesting)
Furthermore, even if the biometric identifiers are not reliable enough to be able to distinguish between hundreds of millions of people in centralized databases, governments are also assuming that they can make id cards that are sufficiently forgery-proof to make "just getting a *real* id in a fake name" rather difficult.
A UK reporter was able to obtain a *real* fake ID for just over a grand. Through a network of bribes.. It's not as hard as you think..
Ask yourself this: How much do you reckon they pay their staff at the passport issuing office? Now ask yourself how much that passport could be worth to someone! The math does itself.
ID cards are flawed because you can't secure a system that large. Criminals have cash to 'invest' in perverting your system.
Simon
Astigmatism (Score:4, Interesting)
Re:Please.. Mr Blunket/Random authority.. Get a cl (Score:2, Interesting)
Also, people will rely on the DNA database as evidence, and not do the proper police/intelligence work. Fakers will escape the net. I always remember a maths teacher telling us to apply "sanity tests". Like roughly do the maths in your head and then check against the detailed calculations. The problem with systems over humans is that this is often not done (A bit like "why didn't Saddam fire those WMDs if he had them?")
Failure rates. (Score:2, Interesting)
If you do a test run with 1000 individuals, and find that 4% of the subjects are identified as someone else, then you really have a problem.
If you then scale up to 1 million people, you will find that a MUCH larger percentage of people will be misidentified: There is a much larger database of people who might have an iris that to the computer looks almost the same. That's when the shit hits the fan.
Re:There is no such thing (Score:2, Interesting)
Now if the data acquisition is flawed, there's nothing you can do and there's no algorithm to correct the flaws. Now following my suggestions previously it is not really _hard_. If the algorithms are flawed then it's no big problem because 1) You've acquired data through a proper acquisition process and thus have a good dataset 2) you can use another algorithm and use the dataset to rapidly see if it works.
I looked at your "example" of 19th century biometrics. Interesting historical value. Your point was?
Re:Please.. Mr Blunket/Random authority.. Get a cl (Score:1, Interesting)
Nothing. It will only get matches for people already in the database. Any terrorist worth his salt won't be in the database in the first place.
Yes, it will be inspected on arrival, but will also get the benefit of the doubt, or the US will have to close all the frontiers permanently...
Immigration: Anyone who wants to immigrate enough will get the *real* id in a fake name!
Things aren't white/black in the world... You can get barred from entering the US because you wanted to work and had only a tourist visa... When you get a work visa you will be granted access. Same happens for students all over the world that get sponsorships to study in the US.
In the end, biometrics will lock people inside/outside, but will leave terrorists walking around freely. You can't change your biometrics once it's taken... a terrorist won't give a damn... as it doesn't expect survival.
In the end, the Joe Does lose the battle...
Failure rates are the problem (Score:3, Interesting)
If you want to roll out biometrics on a massive scale, an accuracy of 0.1 percent chance for falsely rejecting a person means that at an average large airport, like JFK, Atlanta, Heathrow means that 1 in a thousand scans fails. Now this might not sound like a big chance, but since you need to go through the biometric scanner twice, when you get on or when you get off. So this reduces the amount of people necessary for failure to 500. Result is that with the hundreds of millions flying on a yearly basis in Europe and the US over 100.000 people might not get on or off a plane.
You might be one of them!
Nervous != guilty - does scanner obey this logic? (Score:5, Interesting)
For example, if you have some nerves or phobia about the screening process (big men with guns, what-ifs about false positives), your physiology changes, and your biometrics no longer match your card. You are therefore taken in for further questioning.
Even if you are cleared, the next time it happens, you are more nervous, and eventually this becomes a common event for you.
In extreme cases, some people's reinforced phobia would then prevent them claiming benefits, travelling, anything that the ID was required for, since they fear the accusations and questioning.
This is similar to effects seen on the now-discredited polygraph, still in use by agencies worldwide.
For example, I always get tense going through metal detectors. This is partly due to a childhood visit to Washington from the UK, when by accident I triggered the bomb detectors on a visit to the CIA buildings. (I was about 7, and didn't realise my pocket fan would set off the detectors.) I was taken away from my parents, and searched. This is a big thing when you're seven, and now these sorts of checks make me (irrationally, I know) very twitchy.
If failing these tests due to phobia were to become a pattern with me, even if it meant I was often singled out in any sort of official process, I am sure my phobia's symptoms would increase, just driving up the error rate. Positive feedback, you see.
Re:Please.. Mr Blunket/Random authority.. Get a cl (Score:3, Interesting)
Assuming that the "database" is secure against alterations. Any government using such a system will require that falsified and completely bogus identities can be created and that they be indistinguishable from real identities. It wouldn't do for someone's ID to carry metadata which equates to "undercover law enforcement". It would only require one criminal or blackmailable person with the relevant access for this assumption to be false.
I don't understand this (Score:4, Interesting)
Rather gruesomely, the system checked for a pulse in the iris to ensure that you hadn't got a life-size photograph...or cut off the account owner's head.
No, the iris scanner fails to identify you. (Score:5, Interesting)
Fingerprint scanners have a failure rate of around 2%.
Facial scanners have a failure rate of 10+%.
Re:"beats the iris scanner" (Score:1, Interesting)
Joe Terrorist who escaped from Guantanamo bay will just chew on some onions and present his fake ID from a non-biometric country, and he'll pass for someone who has never been iris scanned before.
Re:I don't understand this (Score:4, Interesting)
To register a person you'd want the best pic possible, so you normally want a cooperative subject. But after that the one I tested was pretty OK, even IDs people with scratched eyewear and even some sunglasses.
As for the danger to epileptics claims that's stupid - the stuff can work with IR light. The one I played around with had 3 red LEDs for illumination and was made by LG.
Just buy the right iris scanner for the task and it'll work OK, unless the iris is obscured - I suppose really thick/long eyelashes might cause problems.
Epileptic thing really sounds fishy, perhaps there's a hidden story/agenda somewhere. Now if they had said that fake contact lenses could cause problems I'd believe them - then you need fancy scanners that detect pulses and the usual involuntary iris size changes - I doubt the cheap scanners do that.
Whatever it is, with biometrics for real security you always need a guard there, otherwise you can bring in equipment to fool the sensors. No self respecting guard is going to let you stick some fancy gizmo into/in front of a biometric sensor...
Wonder how it will cope with cataract ops (Score:3, Interesting)
Well no matter, hopefully me and the soon-to-be-missus will have emigrated to somewhere saner by the time the "voluntary" ID cards will have stopped being voluntary.
Re:Please.. Mr Blunket/Random authority.. Get a cl (Score:1, Interesting)
unguarded us ports
First hit is schumer.senate.gov
Re:Please.. Mr Blunket/Random authority.. Get a cl (Score:2, Interesting)
ID checkpoints will only catch the stupid criminals based on the ID itself. But even a well-trained terrorist will have trouble not showing some nerves while being ID-checked by a uniformed officer. With proper training and experience, security officers could identify a pool of people with anomalous behavior that require further watching/screening.
Of course, the TSA probably doesn't train people in behavior observation, and the employees are low-paid and not well motivated. As Bruce Schneier said on the same subject: "We're taking smart people and replacing them with dumb technology, to the detriment of security."
Re:Please.. Mr Blunket/Random authority.. Get a cl (Score:3, Interesting)
On Security... (Score:1, Interesting)
I suppose this could be helped by creating airlock type situations that only one person at a time could go through, but the people don't want the hassle. To paraphrase Leia "The more secure you try to make a building, the more people will slip through your system."
The only way you can secure something is if it doesn't present too much of a hassle to people using it. Passwords are hard to remember, especially if they change often, so people write them down and use the same ones over and over again. ID tags make going into and out of a building less efficient, so people hold doors open out of courtesy, and don't wait to scan their tags if someone stops to hold the door open.
In addition to these problems, biometrics make the mistake of having non-revocable codes, so that when one is compromised, the only way to limit access is to revoke from the authorized user who was too unlucky/stupid to let it fall into the wrong hands. What happens when this person is a high ranking executive? Will they be fired just because someone lifted their fingerprints off of an envelope or hacked an iris scanner?
The only real solution would be RFID that is attached to the person, possibly by an implant but more probably by a card, linked to some sort of biometric recognition system. The RFID can be reprogrammed, or even used with multiple systems without interference. Coupling it with a biometric system would provide a backup in the event the card was forgotten or lost, simply to verify identity.
However, nothing could possibly stop ID theft. Systems should be designed to be secure, of course, but they should also be designed to be unobtrusive when they need to be used on large scales. If I could come into work every day and not have to touch a door, but also know that every entry is being guarded by an RFID system that knows who I am, coupled with, say, a facial recognition system that would trigger an alarm if the card carried did not match the picture on file, that would be an ideal system. Having to step up to a scanner every day would be difficult, and knowing that that is the only way people know me is scary.
Re:Am I the only one worried by all this? (Score:4, Interesting)