Challenging the accepted truth about iris biometrics

Posted on June 18, 2009
I promised some more notes from the recent LSE workshop I attended on Identity in the Information Society (IDIS), and have finally got around to it.
The opening keynote of the workshop was given by Prof. Kevin Bowyer, chair of the Dept of Computer Science and Engineering at Notre Dame University, who spoke on the topic “When Accepted Truth About Iris Biometrics Turns Out To Be False”.
One of the accepted truths he examined was that iris biometrics remain constant over the life of the subject. While he didn’t cite this article specifically, it’s a good example of how the accepted truth becomes established:
“Iris scanning is the most reliable of the three biometric technologies the UK government is considering. The iris is the most distinctive part of the human body, and does not alter with age.”
[…]

“Cons:
It is possible to fool iris scanners with artificial irises made by printing monochrome patterns on to paper.”

(Maija Pesola, FT article, June 27th 2005 – quoted by International Biometric Group)
This article, though now somewhat old, reveals a couple of closely related flaws in such a position. First, fooling the scanner with a ‘monochrome printed iris’ would not work with the industry-standard devices, as these now use “near-infrared” imaging, not visible-light imaging. Near-infrared light passes straight through the surface layer of the iris – which is where the visible, melanin-based coloration is found – and the scanner instead records the surface texture of the underlying iris tissue.
What these devices see, therefore, is not the same as what you would get if you simply printed a picture of your iris… and then, of course, you would have to address the problem of how to interpose it between your eye and the scanner without this being obvious at authentication time.
Second, there’s the claim that the iris is ‘the most reliable biometric because it doesn’t change over time’. As a professional researcher in this field, Prof Bowyer took exception to this claim on the grounds that there is no relevant body of evidence to support it. It comes back to the use of near-infrared imaging. This has only been around for about 5 years… so there is simply no archive of near-infrared iris images to indicate whether or not the underlying tissue structure is indeed life-long. In fact, Prof Bowyer’s initial research indicates that the tissue structure does indeed change over time – though he qualified this finding on grounds of small sample size and short timescale.
Sure, you can look at archives of facial portraits and see whether the visible iris coloration changes over the life of the subject, but you’re not then looking at the characteristic on which iris authentication is based. In other words, this assertion of life-long reliability is currently founded not on a basis of research evidence, but on an assumption that surface melanin coloration and underlying tissue structure are intimately and causally related.
All this may or may not affect the UK’s plans for national biometrics databases. Back in December 2006, the National Identity Scheme plans were amended to drop iris biometrics – though at the time, the stated justifications for that were not to do with reliability. Instead, they were based on a combination of (i) cost reduction arguments and (ii) the standard ploy of claiming “international obligations”.
This last phrase is a rather shabby shorthand for “we’re claiming that we have to do this because the International Civil Aviation Organization, ICAO, says we must. We’re sliding past the fact that ICAO is an international regulatory consortium which recommends what its members say it should recommend, not a global authority which can force a nation state to do something it doesn’t want to do…”.
There are 190 member states in the ICAO consortium. According to this Wikipedia list, at least 129 of them do not have biometric passports, and of those which do, several use only a facial biometric. In the UK, the ICAO card is still being played in order to support the capture of fingerprint and facial biometrics.
–posted by Robin Wilton, Director of Privacy and Public Policy, Liberty Alliance