
A Wrinkle For Biometric Systems: Irises Change Over Time

Posted by timothy
from the love-the-way-your-eyes-formerly-sparkled dept.
scibri writes "The iris scanners that are used to police immigration in some countries, like the UK, are based on the premise that your irises don't change over your lifetime. But it seems that assumption is wrong. Researchers from the University of Notre Dame have found that irises do indeed change over time, enough so that the failure rate jumps by 153% over three years. While that means a rise from just 1 in 2 million to 2.5 in two million, imagine how that will affect a system like India's — which already has 200 million people enrolled — over 10 years."
  • by retchdog (1319261) on Saturday May 26, 2012 @03:22AM (#40118843) Journal

    if you were fucking over 0.0000005 of your population already to no significant protest, why would anyone care if you are now fucking over 0.00000125 of your population?

    any statistical system should serve only as a first alert; and any positive found thereby should be carefully evaluated by more thorough and human measures.

    • by Mannfred (2543170)

      FTFA:

      “So although you might not really notice the problem after one year or two years, after five or ten years it can become a huge problem,” he explains.

      This area definitively warrants further research - if nothing else, it could mean that Iris scans will have to be re-done every 5-10 years (a bit like passport renewals). Depending on the specifics of the cumulative degradation (i.e. how exponential the effect is), you could be looking at a 2,000,000% failure rate increase in 11 years.

      • Re:uh.... (Score:5, Interesting)

        by Mashiki (184564) <mashiki.gmail@com> on Saturday May 26, 2012 @04:22AM (#40119099) Homepage

        I think they could have a much larger problem. Since a diabetic's eyes can change drastically in a 2-3 month period, and depending on whose data you're using. You're looking at anywhere between 3% and as high as 25% of the average population having a problem with this system.

        • Re:uh.... (Score:4, Interesting)

          by kitezh (1442937) on Saturday May 26, 2012 @06:29AM (#40119489)
          Or with contact lenses. I found this out myself after wearing contacts for a couple of years. After wearing them longer each day than I should have, my eyes began growing extra blood vessels to bring oxygen to the cornea where it was covered by the lens. It most definitely changed the pattern in my irises.
        • by BlueStrat (756137)

          I think they could have a much larger problem. Since a diabetic's eyes can change drastically in a 2-3 month period, and depending on whose data you're using. You're looking at anywhere between 3% and as high as 25% of the average population having a problem with this system.

          Pish!

          Easy to solve for a government drone. Just make it illegal/against regulations to change your irises. No more high error rates or re-testing/registering, and a significant rise in arrest/detention stats!

          A win-win for security theater!

          Strat

    • Re:uh.... (Score:4, Insightful)

      by interkin3tic (1469267) on Saturday May 26, 2012 @03:44AM (#40118943)
      I object to the notion that pointless identification by the state like iris prints for immigration only fucks over a tiny percentage of the population. The loss of privacy is a bigger concern for me, and I've never had iris scans, to my knowledge.
      • by retchdog (1319261)

        okay, but that is a problem regardless of whether the system works, right? if anything, it's more of a problem if the system works.

    • Yes. Except people didn't think of this as simply a statistical system. It is thought of as a unique identifier.
      • by jc42 (318812)

        Except people didn't think of this as simply a statistical system. It is thought of as a unique identifier.

        "Hey, we can build equipment to compare photos of people's irises. We can tell everyone that this is reliable and irises never change. They'll believe us, because who would bother with a literature search to see if any research has been done or that it's true. It has worked for over a century with fingerprints, even though the textbooks contain lists of all the known problems they have, plus examples of fingerprints that aren't at all unique. So they'll accept the same uniqueness claims for iris patterns

  • You already have to update passport and driver's license photos every few years; why would it be difficult to update the iris scan to increase accuracy?

    • For the simple reason that many people might find that sort of thing stinks of Big Brother. People are used to official photographs now but generally find other forms of identification such as fingerprinting to be too associated with law enforcement to be acceptable. The appeal of Iris scans would be to do them when children are born and can't protest, meanwhile the parents are probably too overjoyed and tired to protest either.

      Also I suspect the authorities don't like biometrics which change because they l

      • by markdavis (642305) on Saturday May 26, 2012 @07:43AM (#40119773)

        And yet iris and retina scans are FAR more privacy friendly than fingerprints or DNA.

        We don't go around leaving our eye prints all over the place. And it is far more difficult to obtain them clandestinely.

        • Eventually standard surveillance cameras will be able to capture retina images. Being able to precisely locate you at any time and implicate you without appeal is "privacy friendly"? The database is the enemy of privacy.
          • by markdavis (642305)

            Sorry, that is not going to happen. Physics won't let it. You might be able to get a partial *iris* scan from a distance, but not a retinal scan.

      • by Anonymous Coward

        Fingerprints themselves are horribly flawed even though they're accepted as a means of identification. Theoretically they're pretty good, but in practice they're somewhat less good as you're not typically dealing with a small number of features being matched out of the entire print. What's more because there's a finite area and a minimum size of the features there will be duplicates from time to time.

        • by arose (644256)
          Just like cryptographic hashes are bound to have collisions without necessarily diminishing their usefulness, duplicate fingerprint detection is unlikely to cause misidentification if fingerprints are used in an appropriate context.
    • by gl4ss (559668)

      how do you force the guy in somalia to renew before he tries to immigrate again?

  • by Opportunist (166417) on Saturday May 26, 2012 @03:37AM (#40118917)

    One in a million instead of one in two millions. I guess it would still not overload the average office clerk to double check that many people. Yes, it would be a nuisance, but a minor one.

    Don't get me wrong, I'm not really a fan of biometrics, but I guess we'd have to come up with a better reason than one of statistical insignificance. Likewise you could say inoculations are bad because one in a million develops a rash so let's toss it altogether.

    The only thing that I can take from this is that officials should be informed that a negative on a biometric scan is NOT necessarily a proof that the person is not who he claims to be.

    • by Anonymous Coward on Saturday May 26, 2012 @06:30AM (#40119495)

      The tolerance is already set so loose that it only fails to approve the person 1 in 1 million times. It isn't the error rate, it's a reflection of the *wide* error tolerances set.

      They did the same trick with the facial scanners, they rejected too many people when trialed at UK airports, so they 'recalibrated' them until they rejected only an acceptable number of people. Where 'recalibrate' is really just increasing the error margin till the reject rate is low enough that the last labour government can justify the purchase price.

      Here they've set the iris scanner to only reject 1 in a million, and now it has to be set 3 times looser to reject 1/3rd of 1 in a million in order to keep the reject rate low enough so that it will still be that low after 3 years.

      Oh, and one little side effect of these biometrics is that we now have to get our passports updated every 5 years instead of 10, making any cost saving at the expense of the passport holder.

    • by berzerke (319205)

      One in a million instead of one in two millions. I guess it would still not overload the average office clerk to double check that many people. Yes, it would be a nuisance, but a minor one...officials should be informed that a negative on a biometric scan is NOT necessarily a proof that the person is not who he claims to be.

      Unfortunately, the number of times this will happen legitimately is still low enough that when it happens, the person whose iris has changed will automatically be assumed to be a scammer

  • by _Shorty-dammit (555739) on Saturday May 26, 2012 @03:46AM (#40118949)

    Why not simply use a database to store the scan, and to compare the current scan, and replace with the current scan if it is considered a match? Then the issue is gone. Replaced by other IT issues, I suppose. But still...

    • by TheLink (130905)
      Which remote scanners do you trust to cause your database to be updated?

      Get an animation program to create all the necessary in-between frames between your target victim and your target final fake iris (which should not be the same as the one in your eye unless you want to get caught easily).
      • If it matches me, it's me, no? So, all of them?

        • by TheLink (130905)
          If it matches your iris it does not mean it's you, unless there is a well trained guard standing there making sure you're not doing strange things...

          So all of them means you need to secure all of the scanners to prevent your database from getting falsified data.
  • Just make sure you stop at all the checkpoints frequently enough that we can keep our records up to date.

  • by jamesh (87723) on Saturday May 26, 2012 @04:03AM (#40119005)

    Unless you are going 6 months without being scanned, and assuming these changes are fairly linearly progressive and not abrupt, it wouldn't be hard to just update the database with the changes based on an allowed variation over time if multiple scanners are registering a change.

    If there is anything wrong with biometric scanning it isn't this.

    • by Anonymous Coward

      The usual assumption is that "biometrics" do not change and that they will accurately and precisely uniquely identify an individual for as long as s/he lives, and beyond. Think about that for a minute. Then consider that this assumption is only now starting to be challenged with those who assumed they could rely on it, while lots of governments the world over are busily taking biometrics from anyone with suitable biometrics to take. The US and its border "controls" are a good example, but so are, well, Indi

  • by nogginthenog (582552) on Saturday May 26, 2012 @04:18AM (#40119079)
    Iris scanning is NOT used to police immigration in the UK. It was a failed experiment and people are no longer able to register their eyes. Any idiot passing through immigration at Heathrow or Gatwick could see it was taking the biometric people longer, even though there was no queue.
    • by Anonymous Coward

      True, but it still took less time than the hour I spent in the queue at Gatwick yesterday or the TWO FUCKING HOURS in a queue at Heathrow last month. Efficiency is not something the British do, at all.

      As a legal tax-paying (highest tax-bracket) resident (with "no recourse to public funds" I might add - despite the outright lies the Mail and the Sun print) I used to be eligible for IRIS, now I cannot use it and have to join the non-UK or EU queue instead, even though I have a big UK Resident chevron embossed

  • ...has been known for centuries. Biometrics do not work like stupid politicians want them to work.

  • Biometric stuff invades our privacy.
    But still: does the detected error rate increase matter?
    We do not *identify* people via the iris scan, or do we?
    If we just match a person to his/her passport the error rate is insignificant.
  • Retina scans probably suffer from fewer changes and would be a better choice.

    As for privacy: Retina scans are FAR more privacy friendly than fingerprints or DNA. We don't go around leaving our eye prints all over the place. And it is far more difficult to obtain them clandestinely.

  • The company I work for uses biometric security. The readers we use know that biometrics change over time and automatically update their databases every time you use the system (using some secret time weighted algorithm).

    You can set a threshold for the change/deviation/etc (in some people it changes more often than others). Our system only uses biometrics for authentication, not identification (that is, the biometrics confirm your ID, the biometrics are NOT your ID).
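
A sketch of the kind of update-on-match scheme this comment describes, as an added example that is not the commenter's or any vendor's code: 1:1 verification on a fractional Hamming distance, a time-weighted template update on each accepted scan, and a cap on how far the template may move from enrolment, which also bears on the earlier question in the thread of which scanners are trusted to update the database. The thresholds, the weighting and the ageing model are constructed assumptions.

```python
MATCH_THRESHOLD = 0.32  # assumed accept threshold (fractional Hamming distance)
ALPHA = 0.2             # assumed weight of the newest accepted scan
DRIFT_CAP = 0.25        # assumed limit on template movement away from enrolment

def hamming(a, b):
    """Fraction of positions at which two equal-length bit lists differ."""
    return sum(x != y for x, y in zip(a, b)) / len(a)

def to_bits(weights):
    return [1 if w >= 0.5 else 0 for w in weights]

class Template:
    def __init__(self, enrolled_bits):
        self.enrolled = list(enrolled_bits)               # fixed enrolment anchor
        self.weights = [float(b) for b in enrolled_bits]  # time-weighted average

    def verify(self, scan):
        """1:1 check for a claimed identity; the template moves only on accept."""
        if hamming(to_bits(self.weights), scan) > MATCH_THRESHOLD:
            return False
        candidate = [(1 - ALPHA) * w + ALPHA * s
                     for w, s in zip(self.weights, scan)]
        # Refuse updates that would carry the template past the drift cap, so
        # a long run of small accepted changes ends in re-enrolment instead.
        if hamming(to_bits(candidate), self.enrolled) <= DRIFT_CAP:
            self.weights = candidate
        return True

def age(bits, step, flips):
    """Constructed ageing model: a fresh block of `flips` bits changes each step."""
    out = list(bits)
    for i in range((step - 1) * flips, step * flips):
        out[i] ^= 1
    return out

def simulate(adaptive, steps=12, flips=16, n=256):
    eye = [(i * i) % 2 for i in range(n)]   # constructed enrolment code
    tpl = Template(eye)
    accepted = []
    for step in range(1, steps + 1):
        eye = age(eye, step, flips)
        if adaptive:
            accepted.append(tpl.verify(eye))
        else:
            accepted.append(hamming(tpl.enrolled, eye) <= MATCH_THRESHOLD)
    return accepted

if __name__ == "__main__":
    print("static  :", simulate(False))
    print("adaptive:", simulate(True))
```

With these constructed numbers the fixed template stops matching after five ageing steps, while the adaptive one keeps matching for nine and then fails closed once the drift cap blocks further updates.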

  • by nurb432 (527695)

    No kidding. Our bodies change over time, who would have ever thought?

    Even our very DNA can change due to radiation..

  • Guess our bodies are just complying with the company rules to periodically change our passwords.

  • Face changes; A picture taken over 10 years ago is significantly different than mine today.
    Fingerprints change; scars, acids, growth all cause fingerprints to change significantly.
    Signature; My signature is rarely the same twice.

    I just love it when a sensationalistic statistic is used. The article states a 153% increase in failure rate. How about you look at the pass rate; it would decrease from 99.99995% to 99.999875%. That is a decrease of 0.000075%. That change is pretty insignificant.
