There's a company called irisgalerie that takes high res photographs of your eye and then sells prints to you. So let's say you got one of these pics and then posted it on social media. Could someone then use that picture to fool eye-based biometrics?
Add a comment
|
1 Answer
In general: Abuse iris photographs for illegitimate identification: yes, absolutely. In earlier days, the photo did not even have to be of very high resolution: “We have managed to fool a commercial system with a print out down to an iris diameter of 75 pixels”
But it depends on the implementation, there are countermeasures described in this research paper.
Regarding irisgalery specifically, they deny on their website any "risk to your identity as it is an art photography" and state that data is processd in a safe way:
In compliance with RGPD standards, your information is kept for 2 years before being deleted. As for the photograph of your iris, this poses absolutely no risk to your identity as it is an art photograph. Moreover, our storage system is not linked to your personal data.
They do not explain, if this refers only to the risk that photo data is leaked by the company (how to guarantee? If it happens, you cannot change your eyes...), or if they apply any sort of de-identification of the photo, i.e. if they actively change the foto ("artwork") in details not likely to be recognized by humans but by computers. Even if so, IMHO it seems they
- cannot know all current and future implementations of iris/photo matching, and hence not safely prevent abuse (possible the algorithm is even not interested in the changes they made).
- cannot guarantee that a potential de-identification algorithm becomes public and can be applied in reverse by an attacker.
If they in fact could guarantee all, they should detail this on their website instead of vague statements. I find it alarming that they even suggest this service for children:
We usually recommend taking pictures from the age of 5. However, as our system is safe for children, photography before the age of 5 is possible if the child manages to stay still and stare at the camera.
Taken together, I would at least not post my iris photo, even if they are really beautiful. On the other hand, it might not be possible to prevent that a high-definition camera could take a photo of your iris unknowingly and unwanted elsewhere during your life, or even an "unlucky" selfie... It seems at least as important that one carefully selects services that are unlocked by iris scan in terms of (a) consequences of abuse and (b) implemented safety features to prevent spoofing. And be aware that there may be future "services" you cannot avoid, such as biometric data requirements by police and customs e.g. when traveling across borders.
See also similar discussions on fingerprint spoofing: also there the technique used to read the fingerprint makes a difference. Just a random (not necessarily latest) examle is here. And apply these thoughts on any biometric identification...
