Germany Begins Iris Scans at Frankfurt Airport

securitas writes "Deutsche Welle reports that at Germany's Frankfurt airport biometric iris scans of airline passengers have begun. The German government says that the six-month pilot project is part of Europe's 18-country Automated and Biometrics-based Border Checks initiative to improve 'border control routines' and domestic security, with a full-scale system to follow. The system uses an iris scan embedded in a passenger's machine-readable passport, which is compared to the passenger's iris with an onsite scan. Travelers must 'sign a data security document' and agree to be checked by border guards. The article also references the capability of an iris scan to determine drug and alcohol consumption. The European Parliament is considering replacing all of its traditional passports with a new European biometric passport by 2005. The IRISPASS system (press release) was built by Byometric systems, Iridian and Oki Electric Industry. More coverage at CNet/ZDNet, AP/USA Today and mirrors at AJC, and CNN."

Amsterdam Airport Schiphol introduced this in 2002

[Anonymous Coward]

Amsterdam Airport Schiphol introduced iris scanning in 2002

http://www.cnn.com/2002/WORLD/europe/03/27/schipho l.security/ [cnn.com]

On the one hand...

[nacturation]

This is rather invasive and doesn't bode well for privacy. Not to mention the issues of being able to get the same scan every time (eye damage, anyone?). On the other hand, it does make an attempt to solve the authentication problem -- how do you know that the person holding the passport is the person the password was issued to? Take a sample of data points from the scan at the time of application which are guaranteed to be reproducible (the signature) and sign it against a government-held private key. Barring changes in the eye structure, this should be easily reproducible.

Still, all these methods do nothing to prevent terrorism. They only validate that the person shoving their eye into the reader, terrorist or innocent, matches with the passport. Done properly, it should be incredibly difficult to forge a passport without having someone high up on the inside with access to the private encryption key. But it won't stop terrorists.

As one who's actually worked with iris scanners...

[jskiff]

I actually worked with Iridian [iridiantech.com] back when they were called "Iriscan" a few years ago. The technology was pretty cool; unlike fingerprint or voiceprints, which can only verify someone's identity after they tell you (via a username, prox card, etc) who they are, an iris scan can actually identify a user based off of their iris pattern.

A typical fingerprint has about 10 points that can be uniquely identified, and on a thumbprint scanner you're lucky to get 5 or 6 of them reliably. The iris has roughly 26 unique points that can be picked up every time. Back when I was working with Iridian's stuff they used a low light video camera to basically take a picture of your eye...no funky lasers or anything like that. Additionally, and perhaps morbidly so, they had built technology to help identify if the eye was live or not, so not only could you not just hold up a picture of an eye, but you couldn't take someone else's eye (a la Demolition Man, I believe) and hold it up to the scanner.

Additionally, the iris pattern (and thumbprint or voiceprint in other applications) is never held as an actual pattern; it's just a hash based off of what comes off the scanner, so privacy was not much of a concern.

Re:Iris changes

[Greedo]

Babies eyes don't settle down to their final colour until sometime bewteen 6 and 12 months (source [ukparents.co.uk], another [babycenter.com]).

So, their irises do change, certainly in colour. There aren't many 6-12 month-old terrorists running around, so maybe that's not an issue. But what Lockridge said is clearly wrong.

What if..

[LazyBoy]

What if I come from a country that doesn't have an iris scan embedded in a passenger's machine-readable passport?

Also, Keratoconus is a disease that causes the cornea to deform. This would cause scans of your iris to change. Also, people with this often have cornea transplants. The stitches (which are sometimes left in "forever") are right over the iris.

Re:Iris changes

[BWJones]

but the iris never changes from the eighth month of gestation until death.

This is absolutely wrong. Especially with pathological changes.

And yes, I am a vision scientist.

We tested them at work

[crimestopper]

I work for a private security company (can't give you the name) and we are looking into biometrics too.

They seem to work quite well. There is one "drawback" though: you can only use them to identify people who are already in your database. So it can only be used to authorize personel and not to identify visitors for example. This will remain like this until governements start keeping databases of biometric records.

Ofcourse this isn't very evident because the TTEI-resolution of 2001 specifically forbids practices like this on grounds of techfear I suppose.

Re:On the one hand...

[m0rph3us0]

The problem is these IDs are based on a non-biometric data source. (ie. birth certificate). As long as the root of the document chain is comprimisable the whole system is. If I am the same age and gender as another person they can become me if I can get their birth certificate.

Obtention of "lost" passport?

[SysKoll]

Did the EU countries tighten their passport renewal procedures? Because right now, anyone can obtain a renewal for a lost passport by providing extremely low-tech documents that are a breeze to forge.

In France and Belgium, for example, you can walk into a police station and declare you have lost your passports (the prevalence of muggers and pickpockets makes it an easily believable story). You have to provide a birth certificate. What is it? An ordinary piece of paper, incredibly easy to counterfeit. Once your ID has been "established" by this "proof", the authorities will issue a new set of ID documents: forgery-proof ID and biometric passport. With your supplied name and photo on it.

If at least, they keep a database of iris scans, forgers would be able to do it only once. The article doesn't say anything about such a database.

So this is a nice strong link in the othewise very weak security chain in Europe.

Big Brother State

[rock_climbing_guy]

Personally, I think that one of the most chilling police states in movies is in the movie "The 5th Element." For those of you who haven't seen it, there is actually a station in our hero's own apartment where he is required by law to go to and bend over, placing his hands on the wall while the police enter his place and arrest him.

Does having an "arresting station" in one's own dwelling-place not sound a bit more chilling that eye-scanning?

Re:Iris changes

[deadbadger]

This isn't quite right - while the passport is scanned, this isn't for iris data, merely to ascertain who you claim to be. The iris code corresponding to this identity is then retrieved from a central database and compared with the results obtained by the security terminal. From the press release:

"First, passport data is captured by a passport scanner and checked against a database. The iris recognition system then identifies the individual's iris to verify a match between the individual and the legal passport holder."

Re:Iris changes

[deadbadger]

Bugger - I could have sworn I put links in that post. John Daugman's website [cam.ac.uk], and the list of results [cam.ac.uk] from a variety of sources.

Re:Oh fer crying out loud.

[ahillen]

Ah! I was wondering why those Germans in Germany were scanning passengers in a German airport as part of a European initiative. Turns out it's to secure the United States!

No, but the whole rush towards biometric data in passports was triggered not least by the US, as pointed out in the USAtoday article linked in the story:

"Germany passed laws after Sept. 11 attacks that provide for biometric features to be added to passports and personal identity papers. Post-Sept. 11 U.S. legislation also requires 27 countries, mostly in Europe, to add biometrics to passports they issue after Oct. 26, 2004, or else have their citizens apply for visas. "

It's optional!

[kju]

As it seems, most of you might have missed the fact, that the system is optional. You don't have to use it, you don't have to own a special passport if you don't want to use it.

It's setup as a convenience for frequent travellers. Its opt-in, if you would like to call it that way.

Re:Colored contact lenses

[morcheeba]

There are two types of colored contact lenses - opaque and non-opaque.

I've got the non-opaque ones, which is basically a colored transparent circle in the middle of the lens. It does tint my vision a little, but the brain gets used to it. I don't use them for photography. This type does not lighten dark eyes. I'm pretty sure you could easily get an iris print through these.

The opaque kind has a printed fake iris-like pattern on them, and are clear in the middle (and they don't tint your vision) I didn't like this kind because they use a half-tone dot pattern that I noticed very easily and looked especially fake. I doubt you could get an actual iris print with these. These are newer and are being pushed harder (example: the non-opaque kind are not available for astigmatic lenses). Manufacturers claim they look better, but for light-colored eyes, I disagree. For dark colored eyes, they are the only solution.

"Der Grosse Bruder"

[Wastl]

At the moment, the system is completely voluntarily. If I read the press release correctly, it should ease identity control for travelers. You no longer have to go through manual control but can instead simply look into a camera. Of course, you'll need to be registered first.

The German authorities will not be able to enforce this system for a long time, as it is impossible to force all other countries to provide such data.

Besides, did you ever notice that Europeans have to provide biometric information when applying for a US visa?

Sebastian

Re:Obtention of "lost" passport?

[SysKoll]

Good example, Hektor.

Looking up "security" and "stolen passport" in Google leads to interesting stories. Looks like some EU countries have "misplaced" tens of thousands of blank passports, which got stolen right from the storage rooms of passport offices. What good is it to have holographic imprints in the paper if you put the blanks it in a badly protected drawer? And remember, boys and girls, such a passport gives you access to all the EU, 'cuz Europeans don't need no big bad borders no more. You cannot more clearly proclaim "Scum of all Earth, come deal and traffic in our countries!"

In this story [askmk.com], British journalists demonstrated how easy it is to claim your passport has been stolen and to get a new one issued to a fake identity. And still in sunny UK, another story shows that about 3000 passports a year, sent through 1st class mail, get lost or stolen in the mail [guardian.co.uk]. And there are tons more.

So before they start retina-scanning people in public places, maybe the EU gummints could tighten their abysmally unsecure procedures just a tad?

Re:Open Biometrics for the home?

[gnu-generation-one]

"I've always had a geeky dreamproject of supplementing my traditional lock and key entry to my house with biometric security devices. The idea being that in the event of a systems failure, instead of being locked out of the house I could fall back to the old lock-n-key method."

(a) Nevermind the authentication -- unless you're still using cylinder locks, the weakest link will be the physical bolt itself. Get something which can withstand a battering ram before you worry too much about lockpicks.

(b) Get one of those coded safes that they use in hotel rooms -- cement it into your garage floor, set a long code on it, and put a spare set of house keys inside.

(c) If you have cylinder locks, then anyone with a pick set already has a universal key to your house.