The topic of school safety evokes a visceral response from parents, teachers, administrators, and lawmakers. It’s the subject of Gallup polls, nonprofit mission statements, and countless studies, all attempting to make campuses and schools more secure.
For several southern California schools, the latest attempt comes in the form of biometrics.
The Antelope Valley Schools Transportation Agency (AVSTA), which serves four school districts in the Lancaster, Calif. area, is testing iris scanning devices on three special needs buses this semester through December. It’s meant to ensure that no student is accidentally left on the bus. Though the trial has been a few months in the making, the death of a special needs student in September in Whittier, Calif., who died of unknown causes after being accidentally left on a school bus, fortified the transportation agency's efforts to find a solution to keep something like that from happening in their districts.
"This could be the long awaited silver bullet to solve the problem of, 'where is my child?' " said Shawn Cabey, administrator at Westside Union School District, which is testing the scanners. Mr. Cabey is the vice president of the AVSTA board of directors.
The experiment in California comes as schools nationally are increasingly deploying technologies to monitor students in the name of safety. In recent years, districts across the country have implemented social media monitoring to detect threats, and some debated fingerprinting to help improve the speed of a lunch line. Iris scanners are rarer in schools, but have been used as replacements for student ID cards in multiple states. Iris scanners are commonly used by law enforcement agencies at airports such as Amsterdam Airport Schiphol, border crossings in the United Arab Emirates, and in prisons.
While some school administrators see the scanners as an innovative way to bolster safety, the devices come with a host of privacy issues, according to privacy experts.
When it comes to iris scanning in general, advocates are particularly concerned about how securely the iris data is stored, whether that data is shared and with whom, and the ability to track people through long-range iris scanning.
Those concerns feel even weightier when school kids are added to the equation.
Sold by a company called Iritrak, the devices on buses look like a pair of binoculars attached to a tablet by a cord. When a student boards the bus, he or she looks into the binoculars while it takes a scan of both irises and matches it against the Iritrak database. Then, the bus driver receives a notification of whether or not the student is authorized to board the bus at that stop, and the school gets a notification that the student has boarded the bus. Parents can also remotely track their student’s bus in real time via an app.
"The thing that kind of appeals to me about the process is that the method of identification is acutely attached to the child," said Morris Fuselier III, chief executive officer of the transportation company. Unlike a bus pass, which can be lost, stolen, or misplaced, the iris isn’t something a student needs to keep track of, Mr. Fuselier said.
It's also a fairly reliable way to tell people apart. Iris scanning cameras use near-infrared light to see past the surface of the eye and detect that specific iris' texture. What's more, irises can't easily be changed. Research into exactly how unique irises are from one another is ongoing, but Dr. Arun Ross, director of the Integrated Pattern Recognition and Biometrics lab at Michigan State University, said its unique patterns and unchanging nature make an iris a "powerful" identifier.
This is where privacy advocates begin to worry.
"You’re collecting a piece of information you can't change, and you're doing it to solve a problem that may have easier nontechnical solutions," said Chris Calabrese, vice president for policy at the Center for Democracy and Technology (CDT). Solutions, he said, could include requiring the bus driver walk to the back of the bus to check for students.
Because of the sensitive nature of iris scanning, Mr. Calabrese said, vetting a company's security measures is paramount for schools pursuing the practice. That begins with understanding what data is being collected and how it is used. For iris scans, the first level of collection is whether only the iris scan will be collected, or if other personal information, like name and contact information, will also be linked to the scan.
In Iritrak’s case, only scans of the students' irises are collected and stored by the company. Personal information, including student names, addresses, phone numbers, birthdays, and emergency contact information is kept in a separate database maintained by contracting schools.
According to Michigan State’s Dr. Ross, iris scanners generally work the same way, but with slight variations per company depending on any proprietary elements they have. Each system, though, begins with enrolling people into a database. For an iris scanner to verify a person is who they say they are, there must be an existing iris scan on record match against. This is done by taking several pictures of the eye with the scanner to identify the unique points in someone’s iris.
Then, the image is converted into a binary code. That code is stored in the database and used as a baseline to match future scans of that person's iris against. According to Ross, many companies have proprietary algorithms when converting the images to code, meaning that if the same person was scanned by multiple companies, the codes produced would likely be different.
Companies that run iris scanning systems can either retain the original picture of the iris and the code, or they can discard the image and just keep the code. Keeping the picture, Ross said, can allow a company to generate a new code for that iris should the original code be compromised, but that can also be accomplished by applying a mathematical function to the existing code if the picture is deleted.
Privacy advocates' concern is whether the image could be used by another company to create a record of that person. While the images can be reverse engineered to create an approximate image of an iris, it won’t do anyone much good, said Ross. Recreated irises are easy to identify if the system knows how to detect them, and it’s still up for debate how much – if any – reliable information someone can glean from an iris picture, such as health or gender.
According to biometrics expert Samir Nanavati, author of "Biometrics: Identity Verification in a Networked World," whether or not a company keeps the image is an important part of the privacy puzzle, but there are other factors to consider as well. "It’s a spectrum, but the less you keep the better," he said.
Data retention and storage
What also matters when it comes to preserving people's privacy with iris scans, privacy experts said, is how long the data is kept and whether there are appropriate security measures while stored. Appropriate security measures, they said, include anonymity. According to Iritrak, scans in the school bus test are given a unique identifier not associated with the student's student ID number to anonymize the database entries. Those are stored in a cloud server, encrypted, until the schools request the information be deleted, according to Iritrak founder John DeVries.
Parents, and the schools, can follow along with a student’s ride by accessing an online portal protected with a username and password. For parents, that means seeing in real time where their child is to ensure that their student gets home or to school. For schools, that means tracking buses and every student on the bus in real time. School administrators can also add or subtract stops from a route.
"I don’t think it can be right that this is somehow anonymous information," the CDT’s Calabrese said. "You can say say it's not linked to child's name, but if a parent can know whether the child is on a bus or not, it's not anonymous." This could also be an area of concern if someone other than an authorized guardian or school official obtained a login credential, he notes.
But Iritrak's Mr. DeVries said he was not concerned about this, insisting that the schools will take security seriously.
Sharing and selling data
When asked if Iritrak would sell or share any student data collected, DeVries said, "Heck no!"
It may be, however, that his verbal agreement is all that exists – at least for now. Since the program is only a trial, Iritrak has no formal contract with the transportation company that would regulate the sharing or selling of student data collected, according to DeVries.
This has privacy advocates concerned. Without something more firm, Calabrese said, "There’s nothing that would prevent the company, except maybe a contractual agreement with the school, from selling or sharing the information."
There are also relatively few laws that protect biometric data. The Family Educational Rights and Privacy Act requires that biometric records not be disclosed without consent. According to privacy lawyer Leeza Garber of Capsicum Group, the Children’s Online Privacy Protection Act, which governs the collection of personal information for children under 13 by websites, could apply in the Iritrak case. Illinois’ Biometric Information Privacy Act, she said, will likely be looked to as a standard. BIPA is the most comprehensive law governing biometric privacy, as it regulates the "collection, use, safeguarding, handling, storage, retention, and destruction" of biometric information.
Scope creep, where the technology could be used in ways beyond the original mandate, is another facet to examine, Calabrese said, as any other areas iris scanning is used could bring further concerns.
For Iritrak, founder DeVries said there are multiple other uses for the product -- such as keeping attendance or checking out in the lunch line -- that he and the schools have yet to explore.
The possibilities are reminiscent of fingerprint-scanning lunch programs in Colorado, Pennsylvania, New Jersey, and West Virginia. After a Colorado school proposed fingerprint scanning to speed up lunch lines, parents raised enough concern about identity theft and government tracking that the plan never saw the light of day.
While the schools involved are not currently pursuing any additional use of the iris scanners, parents of children in the pilot program are noticeably absent from the school bus scanner debate. According to AVSTA CEO Fuselier, the bus service sent multiple letters home to parents and called their homes, offering to schedule meetings to address any concerns the parents have. But no one came.
"We kind of took it as a good sign that the communications we had with them [before] the trial gave them the explanation they needed and we had no one opt out," Fuselier said. There will likely be parental concerns once more students are involved should the program move forward, he said.
One way that companies can reassure customers that their security measures are up to par is through an independent audit. A third party will compare the company's security measures to best practices and recommend areas for improvement. But Iritrak founder DeVries said he doesn’t see a need for a security audit beyond security checks the schools do before contracting with a company. For parents who are uncomfortable with the service, he said, just don’t use it.
"If you don’t like it opt out," he said. "It’s only security of your child."
According to the Capsicum Group’s Ms. Garber, not opting for an audit is concerning. "There is no system that can be 100 percent secure every minute of every day," she said. "The threat technology moves faster than the security can keep up."