Jump to content

Is it impossible to get eye images with an infrared camera?


Recommended Posts

@yayumura To add some context, this is expressly not allowed as images of the iris are individually identifiable biometric data (meaning you can't change it like  a text password). We're not allowed to provide access to these images per our technology licensing agreements with Tobii and per the T&C of the integrated solution in the Pro Eye headset.

Here is the developer agreement for the Pro eye in full (May 2019):

Quote

SDK Developer Privacy Guidelines:
This SDK contains software which collects facial images and processes those images into user facial feature data for VIVE Pro Eye or other HTC VR products. Facial feature data includes eye tracking data (such as gaze position, pupil size and eye openness), but not actual images or representations of the face, eyes or lips. Facial feature data but not actual facial images or representations are available to the SDK developer. Information about how this SDK collects and processes facial feature data that the SDK developer can collect and use can be found in the Vive Eye Tracking section of the HTC Learn More page. We recognize the importance and privacy of user data, and to create a platform that supports these values we require developers who use this SDK to conduct the following self-review privacy checklist:
- You must post a conspicuous privacy statement to users in your application disclosing the use of facial tracking technology and collection of facial feature data. Such privacy statement shall describe your collection and use of facial feature data, including what data is collected, how data is being collected and used, purpose of data usage, whether any data is shared with third parties, data retention etc.
- You must keep your privacy statement up-to-date as you make changes to your data processing practices such as what type of facial feature data you collect, and how you use it or if you add new features and functionality to your application that may affect user privacy.
- You must get explicit opt-in consent before you collect facial feature data where required by applicable laws.
- You must only collect or provide access to facial feature data which is required to accomplish the task or functionality in your application and as disclosed in your privacy statement.
- While this SDK might allow you to access certain facial feature data, you must not, and must not attempt to, collect, store, distribute or transfer eye image data.
- You must not use any facial feature data, on its own, as an identifier to identify or recognize an individual.
- You must not share facial feature data with third parties without user consent or otherwise complying with data protection law.
- If you share or make available facial feature data to any third party, you must ensure that third parties comply with the same requirements in these guidelines.
- If you collect or use facial feature data for profiling or behavioral analysis, you must provide a mechanism for users to reject profiling and behavioral analysis.
- If you process facial feature data about individuals in the European Union, you must comply with all terms of European Union’s General Data Protection Regulation (“GDPR”) and any corresponding or equivalent national laws or regulations.
- If you collect facial feature data of a minor (subject to the definition of children age under applicable laws), you must comply with applicable data protection laws meant to protect children (such as the U.S. Children’s Online Privacy Protection Act (“COPPA”)).
- If you use, collect or process facial feature date for healthcare or health research use, you must comply with applicable data protection laws and relevant healthcare or medical regulations and determine for yourself if our product meets your compliance needs (we note that we are not and do not desire to be a business associate, under HIPAA, with respect to your application).
- You must implement appropriate security measures to protect the confidentiality and integrity of facial feature data and prevent unauthorized access, use or disclosure, such as using industry standard encryption methods when appropriate.
- Don't sell or license any facial feature data received through this SDK.
- Don't use a service provider to process facial feature data you received through SDK unless you make them sign a contract to: (a) protect any facial feature data you received through us (that is at least as protective as our terms and policies), and (b) limit their use of that facial feature data solely to using it on your behalf to provide services to your application (and not for their own purposes or any other purposes). You must ensure they comply with our terms and policies (and you are responsible for their non-compliance).
- Don't use facial feature data obtained through this SDK to discriminate (including based on race or gender) or make decisions about eligibility to participate in plans or activities, including to approve or reject an application or charge different interest rates for a loan.

Published May 2019

 

  • Like 1
Link to comment
Share on other sites

  • 3 months later...

@imarin18, please refer to my post here explaining the different SDK options around Pro-Eye. This is a situation where we're licensing Tobii's technology and Tobii has determined the level of API access to their hardware that's available in the SRAnipal SDK. In order to gain deeper API access to the hardware, you need to license Tobii's first party SDK (the Tobii XR SDK) and you'll need to meet and agree to the terms and conditions specific to their XR SDK.

Please bear in mind, that once your doing things like accessing retinal images, your legal obligation as a developer/studio to protect user's biometric data and privacy is dramatically increased under international regulatory frameworks, especially GDPR. It isn't a situation where you simply flip a switch in your project and viola - prior to your collection beginning, your organization also has to have the legal and technical framework to safely collect and protect protect bio-metric data and other PII. Your studio may face additional regulations and security audits around your use of biometrics, especially if you're capturing data on EU citizens due to GDPR. It all really depends on where your studio is located and where your users will be - with GDPR currently being the international gold standard. Even though SRAnipal doesn't allow access to retinal imagery, the data the SDK generates is definitely legally protected  PII and our SRAnipal SDK requires developers to meet corresponding security requirements as laid out in the SDK's developer agreement.

Bio-metrics are a pretty serious topic as you can't alter/change your own bio-metric data if it's leaked in a breach. As such - you're probably going to see a similar setup across all major hardware platforms that integrate eye tracking where the base SDK will be geared towards "feature data" rather than raw data.

@yayumura

Link to comment
Share on other sites

Dear @VibrantNebula

Thank you very much for your reply and the explanation. I understood the conditions. I will ask Tobii if they are still supporting XR SDK for HTC VIVE Pro Eye. Regarding the privacy concern, I totally agree with you. Since the retinal images captured by IR camera include biometric information that could lead to identifying persons, we should be really careful of handling the data. I will check the conditions in my case.

Best regards,

imarin18

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...