Similarly to the CarMen project, PopEye aims to implement advanced biometric technologies for on-the-move identity verification at EU borders. Such “unobtrusive” solutions promise the ability to perform “identification and verification of people on the move and without stopping them, at up to 200m distance, when multiple travellers cross borders, on foot or inside the same vehicle, in different nature e.g. open-air conditions, night, time, time constraints, space constraints, etc.”.
PopEye outputs ensure compliance with the GDPR and AI Act, and beyond that to “empower the EU values and fundamental rights”, while at the same time avoiding “bias and discrimination”.
To “stay ahead of the curve”, PopEye technologies will also comply with EU migration policy, such as the ‘Migration Pact’, and will immediately be compatible with the forthcoming Entry-Exit System and with all “emerging initiatives” on the interoperability of the EU’s large-scale IT databases.
Impacts are foreseen at social, economic and environmental levels. These include:
1) fostering “general trust in and acceptance of biometric technologies”
2) enhancing accuracy, reducing human error, mitigating bias, and leading to “better-informed decisions”
3) positioning “European research institutes, universities and companies at the forefront of biometric recognition R&D”, thus “increasing the block’s competitiveness”
4) facilitating “the movement of goods and people with minimal disruptions”, and therefore “stimulating economic activity” (as the project’s About clarifies, “Not only are longer waiting times a source of frustration for travellers and Border Authorities alike, but they also carry significant economic implications: increased costs, reduced competitiveness for businesses, disruption of supply chains, and decreased revenues for tourism and other sectors”)
5) reducing carbon emissions “through less energy-intensive algorithms and a more efficient use of transportation resources.”
Interestingly, consortium members claim that PopEye answers to the specific demands highlighted by Frontex in a 2021 report on the development of ‘Artificial Intelligence-based capabilities for the European Border and Coast Guard‘, in particular through the addition of gait recognition.
But while the report did argue that gait recognition, when combined with 3D facial recognition, could facilitate identification and verification “on the move for seamless border crossings”, it also argued that gait recognition — together with periocular recognition, crucial in the CarMen project — is at the “childhood” stage of its technology lifecycle.
This means that for both gait and periocular recognition, wrote the Frontex analysis, “their future impact on the sector is impossible to determine based on the data. The clusters contain technologies that might find applications in border checks but for which no dominant design exists”. The report even added that “Research focused on such technologies is generally limited, and few researchers concentrate on them. Consequently, the majority of publications are authored by a narrow group of researchers.” There was only one EU-funded R&I project on gait recognition at the time of writing.
According to the Frontex report, gait recognition is also particularly risky, gaining a score of 4 out of 5 in “Comparative inherent vulnerability to adversary attacks”, as the technology is
1) “not very distinctive”
2) “vulnerable to presentation attacks”
3) “not suitable as the main modality for recognition at border checks”
and 4) “Gait pattern may be impacted by various factors, including temporary health issues”.
The report does however say that it is “suitable for on-the-move acquisition” and can “easily” be “captured from a distance”.
Finally, the estimated “Earliest Time to Mainstream (ETM)”— i.e., the shortest time required for the envisaged technological solution to become available on the market and widely adopted in border checks at external EU borders — for gait recognition was 10 years, in 2021. This means that no real-world application is envisioned before 2031, according to Frontex. PopEye’s own Grant Agreement, which we obtained in redacted form from the Research Executive Agency, mentions “on-the-move biometric recognition methods with earliest time to maintenance 5-10 years”.
And yet Biometric Update, the site that first reported on the existence of the PopEye project, claims that “If the project is successful, it will lead to the introduction of innovative biometric technologies for use by EU citizens and third-country nationals.”
PopEye aims to develop technological solutions for “on-the-move biometric recognition” at EU borders. According to the project’s Grant Agreement, “on-the-move” means “while the travellers are moving and without cooperation from them”.
The redacted document also explains that such solutions include “3D face recognition, infrared face recognition, gait recognition, and iris recognition in the NIR (near-infrared, ndr) and visible spectrum, all designed to excel in challenging border control environments (inside a vehicle, by foot, at open air, night-time, difference distances, constraint environments etc.).”
To obtain “clear improvements on acquisition, processing and validation, compared to the state-of-the-art”, “pioneering mechanisms” will be developed, including “robust face and iris at different natures (…) and contactless ridge and behavioural recognition” that can operate in “challenging border control environments”.
Efforts will be directed at obtaining unprecedented “Face and Gait Recognition at Longe Distance” capabilities, together with others derived from experimental proofs-of-concept developed in other EU-funded projects, such as D4FLY (for iris recognition in the NIR spectrum), ISOLA and VICTORIA (for “Infrared Face Recognition at different natures”), MOBILEPASS AND FASTPASS (for contactless ridge recognition), PRIMA and TURBINE (for 3D face recognition).
Going beyond the current state of the art, these new technologies will “revolutionize biometric identification in mobile scenarios, allowing individuals to be identified without stopping”, reads the document.
How ? For example, through innovative “Contactless friction ridge recognition”. The agreement describes it with unusual clarity:
“PopEye will introduce a novel technology that allows the instant identification and identity verification based on the distinctive patterns of lines and ridges in the human hand and fingers. It will develop a prototype that combines various biometric traits, including hand geometry, fingerprints, hand palm, knuckles, and infrared-based features such as vascular patterns.”
This means that “identification and person verification based on human hand, finger and vein through 3D infrared technologies” will be possible.
The project has extremely ambitious key performance indicators (KPIs), which we could read in detail in the Grant Agreement we obtained. Target measurable KPIs for the desired technologies include
– “identification and person verification range > 200m”
– “identification and person verification compatible with policies introduced during pandemics” (including “Systematic assessment of the technology’s adaptability to pandemic-related policies conducting tests under controlled conditions (face masks, social distancing, etc.”) (PopEye advertises itself as a pandemic-ready tool at EU level, ndr)
– “reduction of time required to recognize a citizen > 30%”
– “reduction of queues at the border by > 70%”
– “improved citizens’ experience when crossing the borders > 80%”.
– “Iris recognition in the visible spectrum, biometrics-on-the-move up to 6m with accuracy > 99%”.
Time and again, redactions in the document we obtained indicate the clear will to hide some technological components of the PopEye solution from public view. Why?
Included in the agreement we obtained is a table on “Links to other National and International Projects”. It details specific components of previous projects PopEye vows to build on. These include SafeTravellers, iMARS, METICOS, BEAT, PERSONA, BODEGA and FLEXI-cross.
Parts of it are redacted, but we can still read that SafeTravellers “will provide mechanisms for detecting various impersonation attacks at biometrics”, whereas identity fraud detection techniques developed over the course of the iMARS project will be leveraged. Impact assessment methods and tools will be imported from METICOS, BODEGA and PERSONA, while FLEXI-cross will provide “the portable biometric based checks” and modules for real-time verification that might constitute the building blocks for viable “biometrics on the move” solutions.
Background results will also be used from projects such as TENSOR and CEASEFIRE, which involved partners of PopEye.
A new cluster of EU projects on biometric technologies and border security (at least 10) — possibly including some of the ones we analyzed and mentioned: ODYSSEUS, SafeTravellers, EINSTEIN, iMARS, TENSOR — is also included among PopEye’s KPIs.
The project’s official website lists SafeTravellers, TENSOR, ODYSSEUS, CarMen and EINSTEIN as “related projects”.
Lastly, PopEye is coordinated by Austrian Institute of Technology, which is also coordinator of BorderForce and consortium member for the SafeTravellers project. According to Cordis data, these three projects alone awarded the institute more than 1,7 million euros in EU funding.
Two pilots will be conducted. The redacted Grant Agreement we obtained specifies that “extensive pilot tests in real-world border control scenarios, both at land and sea borders” will be conducted, “through deploying the PopEye framework in realistic settings to assess its performance under diverse conditions”. These will be held “in the context of the two most challenging border control points across land and sea borders”. As revealed by a consortium member, EAB CEO Dinusha Frings, on LinkedIn, the pilots will take place at the external borders of Finland and Romania (in the same post, she enthusiastically proclaims that “The future of identity is biometrics!“).
A working package (WP9) is dedicated to “Pilot Demonstrations and Validation Campaigns”, but its description is redacted in the document we received from REA. We can only read that deliverable D9.1 concerns “Pilot preparation protocols and evaluation”, and that its corresponding description only reads that “only information which can be published should be contained”.
Similarly, the two-liner description we can read about D9.3 ‘Pilot assessment and user acceptance evaluation’ states that “only information which could be published publical [sic] should be included. For sensitive information there exists an annex”.
Agencies such as eu-LISA, Frontex (through its Technology and Innovation Centre) and Europol (through its Innovation Lab) will also be providing their feedbacks.
In terms of expected technology readiness level (TRL), KPIs reveal that “Targeted TRL for PopEye framework” is “> 5”, same as “Societal Readiness Level”. This means that for PopEye prototypes the testing environment is expected to be “as closer as possible to a realistic one, although still (…) under a control mode”, at project completion and in the best possible scenario. It would however also mean that the envisioned solutions are actually “feasible from a technological point of view“.
Furthermore, the agreement specifies that “(…) the partners will actively seek opportunities to advance the PopEye project to subsequent TRLs and its eventual operational deployment”. Among the KPIs, we can in fact read:
“Number of adopters of the overall or individual biometric components during their early stages > 10”.
Consistently, and crucially, some law enforcement agencies already plan on adopting PopEye solutions, the document reveals. For both the Finnish Minister of Interior and the Timisoara Border Police Territorial Inspectorate in Romania, the Grant Agreement writes: “the developed technologies within PopEye will be adopted (…) to enhance the current border control process and bolster the safety of border control points”.
A broader future of security and profit is ambitiously envisioned in the Grant Agreement we obtained. In fact, while the project’s “Exploitation Strategy” section is redacted, we can still read that
“To realize the market potential of PopEye, the project aims to generate value by translating project outcomes into market-ready offerings”, and that
“Additionally, there is an exploration of establishing a spinoff company that project partners will jointly participate in as shareholders”.
Lastly, we could read that PopEye’s vision goes well beyond EU borders:
“Given that the solution adopts a Business-to-Business (B2B) approach coupled with a SaaS business model, it is anticipated to yield substantial revenue streams on both European and global scales”.
While informative, the Grant Agreement we obtained from REA suffers from several substantial redactions. These include:
– the list of Working Packages, meaning that we don’t know what the project will do and what deliverables will produce except for 4 WPs focussed on Project Management and Communication, Dissemination and Exploitation strategies;
– the list of deliverables, together with the details for each deliverable;
– most of the list of critical risks;
– significant portions of the “Impact” section.
We do however learn that consortium members expect a “profound” social impact from PopEye solutions, “with implications spanning various dimensions of public life and governance.” In fact, “Through this seamless border crossing experience, EU citizens will feel more comfortable and safer during their journey”.
Similarly to CarMen’s, the forthcoming EU Entry-Exit System (EES), which responds to the same overall logic and needs of EU migration policy, is however considered a threat in PopEye’s Grant Agreement. The concern, when the EES will actually be effective, is a “significant increase in waiting times at the borders”, with Austria expecting “the waiting times to double”.
This justifies a noticeable increase in data collection. PopEye itself will indeed handle a considerable amount of data and information, including
– “raw data from biometric sensors capturing travellers on-the-move. These datasets may also include gait patterns, iris scans, palm prints, etc.”, and
– “advanced algorithms for biometric recognition on the move, including image processing techniques, feature extraction methods, machine learning models and deep learning architectures coupled with data on environmental conditions (lighting, weather, and spatial constraints”.
Four Working Packages will concern the safeguard of “EU values” and human rights (GDPR, Ethical guidelines on Trustworthy AI and AIA-compliant solutions). Renowned experts from the Universities of Leuven and Brussels will be dealing with this, and specific “Measurable Outcomes and Success Indicators” include KPIs such as
– “Success rate in mitigation effectiveness >99%”
– “Percentage of identified ethical risks mitigated = 100%”
– “AI Act compliance through conformance check”.
PopEye promises “technically robust and trustworthy AI systems coupled with biometric technologies” focused on transparency of the adopted AI models (“explainability-by-design” approach, “glass-box” explainable models), reliability and fairness (“elimination of any potential bias in the algorithms” through “dedicated mechanisms” that “ensures fairness of the produced AI recommendations”), and the protection of data in AI models.
Full compliance with the AI Act is declared. Interim and final DPIA+s and FRIAs are also expected.
And yet, the project claims it will only “strive to create a balance between security measures and the preservation of fundamental rights”, rather than promising their full protection (does this mean that in certain cases security can and should be obtain without the preservation of fundamental rights?, ndr).
Also, while PopEye will try and minimize its environmental impact (by “minimising reliance on large, energy-intensive data centres” and using “algorithms that are less energy-intensive”, even if it is not clear compared to what), “evolving regulatory landscapes”, “changes in political administrations” and even the “lack of international collaboration and standardization in biometric technologies” are all discussed as “political barriers”.
Tellingly, the agreement states that “Public concerns and political debates surrounding the use of biometrics for surveillance and border control may impact the project’s acceptance”.
It is pretty clear that consortium members would prefer to unilaterally adopt the solutions they are developing, rather than democratically discuss them. In the document, in fact, resistance to adoption is portrayed as only motivated by “lack of understanding or awareness about biometric technologies” — which, “especially in sensitive domains like border control, can impede acceptance”. “Cultural sensitivities in certain communities or regions” could also prevent acceptance, but the agreement doesn’t say which ones it is referring to more precisely.
As stated above, there seems to be a consistent pattern of redactions for certain PopEye functionalities, preventing them from public scrutiny. Working Packages 5 and 7 seem to be the ones containing their forbidden details. From what we could read, they deal with “developing components related to ridge and behavioural recognition during “on-the-move” situations”. We could not however understand which ones exactly and why they’ve been consistently redacted throughout the document.
In challenging the REA’s initial disclosure, we learned that not even the list of work packages, deliverables, milestones and critical risks could be disclosed (except for some extremely marginal exceptions), as they “play a critical role in maintaining the competitive edge and strategic advantage of the companies” involved in the PopEye project. This clearly undermines their commercial interests, wrote REA Director, Marc Tachelet.
Lastly, we also obtained the disclosure of the project’s ‘Evaluation Summary Report‘. While comments are generally positive, some issues are highlighted:
– KPIs were “not sufficiently benchmarked in terms of baselines or adequately substantiated”;
– “the justification for including behavioural biometrics in border control is presented, but how they will be deployed for identification on the move is insufficiently addressed”;
– “The scale and significance of impacts have not been sufficiently substantiated, which is a shortcoming.”
