
Iris — Commercial compliance: editions, model licences, biometric law

How to ship Iris as a legally-clean paid product without buying anything (except, if the customer wants face recognition, a commercial face-model licence — see §4). This is the configuration story; the model-licence background is in docs/LICENSING.md.

1. Two editions (one codebase, set by config)

| Feature | Personal / full (current default) | Commercial — detection-only (the GA default) |
|---|---|---|
| biometrics_enabled | true | false |
| Face recognition (buffalo_l) | on | off |
| Identity gallery / Re-ID | on | off |
| Age / gender | on | off |
| Detection (person/vehicle/…) | on | on |
| Event recording + clips | on | on |
| Counting / zones / dwell | on | on |
| Speech-to-text (subtitles, transcripts) | on | on |
| Voiceprints (speaker ID) | consent-gated | off until consent |

biometrics_enabled=false is the master gate (app/workers/manager.py::_gate_biometrics, app/main.py recognizer/FaceIndex boot). It forces face/reid/age-gender OFF regardless of per-camera settings. The running developer instance keeps the true default; the commercial sealed image provisions false so a paid box is legally clean out of the box. The effective value is surfaced at GET /health as biometrics_enabled.

2. Model licences vs the clean config (from docs/LICENSING.md)

| Model | Role | Licence | Clean commercial path |
|---|---|---|---|
| YOLOv8n | detection | AGPL | ship RT-DETR (Apache, app/detect/rtdetr_onnx.py) as the default detector — scripts/fetch_rtdetr.py |
| OSNet (MSMT17) | appearance Re-ID | research-only | replace with DINOv2 (Apache) appearance backend, or leave Re-ID off in detection-only edition |
| buffalo_l | face detect+recognise | non-commercial | off by default (detection-only). Opt-in needs a commercial InsightFace licence (§4) |
| ffmpeg | decode/encode | GPL if --enable-gpl | build LGPL ffmpeg for distribution (drop --enable-gpl); keep NVIDIA EULA notice |

In the detection-only edition none of the non-commercial / research-only models above (buffalo_l, OSNet) is loaded at runtime (face/reid off), so the only remaining items are the detector (ship RT-DETR, not YOLOv8) and an LGPL ffmpeg — both free. That makes the shipped product licence-clean with zero purchases.

3. Biometric / privacy law (why detection-only is the safe default)

Face recognition and voiceprints are special-category biometric data:

  • EU / world: GDPR Art. 9 (explicit legal basis + DPIA) and the EU AI Act (remote biometric identification is high-risk / partly restricted). Shipping biometrics on by default is a real exposure.
  • Russia: 152-ФЗ (personal-data localisation) + the biometric-data law (consent, ЕБС — the Unified Biometric System).

Detection-only (people/vehicles/counting/recording, no identification) avoids special-category processing entirely. Biometrics become an explicit, consent-gated opt-in — which is both the licence posture (§4) and the lawful-basis posture. Voiceprints already have a write-time consent gate (voice_consent_required, per-identity voice_consent).

4. Enabling biometrics (customer opt-in)

Legal document templates (EULA, privacy notice, DPIA, biometric consent, and a per-jurisdiction matrix for EU/US/Ukraine/Russia/CIS) live in legal/ — see legal/README.md. They are drafting starting points, not legal advice (counsel must finalize).

A customer who wants face recognition must, before flipping biometrics_enabled=true:

  1. Licence a commercial face model — a commercial InsightFace licence for buffalo_l (recognition-oss-pack@insightface.ai), or drop in their own licensed pack (insightface_pack). This is the only paid item; the vendor does not bundle it.
  2. Establish a lawful basis + consent for biometric processing in their jurisdiction (signage/notice, DPIA, retention policy). Iris records voice consent per identity; face consent is the operator's policy responsibility.

The vendor ships detection-only; the customer assumes biometric licence + legal-basis responsibility when opting in. Put this in the EULA.

5. Commercial build recipe (GA, no purchases by the vendor)

The provisioner already writes the clean runtime config — scripts/provision_appliance.sh defaults to EDITION=commercial, which sets biometrics_enabled=false, detector_backend=rtdetr, integrity_check_enabled=true, IRIS_SECRET_KEY_MODE=derived. The remaining items are done at image-build time (run on the build host, not covered by tests):

(a) Apache detector instead of AGPL YOLOv8 — fetch RT-DETR, drop the YOLO weights:

```bash
python3 scripts/fetch_rtdetr.py --out models/rtdetr.onnx     # PekingU/rtdetr_r50vd, Apache-2.0
rm -f models/yolov8n.onnx                                    # do NOT ship AGPL weights
```

(b) Do NOT bundle the non-commercial weights in the commercial image — exclude models/buffalo_l* (InsightFace) and models/osnet* (research-only). With biometrics_enabled=false they are never loaded anyway; not shipping them removes all doubt. A customer opting into biometrics supplies their own licensed pack (insightface_pack).

(c) LGPL ffmpeg — Debian's ffmpeg is built --enable-gpl. For distribution use an LGPL build (multi-stage; BtbN publishes LGPL static builds), replacing the apt install:

```dockerfile
FROM debian:bookworm-slim AS ffmpeg
ADD https://github.com/BtbN/FFmpeg-Builds/releases/download/latest/ffmpeg-master-latest-linux64-lgpl.tar.xz /tmp/ff.tar.xz
RUN tar -xf /tmp/ff.tar.xz -C /opt && mv /opt/ffmpeg-*-lgpl /opt/ffmpeg
# in the runtime stage:
# COPY --from=ffmpeg /opt/ffmpeg/bin/ffmpeg /opt/ffmpeg/bin/ffprobe /usr/local/bin/
```

Verify that ffmpeg -version does not list --enable-gpl among its configuration flags. Keep the NVIDIA EULA notice for the CUDA base image.

Release checklist

  • [ ] Provision with EDITION=commercial (biometrics off, RT-DETR, integrity on).
  • [ ] RT-DETR fetched; YOLOv8 weights removed from the image.
  • [ ] buffalo_l / OSNet weights not bundled (opt-in customer supplies a licensed pack).
  • [ ] ffmpeg is LGPL (no --enable-gpl); NVIDIA EULA notice retained.
  • [ ] EULA: biometrics are opt-in and require a customer-supplied face-model licence + lawful basis.
  • [ ] (Per market) privacy notice / DPIA template shipped with the appliance.
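An audit script that encodes the master-gate semantics from §1 and the release checklist above, added here as an illustration and not Iris's own code. It assumes the config keys and models/ layout named on this page; the function names and the sample config are mine.

```python
"""Commercial-edition release audit, added as an illustration (not Iris's own code).
Encodes the rules above: the biometrics_enabled master gate, per-identity voice
consent, the rtdetr detector requirement, no restricted weights, LGPL ffmpeg."""
import fnmatch
import os
import subprocess
from typing import Iterable

# Weights that must not ship in the commercial image (AGPL / non-commercial / research-only)
RESTRICTED_PATTERNS = ("yolov8*", "buffalo_l*", "osnet*")
GATED_FEATURES = ("face", "reid", "age_gender")

def effective_features(config: dict, camera: dict) -> dict:
    """Per-camera toggles are ANDed with the master gate, so biometrics_enabled=false
    wins regardless of camera settings; plain detection is never gated."""
    gate = bool(config.get("biometrics_enabled", True))  # developer default is true
    out = {f: gate and bool(camera.get(f, False)) for f in GATED_FEATURES}
    out["detection"] = bool(camera.get("detection", True))
    return out

def voiceprint_allowed(config: dict, identity: dict) -> bool:
    """Voiceprints are gated twice: the master gate, then per-identity consent if required."""
    if not config.get("biometrics_enabled", True):
        return False
    if config.get("voice_consent_required", True):
        return bool(identity.get("voice_consent", False))
    return True

def audit_image(bundled_files: Iterable[str], config: dict, ffmpeg_version: str) -> list:
    """Return checklist findings; an empty list means the image is licence-clean."""
    findings = []
    if config.get("biometrics_enabled", True):
        findings.append("biometrics_enabled must be false in the commercial edition")
    if config.get("detector_backend") != "rtdetr":
        findings.append("detector_backend must be rtdetr (YOLOv8 is AGPL)")
    for name in bundled_files:
        if any(fnmatch.fnmatch(os.path.basename(name), p) for p in RESTRICTED_PATTERNS):
            findings.append(f"restricted weights bundled: {name}")
    if "--enable-gpl" in ffmpeg_version:  # ffmpeg -version prints its configure flags
        findings.append("ffmpeg is a GPL build; ship an LGPL build")
    return findings

if __name__ == "__main__":  # run on the build host against the staged image contents
    files = os.listdir("models") if os.path.isdir("models") else []
    cfg = {"biometrics_enabled": False, "detector_backend": "rtdetr"}  # constructed sample
    try:
        ver = subprocess.run(["ffmpeg", "-version"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        ver = ""  # no ffmpeg on PATH; the GPL check is then skipped
    print("\n".join(audit_image(files, cfg, ver) or ["OK: commercial edition is licence-clean"]))
```

Run it from the image staging directory; any non-empty output is a checklist item that still fails.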