# Iris — Commercial compliance: editions, model licences, biometric law
How to ship Iris as a legally-clean paid product without buying anything (except, if the
customer wants face recognition, a commercial face-model licence — see §4). This is the
configuration story; the model-licence background is in docs/LICENSING.md.
## 1. Two editions (one codebase, set by config)
| Setting / feature | Personal / full (current default) | Commercial — detection-only (the GA default) |
|---|---|---|
| `biometrics_enabled` | `true` | `false` |
| Face recognition (buffalo_l) | on | off |
| Identity gallery / Re-ID | on | off |
| Age / gender | on | off |
| Detection (person/vehicle/…) | on | on |
| Event recording + clips | on | on |
| Counting / zones / dwell | on | on |
| Speech-to-text (subtitles, transcripts) | on | on |
| Voiceprints (speaker ID) | consent-gated | off until consent |
biometrics_enabled=false is the master gate (app/workers/manager.py::_gate_biometrics,
app/main.py recognizer/FaceIndex boot). It forces face/reid/age-gender OFF regardless of
per-camera settings. The running developer instance keeps the true default; the commercial
sealed image provisions false so a paid box is legally clean out of the box. Surfaced at
GET /health → biometrics_enabled.
## 2. Model licences vs the clean config (from docs/LICENSING.md)
| Model | Role | Licence | Clean commercial path |
|---|---|---|---|
| YOLOv8n | detection | AGPL ❌ | ship RT-DETR (Apache, app/detect/rtdetr_onnx.py) as the default detector — scripts/fetch_rtdetr.py |
| OSNet (MSMT17) | appearance Re-ID | research-only ❌ | replace with DINOv2 (Apache) appearance backend, or leave Re-ID off in detection-only edition |
| buffalo_l | face detect+recognise | non-commercial ❌ | off by default (detection-only). Opt-in needs a commercial InsightFace licence (§4) |
| ffmpeg | decode/encode | GPL if built with `--enable-gpl` | build LGPL ffmpeg for distribution (drop `--enable-gpl`); keep NVIDIA EULA notice |
In the detection-only edition none of the ❌ models is used at runtime (face/reid off), so the only remaining items are the detector (ship RT-DETR, not YOLOv8) and ffmpeg LGPL — both free. That makes the shipped product licence-clean with zero purchases.
## 3. Biometric / privacy law (why detection-only is the safe default)
Face recognition and voiceprints are special-category biometric data:
- EU / world: GDPR Art. 9 (explicit legal basis + DPIA) and the EU AI Act (remote biometric identification is high-risk / partly restricted). Shipping biometrics on by default is a real exposure.
- Russia: 152-ФЗ (personal-data localisation) + the biometric-data law (consent, ЕБС).
Detection-only (people/vehicles/counting/recording, no identification) avoids special-category
processing entirely. Biometrics become an explicit, consent-gated opt-in — which is both the
licence posture (§4) and the lawful-basis posture. Voiceprints already have a write-time consent
gate (voice_consent_required, per-identity voice_consent).
## 4. Enabling biometrics (customer opt-in)
Legal document templates (EULA, privacy notice, DPIA, biometric consent, and a per-jurisdiction matrix for EU/US/Ukraine/Russia/CIS) live in
`legal/` (see `legal/README.md`). They are drafting starting points, not legal advice (counsel must finalize).
A customer who wants face recognition must, before flipping biometrics_enabled=true:
1. Licence a commercial face model — a commercial InsightFace licence for buffalo_l
(recognition-oss-pack@insightface.ai), or drop in their own licensed pack
(insightface_pack). This is the only paid item; the vendor does not bundle it.
2. Establish a lawful basis + consent for biometric processing in their jurisdiction
(signage/notice, DPIA, retention policy). Iris records voice consent per identity; face
consent is the operator's policy responsibility.
The vendor ships detection-only; the customer assumes biometric licence + legal-basis responsibility when opting in. Put this in the EULA.
## 5. Commercial build recipe (GA, no purchases by the vendor)
The provisioner already writes the clean runtime config — scripts/provision_appliance.sh
defaults to EDITION=commercial → biometrics_enabled=false, detector_backend=rtdetr,
integrity_check_enabled=true, IRIS_SECRET_KEY_MODE=derived. The remaining items are at
image-build time (run on the build host, not covered by tests):
(a) Apache detector instead of AGPL YOLOv8 — fetch RT-DETR, drop the YOLO weights:

```bash
python3 scripts/fetch_rtdetr.py --out models/rtdetr.onnx   # PekingU/rtdetr_r50vd, Apache-2.0
rm -f models/yolov8n.onnx                                  # do NOT ship AGPL weights
```
(b) Do NOT bundle the non-commercial weights in the commercial image — exclude
models/buffalo_l* (InsightFace) and models/osnet* (research-only). With
biometrics_enabled=false they are never loaded anyway; not shipping them removes all doubt.
A customer opting into biometrics supplies their own licensed pack (insightface_pack).
(c) LGPL ffmpeg — Debian's ffmpeg is built with `--enable-gpl`. For distribution use an
LGPL build (multi-stage; BtbN publishes LGPL static builds), replacing the apt install:

```dockerfile
FROM debian:bookworm-slim AS ffmpeg
ADD https://github.com/BtbN/FFmpeg-Builds/releases/download/latest/ffmpeg-master-latest-linux64-lgpl.tar.xz /tmp/ff.tar.xz
RUN tar -xf /tmp/ff.tar.xz -C /opt && mv /opt/ffmpeg-*-lgpl /opt/ffmpeg
# in the runtime stage: COPY --from=ffmpeg /opt/ffmpeg/bin/ffmpeg /opt/ffmpeg/bin/ffprobe /usr/local/bin/
```

Verify in the built image that `ffmpeg -version` does not list `--enable-gpl`. Keep the NVIDIA EULA notice for the
CUDA base image.
## Release checklist
- [ ] Provision with `EDITION=commercial` (biometrics off, RT-DETR, integrity on).
- [ ] RT-DETR fetched; YOLOv8 weights removed from the image.
- [ ] buffalo_l / OSNet weights not bundled (opt-in customer supplies a licensed pack).
- [ ] ffmpeg is LGPL (no `--enable-gpl`); NVIDIA EULA notice retained.
- [ ] EULA: biometrics are opt-in and require a customer-supplied face-model licence + lawful basis.
- [ ] (Per market) privacy notice / DPIA template shipped with the appliance.
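The mechanical items of this checklist (no AGPL / non-commercial weights bundled, the commercial gate values in the provisioned config, an LGPL ffmpeg) can be audited on the build host before tagging a release. The script below is an added example, not part of the Iris repository; it assumes the provisioned config is a plain `KEY=value` file, that weights sit in a single `models/` directory, and it takes the `ffmpeg -version` banner as text so the checks themselves run offline.

```python
"""Pre-release audit for the commercial (detection-only) image.
Added example, not Iris's own code. Assumptions: the provisioned runtime config
is a KEY=value text file, weights sit in one models/ directory, and the
`ffmpeg -version` banner is passed in as text so the checks run offline.
"""
import fnmatch

# Weights that must never be in a commercial image (licence table above).
FORBIDDEN_WEIGHTS = ("yolov8n.onnx", "buffalo_l*", "osnet*")
# Values scripts/provision_appliance.sh writes for EDITION=commercial.
REQUIRED_CONFIG = {"biometrics_enabled": "false", "detector_backend": "rtdetr",
                   "integrity_check_enabled": "true"}

def audit_models(filenames) -> list:
    """Findings for the bundled weights (empty list means clean)."""
    names = sorted(filenames)
    findings = [f"forbidden weights bundled: {n}" for pat in FORBIDDEN_WEIGHTS
                for n in names if fnmatch.fnmatch(n, pat)]
    if "rtdetr.onnx" not in names:
        findings.append("rtdetr.onnx missing (Apache detector not fetched)")
    return findings

def audit_config(text: str) -> list:
    """Check the runtime config for the commercial gate values."""
    seen = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            seen[key.strip()] = value.strip().strip('"').lower()
    return [f"config: expected {k}={v}, got {seen.get(k)!r}"
            for k, v in REQUIRED_CONFIG.items() if seen.get(k) != v]

def audit_ffmpeg(version_banner: str) -> list:
    """A GPL build lists --enable-gpl on the configuration line of ffmpeg -version."""
    if "--enable-gpl" in version_banner:
        return ["ffmpeg built with --enable-gpl; ship an LGPL build"]
    return []

def audit(filenames, config_text: str, ffmpeg_banner: str) -> list:
    """All findings for one image tree; an empty list means release-clean."""
    return audit_models(filenames) + audit_config(config_text) + audit_ffmpeg(ffmpeg_banner)

if __name__ == "__main__":  # usage: audit.py <models_dir> <config_file>
    import os, subprocess, sys
    banner = subprocess.run(["ffmpeg", "-version"], capture_output=True, text=True).stdout
    problems = audit(os.listdir(sys.argv[1]), open(sys.argv[2]).read(), banner)
    print("\n".join(problems) or "clean")
    sys.exit(1 if problems else 0)
```

Run it inside the built image (where the shipped ffmpeg is on PATH) so the banner reflects the binary that actually ships; a non-zero exit blocks the release.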