Body scanners ignite privacy debate

It’s practically impossible to search the term “body scanner” without coming up with at least a dozen editorials and news stories on the topic with international headlines including phrases like “privacy invasion,” “potential misuse” and “unconstitutional.”

A debate over the machines’ legality has been brewing for months now in the U.S. It began to simmer last March when, on the heels of similar

in the UK and Canada, the Transportation Security Administration (TSA) declared it would increasingly implement the millimeter wave scanners and backscatter technology at U.S. airports. But the debate bubbled to its boiling point as the 2010 holiday travel period approached and millions prepared to stand in line for security checks.

In response, legislators have begun introducing bills to protect passenger privacy, such as Sen. Charles Schumer (D-NY), whose legislation would make it illegal for anyone with access to body scan images to disseminate such data.

Besides passenger complaints about Fourth Amendment violations to privacy, concerns exist about data protection and privacy as well. The topic has also reached the courts. It is the focus of a lawsuit filed by the Electronic Privacy and Information Center (EPIC) alleging that the Department of Homeland Security (DHS) claim that the machines are incapable of storing and sharing data is false.

Mary Ellen Callahan, CIPP, DHS chief privacy officer, says the idea to use body scanners at U.S. airports began gaining momentum in 2006. The TSA had been aware of an increased likelihood of non-metallic threats on airplanes for some time, making screening methods beyond metal detectors necessary. In January 2008, prior to the machines’ deployment, DHS released a Privacy Impact Assessment (PIA) on the scanners. DHS released an updated

in July 2009 to reflect minor changes, including reduced scanning time and the type of signage used to notify travelers of the process.

Currently, there are nearly 500 imaging technology units at 78 airports. The TSA plans to purchase and deploy additional units in 2011.

The TSA uses two types of scanning technologies—millimeter wave and backscatter. Passengers are asked to remove all items from pockets and certain accessories, such as watches, belts and bulky jewelry, from the body. Passengers are then directed to walk through a portal, stand in position and remain still while an image is taken. A remotely located officer views the image for potential threat items; if none are found, the image is deleted and the officer moves to the next image. If a threat item is detected, the officer relays that to the officer staffing the body scanner, and then the image is deleted, according to TSA officials.

Passengers who choose not to enter the body scanner receive an alternative screening to include a physical pat-down by a TSA officer.

EPIC filed a

in July 2010, co-petitioned by EPIC advisory board members Bruce Schneier and Chip Pitts, and by

, to compel disclosure of advanced imaging technology (body scanning) images and TSA training documents. A federal judge has since rejected those requests. EPIC has also filed a Motion for Default Judgment in federal district court in Washington, DC, calling for the scanning machines’ “deployment and contracting to be suspended” until privacy and security problems identified in the suit are adequately resolved.

According to the 2009 DHS PIA, TSA operational procedures require that the machines “do not collect, store or distribute any personally identifiable information.” The TSA reiterated this during a recent interview with the IAPP

, noting that the privacy protections implemented ahead of the scanners’ deployment were developed based on DHS Fair Information Practice Principles and Fourth Amendment considerations and were discussed with numerous advocacy groups, including privacy, religious, civil liberties and transgender organizations.

Security protocols prohibit machine operators from bringing mobile phones or cameras into the image-screening room, says Peter Pietra, the TSA’s director of privacy policy and compliance. Violations of this are punishable by termination. In addition, operators are required to complete 20 hours of classroom training and eight hours of on-the-job training before operating the scanners.

In addition, Pietra says, the agency held a demonstration of the scanners in October 2007 and invited sundry advocacy groups to weigh in on the privacy protections.

“Only one of the groups showed up,” Pietra said, adding that since then, the agency has held three dozen educational events.

In early February, TSA chief John Pistole

that the agency would deploy new and less invasive body scanner software. The software displays avatars instead of silhouettes of individuals’ bodies and boxes indicate areas of suspicion, if detected. The new software is being incorporated in Washington, DC, and Atlanta, and could eventually land at all airports currently using body scanning technology. "We believe it addresses the privacy issues that have been raised," Pistole said.

Sen. Tom Udall (D-N.M.) has introduced

that would require the new software to be installed on existing scanners nationwide within a year. Udall drafted the bill after his constituents “overwhelmingly expressed concerns about these TSA screening procedures,”

reported.

According to Pietra and Callahan, no information is collected during passenger body scans, eliminating the possibility for any information to be retained and used at present or in the future. As described before, the screening officer sees the image, reviews for threats and then hits a button marked “clear,” purging the images from the system. Though the machines are manufactured to store and even export images when in “test mode,” TSA and DHS requirements have such features disabled before machines are deployed to airports, officials say.

EPIC disputes this point in its lawsuit. The advocacy group’s FOIA

returned the “TSA Operational Requirements Document,” in which it states that different levels of employee access allow the machines’ data storage, download, upload and export capabilities to be activated. The suit alleges that Section 2.9 of the document states that “The (Whole Body Imaging machine) shall provide ten selectable levels of privacy.”

According to EPIC’s suit, the TSA’s “Procedural Specifications Document” allows for what’s called “Level Z clearances” to be given to an “unspecified number of users.” Level Z authorities may disable privacy protections, save and download images.

But the TSA’s Pietra says those clearances apply to none of the machine’s operators and only to a select and very small number of “super users” at TSA headquarters during the machine’s test mode—never when the machine is deployed.

“It’s an involved process and not one that occurs,” Pietra said. “In operational mode, you cannot have the image storage capacity turned on.”

Callahan added that to turn image storage capacities on, new software would need to be installed.

“I can’t think of any instances for it,” Callahan said.

Security expert Bruce Schneier, co-petitioner on the EPIC lawsuit, says it doesn’t appear to be true that the scanners cannot store and export data and that, even if it is, “a moment's policy change” could reverse that.

The distinction of whether machines contain image storage capabilities is an important one in the eyes of Jeffrey Rosen, a law professor at George Washington University, who says that data storage could make a difference in the machines’ legality.

In

, Rosen opined that should the Supreme Court one day hear a case involving the constitutionality of body scanners, it should rule against use of the machines and the pat-down alternative “as an unreasonable search and a violation of what Justice Louis Brandeis called ‘the most comprehensive of rights’—namely, ‘the right to be let alone.’”

Rosen

a U.S. Court of Appeals Third Circuit ruling by Associate Justice Samuel Alito in 2006 that scanning methods must be both “minimally intrusive” and “effective.”

“In evaluating the constitutionality of these scanners, U.S. courts might hold that the machines can't be considered ‘minimally invasive’ as long as images can be stored and recorded,” Rosen wrote.

The TSA asserts that the scanners strike a favorable balance between privacy and the public interest involved and cites Alito’s assertion in the same ruling that “there can be no doubt that preventing terrorist attacks on airplanes is of paramount importance.” The scanners’ effectiveness has been well established as the best technology currently available for detecting metallic as well as non-metallic threats concealed under a person’s clothing while protecting personal privacy through the aforementioned provisions, such as not storing, saving or transmitting the images.

In recent months, news stories have detailed passengers’ concerns, while on the IAPP Privacy List, the controversy has incited a lively debate among privacy pros. Some have questioned the potential for “future secondary uses” of scanner data and whether that data may be used to track travelers as they move across the country. Others have questioned whether or not the data could be combined with airport surveillance footage to match and identify passengers. Many have questioned whether the TSA stores the images and whether it will in the future.

During one such Privacy List discussion, Michael Spadea, CIPP, shared that his “consent” to the scanning technology, or the alternative “pat down” should he choose to opt-out of the scan, is ostensibly given when he decides to purchase a ticket. However, he says, what if privacy policies change between the time he buys a ticket and when he arrives at the airport due to a perceived “imminent threat?”

“I don't think persons who purchase tickets are adequately informed of the procedures. Assume that credible intelligence is received and new security procedures are put in place. Assume the security procedures are reasonable. My prior consent was based on the information provided to me six months ago. The new security procedure is significantly different and could not be reasonably anticipated based on the information I was provided.”

Callahan says that the processes and protocols put in place are evolving and that when “technology and risks change, so too will the PIA.”

Bill Turner, CIPP, CIPP/G, CIPP/C, CIPP/IT,  says privacy professionals must now act on legislative and educational fronts and raise individuals’ awareness so they feel they have both notice and choice, which he says has not been adequately accomplished to date.

“Privacy professionals have an opportunity to bring constructive change. The public, legislators and business professionals must come to the table together. Today, too many privacy professionals hide in their office and interpret legislation and policy,” Turner said.

Brian Dean, CIPP, suggests a 30- to 90-day moratorium on body scanner usage, during which a determination should be made if the technology used is “viable, effective and even needed.” He suggests that scanners should remain optional, which significantly limits the legal ramifications.

Meanwhile, Sen. Charles Schumer’s proposed

, which would impose penalties of up to one year in prison or fines of up to $100,000 for those that disseminate body scanner images, was recently accepted as an amendment to the

being considered by the senate.

Both Callahan and Pietra emphasize that they are open to suggestions for alternatives.

Pietra said the TSA is looking at automated target recognition (ATR), technology similar to that which has been deployed in Amsterdam. From a privacy professional’s perspective, ATR is attractive, Callahan says, because it shows a cutout rather than a silhouette of a person, and only anomalies are identified.

“We’re taking this issue very seriously, and we are attempting to implement all the privacy protections possible,” Callahan said. “If people have ideas, they are welcome to contact us.”

Meanwhile, Pietra shared a traveler’s recent gripe to him that “travel was much better 30 years ago.”

“Well, yes. I agree,” Pietra said. “But there’s not much we can do about that.”