Since the Christmas Day plot, many voices on both sides of the Atlantic have called for increased use of full-body scanners—even to the point of having them replace the now traditional metal detector screening. But how do they work and what’s the fuss about?
OperationThere are full-body scanners that have been developed that use x-rays (generally referred to as “backscatter” scanners), but the scanners that have attracted so much attention in the media lately are millimeter wave scanners. These units rely on waves that lie somewhere between microwaves and infrared light on the frequency spectrum. According to this
article from the Austrian newspaper,
Der Standard, human bodies naturally emit millimeter waves. In order to produce a clear image, however, millimeter wave scanners using the so-called “active method” bombard the body with additional millimeter waves. These waves are able to pass through clothing, paper, and thin plastics but not through human bodies. Thus, the reception of these waves as they bounce back from the body can be used to construct a picture of the outer surface of the body and reveal unusual objects hidden beneath clothing. Apparently, “passive method” scanners, which merely read naturally occurring millimeter wave emissions, have been developed and used in some airports (See e.g., this
article from
heise online (in German)). However, I can imagine that these scanners may not produce images of the same clarity and/or may require longer screening times.
Are the “active method” machines safe?The jury is still out. The German
Federal Office for Radiation Protection indicated in an
article in the
sueddeutsche that existing wave research has tended to concentrate on testing the health risks of waves used in mobile devices such as mobile phones. Therefore, there isn’t a great deal of research available on the health impact of these millimeter wave frequencies. What scientists seem to agree on is that the waves won’t ionize atoms within the body like X-rays and thus won’t damage cells the way ionizing radiation does. Millimeter waves will, however, warm the tissues that they strike. What tissues they strike depends on the wavelength of the wave. These waves encompass a range of frequencies beginning somewhere around 10 gigahertz and ending somewhere around 10 terahertz. According to the article in the sueddeutsche, waves at the lower end of that spectrum could penetrate a few millimeters into the skin. I don’t know whether current models of scanners tend to use waves around one specific frequency, whether they always send out waves at various frequencies, or whether they have frequency settings which may be adjusted by the operator. This
article on the German Wikipedia, however, indicates that different frequencies may be useful for detecting different materials. For one official of the German Federal Office for Radiation Protection, the “big question” is whether the waves could cause other biological effects in addition to warming—such as bringing components of skin cells into oscillation or causing changes within the blood as it flows through surface capillaries. He adds, however, that these questions are “pure speculation.” For me, the question that always arises with radiation exposure is whether more frequent exposure will pose risks that don’t present themselves in simple, short-term testing. It’s not inconceivable that frequent flyers may have to pass through such scanners 2-3 times within a 10 hour period on several occasions within a single month.
Privacy issuesThere are obvious privacy issues connected with a scanner that produces images of the naked body. But apart from revealing intimate parts of the anatomy and physical anomalies that an individual might not want to bare, the scanners might also reveal details such as that the person has had a colostomy, has incontinence problems, or is menstruating. Cognizant of the privacy issues, developers of these scanners aimed to develop solutions that would address them. Initially, the idea was to place the person reviewing the images from the scanner in a separate location than where the actual scanning takes place. Thus, the person viewing the image would be unable to see “in the flesh” the individual with whom that image was associated. Additionally, algorithms were introduced to automatically blur faces (an example of an image with facial blurring can be seen
here). In this way, the image reviewer would be unable to link the image to an actual person. Of course, the problem is that colostomy pouches, feminine hygiene pads, devices that deliver medications or insulin, and the like still might prompt an embarrassing or uncomfortable confrontation with security personnel at the screening location.
Scan Tech: The Next Generation?What if we could remove the image reviewer? Could we design software to do the reviewing for us and indicate where suspicious things crop up? One
project led by Loughborough University that we heard about at the first DETECTER meeting in Birmingham was aiming to develop just such a program—one that could distinguish a bottle from a handgun carried in the hand of an individual captured in video recordings. We also heard from one of the manufacturers of a millimeter wave scanner who indicated that they were working to develop that kind of technology, but that it hadn’t yet matured to where it could be implemented.
But news reports today suggest that this “second generation” technology is now available and pictures have emerged from Amsterdam’s Schiphol airport which feature just the kind of generic, impersonal gingerbread-man-like graphic that we had talked about in Birmingham (an example is available
here with a close-up
here). Areas of the body that hold suspicious objects are then highlighted on the graphic, so that security personnel can conduct a search of that area. Unlike the original setup, the system in Amsterdam displays the computer-generated “results” directly to the personnel manning the scanner.
There are a few things to point out about this second generation of scanning. First of all, just because pictures in the media show displays with the gingerbread man figure doesn’t necessarily mean that the viewing of the “raw” image—so to speak—has been eliminated altogether. Secondly, I’m a bit skeptical as to how well this software will perform as compared with a human viewer. It seems like getting the optimal set of algorithms would take countless test runs and tweaking, and I imagine that there would still be things that the software would miss but that a human reviewer would pick up on, as well as things that the software would catch that a human reviewer would miss or identify as harmless (like colostomy pouches). Which brings us to the third point—that the software-based solution might result in more uncomfortable confrontations with security than with the human reviewer. Lastly, the software would rely on raw data from the scanner, and it would still be theoretically possible for someone to “reconstruct” the image if that someone had access to the raw data.
Access and Data StorageThe
Electronic Privacy Information Center (EPIC) has obtained documents from the US
Transportation Security Administration pertaining to the procurement of full-body scanners (For links, see this
post on the LIFT). The procurement specifications indicate that the TSA has put significant thought and planning into the implementation of these systems, including privacy safeguards. Nonetheless, EPIC points out that, despite TSA’s public assurances that scan images could not be saved, the documents reveal that the systems would be able to store images when in “test mode.” Granted, TSA foresees different levels of access to these systems. In this case, only TSA headquarters, maintenance technicians, and so-called “super users” would be able to put a scanner system into test mode, and image storage would be disabled during normal operation, according to the TSA’s procurement specifications (see pp. 4, C-1). A note in Appendix C of these specifications indicates that super user access for a particular system would be disabled once the system was installed, suggesting that these super users would be representatives of the equipment vendor responsible for the initial setup of the system. Thus, for normal operation on passengers, that would officially leave just TSA headquarters and technicians who would be able to place the system in test mode in which images would be stored.
Nonetheless, this news does indicate that the systems have storage capacity. The question is how much. By limiting the storage capacity to only a few images, the risk of negative privacy impact could be minimized. Of course, the flip-side of not saving images is that it rules out the possibility of performing ex post re-evaluations. Suppose another incident like that on Christmas Day occurs, but the attempted bomber had gone through a full-body scanner. Would security specialists want to take another look at that person’s scan image (supposing they can identify it) to see if they can learn something from the mistake?
Open or Closed Network(s)?Related to the issue of access is the question of whether the system represents a closed system or is linked or exposed to broader communication networks such as the internet. At first glance, I don’t see too many reasons why these systems would need to be connected to the internet. The image reviewer would not need to read e-mail or access websites to do his or her work. One advantage of allowing internet communication is that it would permit quick, uniform updating of changes to user accounts from a central office. Thus, if an image reviewer left his or her position with the TSA, that former employee’s access could be lifted for all scanner systems throughout the country more or less simultaneously. It might also be desirable to have uniform access at all airports so that image reviewers could be shifted around according to need. On the other hand, these same objectives might be achieved through other systems, such as physical access controls—using an employee ID card or the like—that would prevent unauthorized personnel from entering image viewing facilities. However, the ability to access remotely every system’s system log would allow auditing to take place on a more efficient basis. Thus, this point would speak in favor of network access. But I’m not convinced that the burden of conducting audits on the local level would necessarily outweigh the benefit of the added security. Alternatively to local audits, audit data (which does not include image data) could be exported using flash drives or a
temporary network connection.
There are indications that the TSA is opting for the fully linked system. The TSA’s procurement specifications for a “Whole Body Imager” state that the system should support a minimum user database of 10,000 accounts (p. 17). That’s an extremely high number for any single airport. Additionally, the TSA’s operational requirements call for the system to have an “802.11X compatible” network interface (p. 11). IEEE 802.11 denotes a set of wireless network protocols. Thus, the inclusion of this functionality within the operation requirements indicates that the TSA would like to ensure that these systems are capable of sending and receiving wireless communications. The operational requirements also call for the network interface to be “configurable with an IP address” (Ibid.). This requirement suggests that there would be internet access. Lastly, the documentation requires that the system be able to interface with “STIP” (Security Technology Integrated Program) (Ibid.), which appears to be the TSA’s enterprise architecture for allowing communication between detection technology instruments in the field and central headquarters (See this
entry on the US government’s “IT Dashboard”).
Summing UpIn sum, health-related risks are probably minimal, but currently unknown. In light of this fact, why not simply use passive systems that rely on the human body’s own millimeter wave emissions to eliminate any possible health risk? In terms of privacy protections, replacing the human reviewer with software algorithms may reduce the privacy impact for many but increase it for others. Eliminating network access would also substantially lower the risk that scan images end up distributed where they don’t need to be but could hamper other aspects of operations. All of these considerations come on top of the questions concerning the scanners’ effectiveness and necessity (See the last full paragraph of this
earlier post and
this from the LIFT).