Thursday, January 28, 2010

News: Florence DETECTER Programme Announced

The second DETECTER Project Meeting will take place in Florence on Thursday the 18th of February 2010. The Programme will run as follows:

9.00 – 9.15 Introduction by Prof. Martin Scheinin, Professor of International Law at the European University Institute and United Nations Special Rapporteur on the protection of human rights while countering terrorism

9.15 – 11.00 Identification of terrorist suspects through detection technologies: risks and opportunities
Chair: Martin Scheinin (European University Institute, Italy)
  • Ehud Givon (WECU-technologies, Israel) – Security through intent detection
  • Jacques Verraes (Europan Commission, Belgium) – Data protection issues related to identification of terrorist suspects
  • Ben Hayes (Statewatch, United Kingdom) – Respondent to presentations of Commission and WeCU technologies

11.00 – 11.30 Coffee break

11.30 – 13.30 Human rights aspects of the use of detection technologies

Chair: Daniel Moeckli (University of Zurich, Switzerland)
  • Roos van der hilst (University of Oslo, Norway) – Human rights risks of selected detection technologies - sample uses by governments
  • Emilio Mordini (HIDE, Italy) - Biometrics, Body, Identity
  • R. Leenes (University of Tilburg, the Netherlands) – Location based surveillance – why planes, trains and automobiles are the new castles
13.30 – 15.00 Lunch

15.00-17.00 Martin Scheinin presenting WP4 Deliverable on "Developments in the Declarations of Exceptions, Claims of Inapplicability, or Unilateral Modifications in Respect of Internation Law for the Sake of Counter-Terrorism"

Limited Places - To register, please e-mail mathias.vermeulen@eui.eu

Martin Scheinin on Body Scanners and Profiling

DETECTER Partner Martin Scheinin has a piece in the Guardian. He argues against the idea that the aim of preventing acts of terrorism always trumps privacy or other fundamental rights and that any restrictions of such rights ought to be specifically provided for in clear law ensuring their effectiveness, necessity and proportionality. A few select quotes:

...The current generation of body scanners entail an unnecessary and therefore disproportionate intrusion into privacy, by showing a graphic image of a naked human person to one or more observers. It would be technologically easy to avoid this, by securing that no images are ever stored, and by using an algorithm to replace on the observer's screen the image of a real person with a standard animation figure but places any suspicious items on that image...

What is worse, body scanners are ineffective. They are unlikely to detect 80 grams of PETN explosives hidden in the underware of a person. And once it is known that body scanners are in use, they are easy to avoid by hiding this type of explosives in a body cavity or in a commercial item in one's hand luggage...

There are better ways than body scanners and group-related profiling to improve security at airports and elsewhere. The technology already exists for detecting from distance most explosive substances, including PETN. Together with professional observation of behavioral patterns this provides a prospect of respecting privacy while at the same time doing a better job in preventing acts of terrorism. It seems to be the unwarranted obsession to know more about the perceived bad person that has slowed down work to detect explosives....

The article also features a link to his latest report written in his capacity as UN Special Rapporteur on Human Rights and Counterterrorism, highlighting the erosion of the right to privacy in the fight against terrorism.

Wednesday, January 20, 2010

News: New Security Measures for UK Airports

From the BBC: In a statement to the House of Commons earlier today, Prime Minister Gordon Brown announced the recommendations arising from a review of airport security and further intelligence briefings. The main measures include:
  • Direct Flights from Yemen to the UK are suspended until security concerns are addressed.
  • A "no fly" list is to be established to prevent suspected terrorists from travelling to the UK.
  • A second list of lower risk suspects will be established entailing 'special measures' for those attempting to fly to the UK, such as more stringent screening (officials are not currently specifying anything further).
  • All UK airports and ports to follow the 'e-borders' scheme, designed to collect personal data on all passengers entering or exiting the country, by the end of the year.
  • Enhanced global cooperation to enable suspect individuals to be checked against watchlists 24 hours before flying to or via the UK.
  • Full Body Scanners at British airports next week.
  • New Intelligence teams to identify threats to British security abroad.

Tuesday, January 19, 2010

Comment: Privacy is Dead According to Facebook Chief

There's a nice discussion piece about social networking and privacy in the Times, following on from Mark Zuckerberg's reported statement that 'privacy is dead' (a statement, according to the article, he is now trying to downplay). As well as pointing out how careful Zuckerberg is about safeguarding his own privacy, it goes through the arguments that privacy has become less important to the younger generation who make an informed choice that the benefits of sharing information outweigh the disadvantages. A couple of choice quotations:

As Daniel Masoliver, a 24-year-old postgraduate student in London, put it: “The only reason privacy ever existed is because Facebook didn’t. People have always liked talking about what they’re into and the more people share information with one another, the more comfortable others are joining in.”

And another (somewhat tongue in cheek one imagines) from Ross Anderson, a Professer of Security Engineering at Cambridge:

“At Cambridge all the party invitations go out on Facebook,” he said. “So if you don’t have Facebook, you won’t get invited to any parties, so you won’t have any sex, so you won’t have any children, so your genes die out. So it’s an evolutionary necessity to be on Facebook.”

Ross Anderson also touches on what I consider the key point when it comes to the argument that privacy is no longer important because as a society we have weighed up the pros and cons and decided it is not needed:

By analysing...[social networking] data, “spider” programs can draw up social graphs that reveal your sexuality, political beliefs and other characteristics. According to Ross Anderson...it can be done even if you list as few as eight friends.

That might not matter so much in Britain, says Anderson, “but in a country like Iran, where they punish gays, this is serious stuff”.


Iran may seem an extreme case, but I think there is a huge degree to which the acceptability of behaviour revealed by internet activity depends on what social circles you live in. It's a very different matter sharing facets of your life such as sexual preference when you live in San Francisco, than it is doing so in an isolated, conservative town. But decisions about what level of privacy is available for users tends to be made by people who live in more liberal communities, tolerant of far more than is typically the case in wider society.

News: UK Equality and Human Rights Commission Say Body Scanners Breach Privacy

From the Times: Trevor Phillips, head of the UK watchdog created under the Equality Act (2006) in order to uphold nondiscrimination, has declared them a violation of privacy law established by the Human Rights Act.

They are calling on the UK Home Secretary Alan Johnson to explain in detail how the government will ensure that implementation of body scanning is compliant with the right to privacy. In particular they have raised privacy concerns with the use of body scanners on the disabled, the elderly, preoperative transsexuals and those with potentially embarrassing medical aids.

An EHRC spokesman said the use of profiling was “discriminatory, contrary to domestic legislation and international standards, and is harmful to community relations”.

A source at the watchdog added: “Scanners have a negative impact on people’s right to privacy, particularly the disabled, older people and children. Transsexuals and transgender people would be particularly vulnerable.

“We are talking about very intimate pictures. To be blunt, one could imagine a bunch of loutish security guards seeing some attractive women in the queue and all rushing into the office saying, ‘Let’s have a look’.”

Monday, January 18, 2010

Focus on Full-Body Scanners

Since the Christmas Day plot, many voices on both sides of the Atlantic have called for increased use of full-body scanners—even to the point of having them replace the now traditional metal detector screening. But how do they work and what’s the fuss about?

Operation

There are full-body scanners that have been developed that use x-rays (generally referred to as “backscatter” scanners), but the scanners that have attracted so much attention in the media lately are millimeter wave scanners. These units rely on waves that lie somewhere between microwaves and infrared light on the frequency spectrum. According to this article from the Austrian newspaper, Der Standard, human bodies naturally emit millimeter waves. In order to produce a clear image, however, millimeter wave scanners using the so-called “active method” bombard the body with additional millimeter waves. These waves are able to pass through clothing, paper, and thin plastics but not through human bodies. Thus, the reception of these waves as they bounce back from the body can be used to construct a picture of the outer surface of the body and reveal unusual objects hidden beneath clothing. Apparently, “passive method” scanners, which merely read naturally occurring millimeter wave emissions, have been developed and used in some airports (See e.g., this article from heise online (in German)). However, I can imagine that these scanners may not produce images of the same clarity and/or may require longer screening times.

Are the “active method” machines safe?

The jury is still out. The German Federal Office for Radiation Protection indicated in an article in the sueddeutsche that existing wave research has tended to concentrate on testing the health risks of waves used in mobile devices such as mobile phones. Therefore, there isn’t a great deal of research available on the health impact of these millimeter wave frequencies. What scientists seem to agree on is that the waves won’t ionize atoms within the body like X-rays and thus won’t damage cells the way ionizing radiation does. Millimeter waves will, however, warm the tissues that they strike. What tissues they strike depends on the wavelength of the wave. These waves encompass a range of frequencies beginning somewhere around 10 gigahertz and ending somewhere around 10 terahertz. According to the article in the sueddeutsche, waves at the lower end of that spectrum could penetrate a few millimeters into the skin. I don’t know whether current models of scanners tend to use waves around one specific frequency, whether they always send out waves at various frequencies, or whether they have frequency settings which may be adjusted by the operator. This article on the German Wikipedia, however, indicates that different frequencies may be useful for detecting different materials. For one official of the German Federal Office for Radiation Protection, the “big question” is whether the waves could cause other biological effects in addition to warming—such as bringing components of skin cells into oscillation or causing changes within the blood as it flows through surface capillaries. He adds, however, that these questions are “pure speculation.” For me, the question that always arises with radiation exposure is whether more frequent exposure will pose risks that don’t present themselves in simple, short-term testing. It’s not inconceivable that frequent flyers may have to pass through such scanners 2-3 times within a 10 hour period on several occasions within a single month.

Privacy issues

There are obvious privacy issues connected with a scanner that produces images of the naked body. But apart from revealing intimate parts of the anatomy and physical anomalies that an individual might not want to bare, the scanners might also reveal details such as that the person has had a colostomy, has incontinence problems, or is menstruating. Cognizant of the privacy issues, developers of these scanners aimed to develop solutions that would address them. Initially, the idea was to place the person reviewing the images from the scanner in a separate location than where the actual scanning takes place. Thus, the person viewing the image would be unable to see “in the flesh” the individual with whom that image was associated. Additionally, algorithms were introduced to automatically blur faces (an example of an image with facial blurring can be seen here). In this way, the image reviewer would be unable to link the image to an actual person. Of course, the problem is that colostomy pouches, feminine hygiene pads, devices that deliver medications or insulin, and the like still might prompt an embarrassing or uncomfortable confrontation with security personnel at the screening location.

Scan Tech: The Next Generation?

What if we could remove the image reviewer? Could we design software to do the reviewing for us and indicate where suspicious things crop up? One project led by Loughborough University that we heard about at the first DETECTER meeting in Birmingham was aiming to develop just such a program—one that could distinguish a bottle from a handgun carried in the hand of an individual captured in video recordings. We also heard from one of the manufacturers of a millimeter wave scanner who indicated that they were working to develop that kind of technology, but that it hadn’t yet matured to where it could be implemented.

But news reports today suggest that this “second generation” technology is now available and pictures have emerged from Amsterdam’s Schiphol airport which feature just the kind of generic, impersonal gingerbread-man-like graphic that we had talked about in Birmingham (an example is available here with a close-up here). Areas of the body that hold suspicious objects are then highlighted on the graphic, so that security personnel can conduct a search of that area. Unlike the original setup, the system in Amsterdam displays the computer-generated “results” directly to the personnel manning the scanner.

There are a few things to point out about this second generation of scanning. First of all, just because pictures in the media show displays with the gingerbread man figure doesn’t necessarily mean that the viewing of the “raw” image—so to speak—has been eliminated altogether. Secondly, I’m a bit skeptical as to how well this software will perform as compared with a human viewer. It seems like getting the optimal set of algorithms would take countless test runs and tweaking, and I imagine that there would still be things that the software would miss but that a human reviewer would pick up on, as well as things that the software would catch that a human reviewer would miss or identify as harmless (like colostomy pouches). Which brings us to the third point—that the software-based solution might result in more uncomfortable confrontations with security than with the human reviewer. Lastly, the software would rely on raw data from the scanner, and it would still be theoretically possible for someone to “reconstruct” the image if that someone had access to the raw data.

Access and Data Storage

The Electronic Privacy Information Center (EPIC) has obtained documents from the US Transportation Security Administration pertaining to the procurement of full-body scanners (For links, see this post on the LIFT). The procurement specifications indicate that the TSA has put significant thought and planning into the implementation of these systems, including privacy safeguards. Nonetheless, EPIC points out that, despite TSA’s public assurances that scan images could not be saved, the documents reveal that the systems would be able to store images when in “test mode.” Granted, TSA foresees different levels of access to these systems. In this case, only TSA headquarters, maintenance technicians, and so-called “super users” would be able to put a scanner system into test mode, and image storage would be disabled during normal operation, according to the TSA’s procurement specifications (see pp. 4, C-1). A note in Appendix C of these specifications indicates that super user access for a particular system would be disabled once the system was installed, suggesting that these super users would be representatives of the equipment vendor responsible for the initial setup of the system. Thus, for normal operation on passengers, that would officially leave just TSA headquarters and technicians who would be able to place the system in test mode in which images would be stored.

Nonetheless, this news does indicate that the systems have storage capacity. The question is how much. By limiting the storage capacity to only a few images, the risk of negative privacy impact could be minimized. Of course, the flip-side of not saving images is that it rules out the possibility of performing ex post re-evaluations. Suppose another incident like that on Christmas Day occurs, but the attempted bomber had gone through a full-body scanner. Would security specialists want to take another look at that person’s scan image (supposing they can identify it) to see if they can learn something from the mistake?

Open or Closed Network(s)?

Related to the issue of access is the question of whether the system represents a closed system or is linked or exposed to broader communication networks such as the internet. At first glance, I don’t see too many reasons why these systems would need to be connected to the internet. The image reviewer would not need to read e-mail or access websites to do his or her work. One advantage of allowing internet communication is that it would permit quick, uniform updating of changes to user accounts from a central office. Thus, if an image reviewer left his or her position with the TSA, that former employee’s access could be lifted for all scanner systems throughout the country more or less simultaneously. It might also be desirable to have uniform access at all airports so that image reviewers could be shifted around according to need. On the other hand, these same objectives might be achieved through other systems, such as physical access controls—using an employee ID card or the like—that would prevent unauthorized personnel from entering image viewing facilities. However, the ability to access remotely every system’s system log would allow auditing to take place on a more efficient basis. Thus, this point would speak in favor of network access. But I’m not convinced that the burden of conducting audits on the local level would necessarily outweigh the benefit of the added security. Alternatively to local audits, audit data (which does not include image data) could be exported using flash drives or a temporary network connection.

There are indications that the TSA is opting for the fully linked system. The TSA’s procurement specifications for a “Whole Body Imager” state that the system should support a minimum user database of 10,000 accounts (p. 17). That’s an extremely high number for any single airport. Additionally, the TSA’s operational requirements call for the system to have an “802.11X compatible” network interface (p. 11). IEEE 802.11 denotes a set of wireless network protocols. Thus, the inclusion of this functionality within the operation requirements indicates that the TSA would like to ensure that these systems are capable of sending and receiving wireless communications. The operational requirements also call for the network interface to be “configurable with an IP address” (Ibid.). This requirement suggests that there would be internet access. Lastly, the documentation requires that the system be able to interface with “STIP” (Security Technology Integrated Program) (Ibid.), which appears to be the TSA’s enterprise architecture for allowing communication between detection technology instruments in the field and central headquarters (See this entry on the US government’s “IT Dashboard”).

Summing Up


In sum, health-related risks are probably minimal, but currently unknown. In light of this fact, why not simply use passive systems that rely on the human body’s own millimeter wave emissions to eliminate any possible health risk? In terms of privacy protections, replacing the human reviewer with software algorithms may reduce the privacy impact for many but increase it for others. Eliminating network access would also substantially lower the risk that scan images end up distributed where they don’t need to be but could hamper other aspects of operations. All of these considerations come on top of the questions concerning the scanners’ effectiveness and necessity (See the last full paragraph of this earlier post and this from the LIFT).

Wednesday, January 13, 2010

News: European Court of Human Rights Renders Judgement concerning UK's Terrorism Act 2000

The ECHR has held that the expanded search powers granted to police under section 44 of the Terrorism Act 2000 violate Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms.

Story from the Telegraph
Note on the case on the Legalift Blog

The judgement is currently available on the ECHR's HUDOC service under "List of recent judgments."

Friday, January 8, 2010

News: Aiport Security Technology

Forbes has posted an interesting article today discussing various proposals for improving airport security, including behavioral analysis systems, physiological sensors, and increased use of profiling. One system being tested in Israel even sounds like psychological warfare—flashing images onto airport screens, “such as symbols associated with a certain terrorist group or some other image only a would-be terrorist would recognize” and then assessing individuals’ reactions to those images. The article also cites Jim Harper of the Cato Institute for suggesting that security be placed in the hands of the airlines in order to introduce more variation in security procedures.

Thursday, January 7, 2010

Comment: Christmas Day Plot, Part I (Update)

The Telegraph has published a story today claiming that US Customs and Border Protection had singled out Umar Farouk Abdulmutallab based on the human intelligence submitted by the State Department and were waiting to bring him in for interrogation in Detroit. This claim seems to take some steam out of the argument that US intelligence failed to “connect the dots.” This raises the question whether, under the circumstances, some other operative action should have been taken while the flight was in the air. Given what was known, would it have been appropriate to order the flight to turn back around to Amsterdam? Suppose Abdulmutallab caught on to what was happening and decided to detonate over Amsterdam upon the return. Would it have been appropriate to order the flight crew to restrain him? Think of the standards that would apply if the “suspect” were simply someone standing on a public street. Should different standards apply on airplanes?

The article also features an interesting quote from a “senior Homeland Security official” who indicated that “in-depth vetting only begins once the flight manifest has been generated, a few hours before takeoff.” This statement suggests that passenger name records are not submitted on a rolling basis as reservations are made but only once the list of passengers on any one flight has been relatively solidified.

Wednesday, January 6, 2010

Comment: Christmas Day Plot, Part I

“Failure to connect the dots” became a catch-phrase paraphrasing the mistakes within the intelligence community that permitted the 9/11 attacks despite the presence of intelligence within the possession of various US agencies that pointed toward the development of the underlying plot. This phrase has cropped up again in connection with the Christmas Day plot involving Northwestern Flight 253, leading to the question as to whether the lessons learned from the 9/11 review have been implemented.

As news of the attempted attack began to unfold, reports began to roll in that the individual behind the attempt, Umar Farouk Abdulmutallab, had raised a number of red flags which should have resulted in enhanced screening, potentially his detention for further investigation, or--as some have suggested--the denial of an entry visa for the US. First it was revealed that Abdulmutallab had been included in the National Counterterrorism Center’s TIDE (Terrorist Identitites Datamart Environment) database (more on TIDE in Part II) (See this story from CBS). Then, it came to light that Abdulmutallab’s father had approached US State Department officials in Nigeria with concerns that his son had “fallen under the influence of ‘religious extremists’ in Yemen” (See this story from CBS). According to a report from CBS News, this information was forwarded to officials in Washington (In fact, it may have been the basis for Abdulmutallab being entered in TIDE). Apparently, however, no flags were attached to Abdulmutallab’s US visa, and the CBS report suggests that US officials who had received information relating the father’s concerns did not realize that the individual in question had been issued a multiple-entry visa by the US Embassy in London that was valid from June 16, 2008 to June 12, 2010. Lastly, it has been reported that the NSA had identified communications among Al Qaeda members in Yemen concerning a plot involving a Nigerian (See articles here and here).

The Obama administration called for two reviews: one quick review of flight screening procedures and technologies, the other a more in-depth review of the terrorist watch list system in use in the US. President Obama has promised that the results of the reviews will be revealed in public reports in the near future. It will be interesting to see to what extent the details of what happened at each stage of Abdulmutallab’s journey will be released. For me, the following questions come up: 1) Were any personal data pertaining to Abdulmutallab submitted to the TSA before he boarded the flight from Nigeria? 2) What security procedures did Abdulmutallab undergo in Lagos (or Ghana)? 3) Was Abdulmutallab subjected to security procedures at Schiphol? It would be particularly interesting to know whether he underwent a full-body scan (such scanners are evidently in common use at Schiphol) (more on full-body scanning below)?

In this case, it isn’t clear to what extent fault can be found with US authorities. Clearly mistakes were made, but even if all the information on Abdulmutallab had come together and resulted in an operational decision, measures stemming from that decision would have to have been taken in Nigeria or the Netherlands in order to have been effective. The incident may primarily reflect the lack of uniform and coordinated procedures at the international level. The US has expressed the desire to receive passenger name records for all passengers who have booked flights to the US. Yet, the question arises as to how many airlines indulge that desire and with what level of accuracy. This requirement has been particularly contentious within the EU. However, given the fact that Abdulmutallab had booked passage with a US-based air carrier for the final leg of his journey, it seems likely that the US carrier submitted passenger record data on Abdulmutallab to the TSA. But again, even if the TSA had singled out Abdulmutallab for enhanced screening or identified him as being on the no-fly list, how does it ensure that Dutch or Nigerian airport security take appropriate action? If a Dutch or Nigerian equivalent of the TSA have special requests with respect to a particular passenger departing from the US en route to the Netherlands or Nigeria, would the TSA automatically comply in reciprocal fashion? Note that according to an editorial in the New York Times, the TSA can still request a US-bound flight to return to its point of departure if there is a suspicious passenger on board, but for long distance flights, this option may become unfeasible if the request is not received until later stages of the flight.

Suggestions for changes already began to be voiced soon after the incident. Among the calls for improvements to security that have emerged in public discourse, the notion of making more use of body scanners, such as millimeter wave scanners, has been particularly prominent--notably former US Department of Homeland Security Secretary, Michael Chertoff, has been among those advocating this move (see here) (although it later came to light that Chertoff’s company, the Chertoff Group, has a manufacturer of such machines as a client). Some commentators, however, have argued that such full-body scanners would have failed to detect the explosive device in this case. The Telegraph has cited two former US officials from counter-terrorism agencies for having long argued that swabbing for explosive substances and other chemicals is “cheaper, easier and more effective” than full-body scanners. In that article, Larry Johnson, former deputy director of Counter Terrorism at the US State Department was quoted as saying “[s]wabbing everyone is not hard and it’s just about the only way, short of making passengers fly naked and without luggage, of being reasonably sure they aren’t carrying a bomb.” Although swabbing would entail making bodily contact with the swabs, for some--if not most--it may raise fewer privacy concerns than the full-body scanners. The Telegraph article suggests that the swab tests would not need to be taken from the same part of the body or baggage where explosives were located. That means that contact with sensitive areas of the body could be avoided.

In Part II, I’ll discuss databases and watch lists.