Monday, January 18, 2010

Focus on Full-Body Scanners

Since the Christmas Day plot, many voices on both sides of the Atlantic have called for increased use of full-body scanners—even to the point of having them replace the now traditional metal detector screening. But how do they work and what’s the fuss about?

Operation

Some of the full-body scanners that have been developed use x-rays (generally referred to as “backscatter” scanners), but the scanners that have attracted so much attention in the media lately are millimeter wave scanners. These units rely on waves that lie somewhere between microwaves and infrared light on the frequency spectrum. According to this article from the Austrian newspaper Der Standard, human bodies naturally emit millimeter waves. In order to produce a clear image, however, millimeter wave scanners using the so-called “active method” bombard the body with additional millimeter waves. These waves are able to pass through clothing, paper, and thin plastics but not through human bodies. Thus, the reception of these waves as they bounce back from the body can be used to construct a picture of the outer surface of the body and reveal unusual objects hidden beneath clothing. Apparently, “passive method” scanners, which merely read naturally occurring millimeter wave emissions, have been developed and used in some airports (see, e.g., this article from heise online (in German)). However, I can imagine that these scanners may not produce images of the same clarity and/or may require longer screening times.

Are the “active method” machines safe?

The jury is still out. The German Federal Office for Radiation Protection indicated in an article in the sueddeutsche that existing wave research has tended to concentrate on testing the health risks of waves used in mobile devices such as mobile phones. Therefore, there isn’t a great deal of research available on the health impact of these millimeter wave frequencies. What scientists seem to agree on is that the waves won’t ionize atoms within the body like X-rays and thus won’t damage cells the way ionizing radiation does. Millimeter waves will, however, warm the tissues that they strike. What tissues they strike depends on the wavelength of the wave. These waves encompass a range of frequencies beginning somewhere around 10 gigahertz and ending somewhere around 10 terahertz. According to the article in the sueddeutsche, waves at the lower end of that spectrum could penetrate a few millimeters into the skin. I don’t know whether current models of scanners tend to use waves around one specific frequency, whether they always send out waves at various frequencies, or whether they have frequency settings which may be adjusted by the operator. This article on the German Wikipedia, however, indicates that different frequencies may be useful for detecting different materials. For one official of the German Federal Office for Radiation Protection, the “big question” is whether the waves could cause other biological effects in addition to warming—such as bringing components of skin cells into oscillation or causing changes within the blood as it flows through surface capillaries. He adds, however, that these questions are “pure speculation.” For me, the question that always arises with radiation exposure is whether more frequent exposure will pose risks that don’t present themselves in simple, short-term testing. It’s not inconceivable that frequent flyers may have to pass through such scanners 2-3 times within a 10-hour period on several occasions within a single month.

Privacy issues

There are obvious privacy issues connected with a scanner that produces images of the naked body. But apart from revealing intimate parts of the anatomy and physical anomalies that an individual might not want to bare, the scanners might also reveal details such as that the person has had a colostomy, has incontinence problems, or is menstruating. Cognizant of the privacy issues, developers of these scanners aimed to develop solutions that would address them. Initially, the idea was to place the person reviewing the images from the scanner in a location separate from where the actual scanning takes place. Thus, the person viewing the image would be unable to see “in the flesh” the individual with whom that image was associated. Additionally, algorithms were introduced to automatically blur faces (an example of an image with facial blurring can be seen here). In this way, the image reviewer would be unable to link the image to an actual person. Of course, the problem is that colostomy pouches, feminine hygiene pads, devices that deliver medications or insulin, and the like still might prompt an embarrassing or uncomfortable confrontation with security personnel at the screening location.

Scan Tech: The Next Generation?

What if we could remove the image reviewer? Could we design software to do the reviewing for us and indicate where suspicious things crop up? One project led by Loughborough University that we heard about at the first DETECTER meeting in Birmingham was aiming to develop just such a program—one that could distinguish a bottle from a handgun carried in the hand of an individual captured in video recordings. We also heard from one of the manufacturers of a millimeter wave scanner who indicated that they were working to develop that kind of technology, but that it hadn’t yet matured to where it could be implemented.

But news reports today suggest that this “second generation” technology is now available and pictures have emerged from Amsterdam’s Schiphol airport which feature just the kind of generic, impersonal gingerbread-man-like graphic that we had talked about in Birmingham (an example is available here with a close-up here). Areas of the body that hold suspicious objects are then highlighted on the graphic, so that security personnel can conduct a search of that area. Unlike the original setup, the system in Amsterdam displays the computer-generated “results” directly to the personnel manning the scanner.

There are a few things to point out about this second generation of scanning. First of all, just because pictures in the media show displays with the gingerbread man figure doesn’t necessarily mean that the viewing of the “raw” image—so to speak—has been eliminated altogether. Secondly, I’m a bit skeptical as to how well this software will perform as compared with a human viewer. It seems like getting the optimal set of algorithms would take countless test runs and tweaking, and I imagine that there would still be things that the software would miss but that a human reviewer would pick up on, as well as things that the software would catch that a human reviewer would miss or identify as harmless (like colostomy pouches). Which brings us to the third point—that the software-based solution might result in more uncomfortable confrontations with security than with the human reviewer. Lastly, the software would rely on raw data from the scanner, and it would still be theoretically possible for someone to “reconstruct” the image if that someone had access to the raw data.

Access and Data Storage

The Electronic Privacy Information Center (EPIC) has obtained documents from the US Transportation Security Administration pertaining to the procurement of full-body scanners (For links, see this post on the LIFT). The procurement specifications indicate that the TSA has put significant thought and planning into the implementation of these systems, including privacy safeguards. Nonetheless, EPIC points out that, despite TSA’s public assurances that scan images could not be saved, the documents reveal that the systems would be able to store images when in “test mode.” Granted, TSA foresees different levels of access to these systems. In this case, only TSA headquarters, maintenance technicians, and so-called “super users” would be able to put a scanner system into test mode, and image storage would be disabled during normal operation, according to the TSA’s procurement specifications (see pp. 4, C-1). A note in Appendix C of these specifications indicates that super user access for a particular system would be disabled once the system was installed, suggesting that these super users would be representatives of the equipment vendor responsible for the initial setup of the system. Thus, for normal operation on passengers, that would officially leave just TSA headquarters and technicians who would be able to place the system in test mode in which images would be stored.

Nonetheless, this news does indicate that the systems have storage capacity. The question is how much. By limiting the storage capacity to only a few images, the risk of negative privacy impact could be minimized. Of course, the flip-side of not saving images is that it rules out the possibility of performing ex post re-evaluations. Suppose another incident like that on Christmas Day occurs, but the attempted bomber had gone through a full-body scanner. Would security specialists want to take another look at that person’s scan image (supposing they can identify it) to see if they can learn something from the mistake?

Open or Closed Network(s)?

Related to the issue of access is the question of whether the system represents a closed system or is linked or exposed to broader communication networks such as the internet. At first glance, I don’t see too many reasons why these systems would need to be connected to the internet. The image reviewer would not need to read e-mail or access websites to do his or her work. One advantage of allowing internet communication is that it would permit quick, uniform updating of changes to user accounts from a central office. Thus, if an image reviewer left his or her position with the TSA, that former employee’s access could be lifted for all scanner systems throughout the country more or less simultaneously. It might also be desirable to have uniform access at all airports so that image reviewers could be shifted around according to need. On the other hand, these same objectives might be achieved through other systems, such as physical access controls—using an employee ID card or the like—that would prevent unauthorized personnel from entering image viewing facilities. However, the ability to remotely access every system’s log would allow auditing to take place on a more efficient basis. Thus, this point would speak in favor of network access. But I’m not convinced that the burden of conducting audits on the local level would necessarily outweigh the benefit of the added security. As an alternative to local audits, audit data (which does not include image data) could be exported using flash drives or a temporary network connection.

There are indications that the TSA is opting for the fully linked system. The TSA’s procurement specifications for a “Whole Body Imager” state that the system should support a minimum user database of 10,000 accounts (p. 17). That’s an extremely high number for any single airport. Additionally, the TSA’s operational requirements call for the system to have an “802.11X compatible” network interface (p. 11). IEEE 802.11 denotes a set of wireless network protocols. Thus, the inclusion of this functionality within the operational requirements indicates that the TSA would like to ensure that these systems are capable of sending and receiving wireless communications. The operational requirements also call for the network interface to be “configurable with an IP address” (Ibid.). This requirement suggests that there would be internet access. Lastly, the documentation requires that the system be able to interface with “STIP” (Security Technology Integrated Program) (Ibid.), which appears to be the TSA’s enterprise architecture for allowing communication between detection technology instruments in the field and central headquarters (see this entry on the US government’s “IT Dashboard”).

Summing Up


In sum, health-related risks are probably minimal, but currently unknown. In light of this fact, why not simply use passive systems that rely on the human body’s own millimeter wave emissions to eliminate any possible health risk? In terms of privacy protections, replacing the human reviewer with software algorithms may reduce the privacy impact for many but increase it for others. Eliminating network access would also substantially lower the risk that scan images end up distributed where they don’t need to be but could hamper other aspects of operations. All of these considerations come on top of the questions concerning the scanners’ effectiveness and necessity (See the last full paragraph of this earlier post and this from the LIFT).

5 comments:

  1. Re. the development of 'the next generation' of body scanners which would only output the 'gingerbread-like-man' graphic: I have been surprised to find very little coverage of this alternative in the British media. In the immediate aftermath of the Christmas Day Plot there was a lot of debate about the potential use of these machines (and further use of profiling), with many objecting to the privacy implications. All this debate centred on the use of millimetre wave machines outputting the full 'virtual strip search'. I suppose those who find the machines unacceptably intrusive are likely to be cautious about being seen to be endorsing any similar system while those in favour of using the machines want to move the conversation on from privacy issues.

    Furthermore there was absolutely no mention of the health issues associated with exposure to radiation. My guess here is simply that it suffers by comparison with the 'sexier' controversies this issue has to offer.

  2. I worked for year as a radiological safety supervisor in the Oil Industry. Completing a number of radiation courses on safety, what I am aware of at this time is that there is "no" known safe dose of radiation. Government guidelines are just that - guidelines. Ironically your Doctor or Dentist does not need to worry about giving you radiation from an X-Ray but Industry monitors and tracks this as a matter of Government requirement. As with Cell phones only future statistical analysis will tell whether there is danger or not from their use. In this case it is criminal to expect Frequent Fliers to go through bombardment with damaging ionising Active Millimeter Radiation. Even with a claimed low dose rate "nobody" can say it is safe as the fact is that cells in the body can exist at a state where they are "tipped" into going malignant by that final attack on their fragile state. Taking genetic factors aside, a frequent flier from a sun drenched country is statistically at greater risk than a Manchester based UK indoors person. The USA TSA has this right where you can request a manual "pat down" but the UK has it "completely" wrong. I do not care about the privacy issues but I am concerned about the total ignorance of the claims of radiation dose rate given with no reference to the combinational factors above that are important. Compulsory or "no-fly" is a dubious criminal action because there is no choice as in the USA. The Systems should be passive and then we can all go through it with zero danger with scan times extended. In one country Rapiscan do not even seem to have trained the operator who points the radiation source at the passengers as well as themselves and in the latter they get ongoing dose rates for a very long time and are completely ignorant of what is happening. Security is important however this sort of commercially driven nonsense is out of control as there is no calibration factor. A very scary proposition indeed.

    The whole rationale seems to be commercial and get the passengers through the system fast using Active Millimeter Systems. I travel to the UK, and as far as I am concerned this is like being randomly picked out for a dental or chest X-Ray by "ignorant of Physics" background people who can deny me access to the flight, disrupt my planning and business and dictate whether or not I am to receive bodily damage from Active Millimeter Systems. Remember the body cellular relative aspects above when we talk about dose rates. The UK airport authorities have to change policy whereby there is a choice of manual pat down otherwise this is to my mind a criminal action being perpetrated on the "physics and physiology" ignorant public that need to fly for their living.

  3. I think it's also interesting that one of the women who was denied access to her flight at Manchester after refusing a full body scan, did so citing 'health concerns'.

    However, as she did so following her travel companion's refusal of a scan on religious grounds, I suspect that in this instance this aspect will continue not to be discussed very much.

    The comparison with mobile phones is instructive: what I take to have happened there is that what evidence there is of the harmfulness of radiation has been trumped as far as governments are concerned by the usefulness of mobile phones. I guess some will think that even if the levels of radiation could be harmful that this is trumped by the necessity of making air travel safe - but if you don't think these machines really make that much difference you're going to be fairly unimpressed with that line of thought. If there really is evidence that this is harmful it seems unfair to force it on people without any alternative.

  4. John,

    I read your 'Focus on Full Body Scanners' with great interest.

    You say that the passive millimeter scanners are not as clear but I would urge you to go to the websites of two Florida based companies 'Thermal Matrix' and 'Brijot'.

    Both Companies were excluded from the TSA's evaluation process in 2008 as requirements were specifically written around the active millimeter/back scatter products of companies such as Rapiscan.

    Thermal Matrix and Brijot offer products which are quicker, more effective but which maintain privacy whilst being totally safe.

    The above products are currently going through TSA approval but not before large numbers of the Rapiscan scanners have been committed to.

    Regrettably the rest of the world is following the TSA selection fooled into believing the US has performed the proper ground work.

    I am British and my husband is American. We are currently avoiding the UK given its stance on compulsory scanning. The US still allows the alternative pat down.

    It would be hard to object to passive scanning but it is quite clear that the TSA selection criteria did not focus on privacy and safety.

    The TSA have led us to believe the only option is the strip search but I guess travelling TSA employees would never be scanned once their ID is wafted.

    Brijot and Tampa Matrix prove that privacy need not be sacrificed for safety.

    I do hope you can raise the awareness of the alternatives.

  5. I agree with Mr. Anonymous! The privacy is above all in such matters! Full body scans should not even be visible to humans and should be computerized fully, including the examination of the scan results! I think it is possible with the technology nowadays.
