Documents refute TSA privacy claims on body scanners, group says
Body imaging technologies can store, transmit images of airline passengers, EPIC says
Computerworld - The Transportation Security Administration is overstating the privacy protections applied in the use of whole body scanners at U.S. airports, a leading privacy advocacy group warned today.
As a result of a Freedom of Information Act lawsuit, the Electronic Privacy Information Center (EPIC) recently obtained U.S. Department of Homeland Security documents related to the use of whole body imaging technologies.
The documents "clearly refute" what the TSA has said about the devices on a number of fronts, said Marc Rotenberg, EPIC's executive director. They also show that the devices, which are based on Windows XP technology, may be vulnerable to tampering, EPIC said.
The documents show that contrary to the representations of the TSA, whole body imaging devices include the ability to store, record and transfer images of passengers screened at U.S. airports. The device specifications include hard disk storage, USB integration and Ethernet connectivity, all of which raise significant privacy and security concerns, EPIC said.
The advocacy group said the device's specifications allow the TSA to manipulate 10 variable privacy settings.
"Presumably, privacy can be dialed both up and down," Rotenberg said.
The TSA's technical specifications for the body scanners and its language in vendor contracts show that the systems also have a category of generic superusers who have the ability to disable privacy functions at any time, EPIC said. The group also drew attention to the fact that the systems are based on Windows XP Embedded with Ethernet connectivity and are therefore subject to all of the security risks associated with Windows.
In an e-mailed comment, a TSA spokeswoman today said the TSA is committed to ensuring the privacy of the traveling public to the greatest extent possible. "This technology is part of our multi-layered security strategy to stay ahead of evolving threats," she wrote.
On the DHS Web site, the department maintains that all full body scanners are delivered to airports without the capability to store, print or transmit images. It says each image is automatically deleted after it is cleared by the officer looking at the images. It also says the documents obtained by EPIC show that the TSA required the ability to store and export images only for use while testing the systems, and that the ability to change privacy settings was only possible in the testing phase. The machines also are not connected to one another, or to the Internet, making external hacking unlikely.
EPIC's concerns over the body scanning technology come amid what appears to be growing public support for use of the machines after a failed attempt to blow up a U.S. airliner on Christmas Day. In a USA Today/Gallup poll conducted last week, 78% of those surveyed said they approve of full body scans on airline passengers. About 67% said they would not feel uncomfortable if they were to undergo a full body scan at an airline security checkpoint.


- Excel 2010 Cheat Sheet
- Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more.
- Practice Management: Double Billing Rate and Improve Patient Services
- Would you like to double your billing rate and achieve faster payment for services?
Download this customer success story to see how One Health... - Mission Critical Data Explosion and Customer Case Study
- Would you like to double your tier 1 storage capacity while simultaneously reducing your storage footprint?
Download this customer success story to see how... - Protecting Against Database Attacks and Insider Threats: Top 5 Scenarios
- Read this new eBook to learn the top five scenarios and essential best practices for preventing database attacks and insider threats.
- Database Activity Monitoring Is Evolving
- Read the analyst report and learn how you can leverage the core capabilities of a DAP solution for better database security.
- Establishing a Strategy for Database Security is No Longer Optional
- The options for securing increasingly valuable databases are very broad and deep, and can be confusing. This research provides an overview of three... All Privacy White Papers
- Close a Dangerous Vulnerability: Automated Methods for Managing Admin Rights
- In this exclusive webcast from Viewfinity, you'll hear how to leverage Group Policy Object settings to close this vulnerability by elevating privileges for...
- Data Protection and Disaster Recovery with iSCSI and VMware
- Get this on demand webcast now
- Distributed Database Security with Real-time Monitoring
- View this demo and learn how IBM InfoSphere Guardium database activity monitoring can help protect your sensitive data in distributed DBMS environments with...
- InfoSphere Warehouse Packs Demo
- These flash modules make warehousing more tangible and relevant to business users through detailed explanations of the InfoSphere Warehouse Packs.
- Delivery Management -- Extending Lifecycle Management
- Date: Wednesday, June 20, 2012, 1:00 PM EDT
Siloed organizations continue doing the wrong things and doing things wrong, leading to increased costs,...
All Privacy Webcasts