GAO calls for more testing of whole body scanners

A Government Accountability Office (GAO) report this week called on the Transportation Security Administration (TSA) to ensure that the controversial Whole Body Imager technologies the agency is planning on deploying at airports around the country first undergo thorough operational and vulnerability testing.

A failure to do such vetting has already resulted in a similar airport checkpoint security technology for explosives detection being withdrawn from service before being fully deployed, the GAO report noted.

To avoid the same thing from happening with whole body imagers, the TSA needs to test their effectiveness in day-to-day operations and to assess whether they are vulnerable to terrorist countermeasures, the report said.

The GAO report was prepared at the behest of the House Committee on Homeland Security in the aftermath of the failed Dec. 25 bombing attempt of a U.S. airline. The report examines measures for strengthening airport security via the better use of terrorist watch list information and a more planned deployment of checkpoint security technologies.

The report noted that the TSA expects to deploy about 200 whole body imagers, or Advanced Imaging Technology (AIT) scanners, by the end of this year. By 2014, as many as 878 units are expected to be installed in airports around the country.

AIT scanners are designed to detect non-metallic weapons and explosives concealed under a passenger's clothing--such as the explosive PETN powder that the would-be Christmas Day bomber concealed in his underwear.

The scan creates a graphic image of an individual's body under their clothes. Privacy advocates have blasted the plan to install such devices, saying they enable virtual strip searching of passengers at U.S. airports.

Polls taken in the wake of the attempted bombing attempt however appear to show growing public support for the use of the technology, however.

AIT systems cost between $130,000 and $170,000 and are currently installed at 20 airports.

According to the GAO report, as of October 2009, the TSA had not yet conducted an assessment of the potential tactics that terrorists could employ to evade detection by AIT scanners.

As the attempted bombing on Dec. 25 demonstrated, terrorists have various ways to conceal explosives on their bodies. What is unclear, though, is how effective ATI scanners will be in detecting such hidden explosives, the report said.

The TSA has stated that it has completed testing the AIT scanners as of the end of 2009, the GAO said. But the issue of whether that testing was done in an operational environment still needs to be verified.

"Completing these steps should better position TSA to ensure that its costly deployment of AIT machines will enhance passenger checkpoint security," the report said.

In its report, the GAO highlighted the TSA's botched attempt to deploy so-called Explosives Trace Portals (ETP) at airport checkpoints as an example of what can go wrong with technologies that are not properly vetted.

ETPs are designed to detect traces of explosives on a passenger's body by using small puffs of air to dislodge particles from the body and clothing which are then analyzed for the presence of explosives.

The TSA procured over 200 ETPs in 2006 and deployed over 100 of them at 36 airports even though tests on earlier models had show them to be unreliable, the GAO said.

Just a few months after it began rolling out the systems, the TSA halted further deployments because of performance, maintenance and installation issues. As of Dec. 31, 2009, all but 9 ETPs have been removed from service in airports and even those will be uninstalled by year-end 2010.

The problems with ETPs stemmed from TSA's failure to test their performance in an operational environment. The systems were deployed without any assurance of their effective performance or whether they would perform as intended, the GAO noted. "In the future, using validated technologies would enhance TSA's efforts to improve checkpoint security," the report said.

The TSA could not immediately be reached for comment.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld . Follow Jaikumar on Twitter at @jaivijayan , send e-mail to or subscribe to Jaikumar's RSS feed .

Read more about security in Computerworld's Security Knowledge Center.

Copyright © 2010 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon