Airport body scanners consultation – my response

Jun 26, 2010

The Department for Transport has invited responses from stakeholders on the Government’s interim code of practice for the acceptable use of advanced imaging technology (body scanners) in an aviation security environment. The consultation page is here. The consultation document is here.

My response:

This document, dated 18th June 2010, contains my response to the Department for Transport’s consultation “Code of practice for the acceptable use of advanced imaging technology (body scanners) in an aviation security environment” at The consultation paper itself is at

I am commenting as an individual. My name and address is:
Please remove my address from any published form of this document.

The questions posed in the consultation document are fairly narrow in scope, and miss out some important issues related to the deployment of scanners. For completeness I have answered the questions; however, it is important to note that the most important part of my response is in the paragraphs before my answers to the questions.

The decision to introduce and roll out body scanners at UK airports was a knee-jerk reaction in response to a single aviation incident. The trouble with such reactions is that they are made quickly and so there is no time to do a proper analysis and give a considered response. The maxim “act in haste, repent at leisure” applies. We’ve just had one of these ill-thought-out schemes put on hold: the home secretary, Theresa May, has just scaled back the child worker vetting scheme – a scheme that was hastily concocted after the Soham murders in 2002. Rather than hastily add yet another ad-hoc airport security measure, we should take the time to make a thorough analysis of the threats to air travel and update our airport security measures accordingly. As security expert Bruce Schneier says, “there’s been far too little discussion about what worked and what didn’t, and what will and will not make us safer in the future”.

The introduction of airport scanners is just the latest step in a sequence of piecemeal, reactive, retrospective security measures. There was a shoe bomber, so we start to examine people’s shoes; there was a threat of a liquid bomb, so we ban liquids; there was an underpants bomber, so we decide to introduce technology that enables us to examine people’s underwear. Such an approach is doomed to failure, since it will fail to anticipate the next bomber. Schneier calls this “magical thinking”: “If we defend against what the terrorists did last time, we’ll somehow defend against what they do next time. Of course this doesn’t work”. I repeat: what we need is a proper holistic review of airport security. Let’s take time to make a considered, thorough review of the threats and issues involved, and then act on the recommendations of that review.

All security measures are a trade-off. Whether the trade-off is worthwhile depends on a number of factors including the costs (including non-monetary costs such as inconvenience) and efficacy of the security measures, the risks of the security measures failing, and the consequences of a security failure. The consultation document looks at some of the non-monetary costs of airport scanners (for example, privacy invasion, health risks and risks of discrimination), but fails to consider either the efficacy of scanners or their monetary costs. The following two paragraphs look at these issues.

Efficacy. There is anecdotal evidence that airport scanners “don’t do what it says on the tin”. On a German television program a physics professor demonstrated how to get all the ingredients of an explosive device through a scanner, see: . The “Independent on Sunday” asserts that airport scanners would not have detected the underwear bomber, see “ . If scanners don’t actually work reliably, then all the health and safety, privacy, and cost issues are moot – they are simply a waste of money.

Monetary cost. The monetary cost of scanners is important. This is not because excessive cost should preclude the use of scanners, but because of the question of whether that money could be better spent on other means of security. If airport scanners cost £X million, then the question: “Can we spend £X million on a different security measure that brings more security?” needs to be asked and answered. If the answer is yes, deploying airport scanners actually reduces our security.

The consultation document looks at the issue of privacy, but the analysis is superficial and in some cases erroneous. The following paragraphs look at some of the privacy issues.

The first thing to note about the privacy safeguards is that they reduce security. Paragraph 37 states:

“Security staff viewing images will be separate from, and not be able to identify, the person whose image they are viewing”

Security screening involves a combination of human and technological factors and works best when the two operate in conjunction. For example, when someone is searched, the unconscious signals given off by the person being searched aid the person doing the search. Airport scanners are rendered less effective if the operator cannot identify and observe the person being scanned. For example: “Do they look nervous?”, “Were they fidgeting in the queue?” and so on. By divorcing the human and technological factors in this way the code of practice makes the scanners less effective.

The decision not to offer those selected for scanning an alternative method of screening is flawed from both a privacy and security perspective. Paragraph 23 states: “For many people in society security scanners offer a less intrusive process than a hand search…”. Yes, but not for everybody. For some a hand search is less intrusive, and those who would prefer a hand search should be offered one. Privacy is a personal matter, and offering what the consultation asserts is a minority the alternative of a hand search would enhance privacy without compromising security.

If those who refuse to be scanned are simply not allowed to travel, then a large loophole has been introduced into the scanning process. A bomber can simply go to the airport and hope they aren’t scanned. If they do get selected for scanning then they can just refuse and they will not be allowed to travel – they can go home and try again another day. For this reason, anyone who refuses to be scanned should be searched. If we have compulsory hand search of anyone who refuses to be scanned, then we may as well allow all passengers the choice.

Paragraph 44 states: “The image produced does not show any distinguishing features such as hair or skin tone and it is not possible to recognise people from their facial features”. There are many features that can be used to recognise people that will show up on the scanner image, for example height. If a queue of people in the airport contains an exceptionally tall or short person, then it will be possible to recognise that person from their image. Similarly if the queue near the scanner includes only one child. If the code of practice requires that an individual is not recognisable from their scanned image, then that requirement cannot consistently be met.

It must be noted that some of the authority quoted is now outdated. In particular paragraph 19 states: “The Government believes that they [scanners] should be deployed as quickly as possible…” and paragraph 22 states: “The Government believes that this is a proportionate measure to maintain security levels.” The Government changed during the course of the consultation, so these statements may or may not be true.

Question 1: Do you agree with this approach? If not, what changes to the code of practice do you propose?

It is not clear what is meant by “approach”, since no overall approach has been defined, and indeed this is the first use of the word “approach” in the consultation paper. The overall approach to security has been a piecemeal reactive retrospective one. There was a shoe bomber, so we start to examine people’s shoes; there was a threat of a liquid bomb, so we ban liquids; there was an underpants bomber, so we decide to introduce technology that enables us to examine people’s underwear. Such an approach is doomed to failure, since it will fail to anticipate the next bomber.

The approach to airport security needs to be a holistic one. Rather than hastily introduce scanners, we should take a considered approach. We should have an overall review of airport security that looks at all aspects of security. This review should make recommendations about how security should be improved, and we should enact those recommendations.

Question 2: Do you agree that the safeguards outlined in the interim code of practice address all potential privacy concerns? If not, what else should be included?

No. As stated above, for both security and privacy reasons, people who do not wish to be scanned should be allowed to submit to an alternative form of search.

Question 3: Do you agree that the safeguards outlined in the interim code of practice satisfactorily address any potential data protection concerns? If not, what else should be included?

No. Images on the scanning machines may be photographed, so operators of the machines must not be allowed to have cameras or camera-phones on their persons. The issue that people can be identified by distinguishing physical characteristics (such as height) also needs to be addressed.

Question 4: Do you agree that the safeguards outlined in the interim code of practice and HPA assessment satisfactorily address any potential health and safety concerns? If not, what further analysis would you wish the Government to undertake?

No. While I am persuaded that, when working correctly, airport scanners probably pose no undue health risk, I don’t think the possibility of malfunction has been sufficiently addressed. I suggest two further safety measures:
i) when a scan is made, a device inside the scanner records the actual level of radiation and displays and records this. This way, if the scanner becomes uncalibrated then it will be immediately apparent, and at most one passenger will be a
ii) Operators of scanners should wear a device that measures their accumulated exposure to radiation, and this is checked on a daily basis. This would help protect from accidental overexposure to radiation caused by, for example, radiation leakage from a scanner. Presumably operators of X-ray machines in airports already wear a similar device that is sensitive to X-rays; this would be a continuation of this practice.

Question 5: Do you agree that requiring airport operators to discuss with the DFT all prospective use of security scanners as outlined in the interim code of practice satisfactorily addresses the requirement for all equipment to undergo a suitable approval process? If not, what else should be included?

No. The requirement to “discuss with the DFT” is hardly a suitable approval process. An approval process should set out clearly the objective criteria for approval, and then should test applications for deployment of scanners against those criteria.

Question 6: Do you agree that requiring security officers operating security scanners to hold government security clearance and to have received training delivered in accordance with a DfT mandated security scanning training module before deployment satisfactorily addresses the issues of vetting and training? If not, what else should be included?

No. The main issue is vetting, not training. People who view scanned images need to be vetted over and above the standard vetting procedures.

Question 7: Do you agree that the requirements for keeping passengers informed outlined in the interim code of practice are sufficient? If not, what else should be included? And what additional means of communication do you suggest the Government or the travel industry should put into place?


Question 8: Do you agree that selection criteria defined in the interim code of practice provide an appropriate safeguard to ensure that passengers are selected for screening on a non-discriminatory basis? If not, how do you suggest passengers should be selected?


Question 9: Do you agree that the guidance provided in the Protocol section of the interim code of practice is satisfactory? If not, what else should be included?

No. The Protocol section states: “the details of the protocol are not published due to the security sensitive content.” Why even bother to ask this question?

Question 10: Are there any other issues that you would like to see the final code of practice consider? If so, what and why?

Yes, as stated above the issue of whether airport scanners actually work must be addressed. What tests have been conducted to show they work? The issue of their cost effectiveness must also be addressed. Are there other security measures that, for the same cost as the scanners, could deliver more security than scanners?

