Schneier on Security
A blog covering security and security technology.
January 21, 2013
TSA Removing Rapiscan Full-Body Scanners from U.S. Airports
This is big news:
> The U.S. Transportation Security Administration will remove airport body scanners that privacy advocates likened to strip searches after OSI Systems Inc. (OSIS) couldn't write software to make passenger images less revealing.
This doesn't mean the end of full-body scanning. There are two categories of these devices: backscatter X-ray and millimeter wave.
> The government said Friday it is abandoning its deployment of so-called backscatter technology machines produced by Rapiscan because the company could not meet deadlines to switch to generic imaging with so-called Automated Target Recognition software, the TSA said. Instead, the TSA will continue to use and deploy more millimeter wave technology scanners produced by L-3 Communications, which has adopted the generic-outline standard.
> Rapiscan had a contract to produce 500 machines for the TSA at a cost of about $180,000 each. The company could be fined and barred from participating in government contracts, or employees could face prison terms if it is found to have defrauded the government. In all, the 250 Rapiscan machines already deployed are to be phased out of airports nationwide and will be replaced with machines produced by L-3 Communications.
And there are still backscatter X-ray machines being deployed, but I don't think there are very many of them.
> TSA has contracted with L-3, Smiths Group Plc (SMIN) and American Science & Engineering Inc. (ASEI) for new body-image scanners, all of which must have privacy software. L-3 and Smiths used millimeter-wave technology. American Science uses backscatter.
This is a big win for privacy. But, more importantly, it's a big win because the TSA is actually taking privacy seriously. Yes, Congress ordered them to do so. But they didn't defy Congress; they did it. The machines will be gone by June.
Posted on January 21, 2013 at 6:38 AM
> This is a big win for privacy
A big VICTORY. VICTORY. A BIG VICTORY. I expected no bastardization of the English language from you.
I wonder what will happen to the decommissioned machines next. Will Rapiscan sell them to other countries which don't care about privacy? Will they get retrofitted with "privacy software", and then re-deployed?
So does anybody know how the images are stored and processed in the L-3 machines? It seems like perhaps I should end my opposition to body scanners, except I'm concerned that the raw images of naked people may be stored somewhere and be theoretically accessible.
I note that ASEI is still using x-ray backscatter devices, which will dose one with excessive radiation. In my opinion, anything that uses perceptible levels of ionizing radiation should be prohibited, imaging tech notwithstanding.
@Jonathan: "I wonder what will happen to the decommissioned machines next"
They'll be sold off to tanning salons, for customers who just *can't* get enough skin cancer with plain old UV light.
The initial reports I heard were that they were being pulled for two reasons:
1) Health concerns
2) Privacy concerns
I've only heard #2 mentioned by main media outlets.
I don't believe for a second that the TSA has suddenly become concerned about our privacy.
According to a USA Today article, the President of OSI Systems, the parent company of Rapiscan, is Deepak Chopra. Ironic to have the same name as the Indian physician and writer.
Is the US taxpayer getting any money back from Rapiscan on the defective machines? I suspect not. Maybe this was the point from the beginning.
Is it really pronounced RAPE-ee-SCAN?
So, congress orders investigations into safety and a couple of weeks later they are phased out. Anyone else connecting the dots there?
"The images from these machines are not stored and are not too revealing. Here's a picture we uploaded to show that they're not stored, and we're sacking Rapiscan because the images are too revealing."
Isn't it a sad day for privacy when a big win is an agency NOT defying a direct order from Congress?
I was in Ecuador 2 weeks ago, flying to Panama. They x-rayed me at the airport too. I was so pissed - TSA's practice is influencing other countries (the hassle part, not the privacy part), and I have an inkling Ecuador is not as keen about privacy; if nothing else, unlike the US, my naked image is right there on the screen next to the device for everybody to see :(
This is definitely a win for privacy. But I don't think it's a win at all in the battle against security theater, as I'm sure some people may believe. While this does discredit the backscatter X-ray machines, it also kind of legitimizes the millimeter-wave machines.
Privacy, or safety? The X-ray scanners had the major problem that it is possible that they are extremely dangerous (in the sense of melanoma risk, not sudden and instant death.)
Millimeter is a non-ionizing microwave frequency. It's as safe as microwaves or visible light. Which is to say, if you aren't blasting someone with an 800-watt bulb, they aren't likely to cook.
From a privacy standpoint, either one can see through your clothing, so the degree of privacy depends on software.
Maybe this blog is prodding (embarrassing) the TSA into fixing some of their more obvious deficiencies. Blog is written by a former TSA airport screener. The insider jargon is most amusing (if you hear "code red" look around for the babe wearing red).
According to the TSA blog, the machines "will be removed by Rapiscan at their expense and stored until they can be redeployed to other mission priorities within the government."
With new L-3 machines on the way as replacements, this looks more like an expansion of privacy invasion rather than a contraction. Wonder what those "other mission priorities" include? Gov. buildings? Military facilities? Schools?
This is still not a win. It is in terms of health, but not in terms of privacy.
> I was wondering if you had any suggestions for elementary school supplies at an affordable price?
Now we know where the porno-scanners are going - into our schools!
Who cares about naked pictures? The real problems with TSA are the fact that they (1) disarm the public, (2) search people without probable cause, and (3) violate people's body cavities. All unconstitutional and not to be tolerated in a free country.
To the extent this so-called victory results in some people ceasing to hate and fight the TSA, it's a very bad thing. Both practices listed above, and the TSA itself must be abolished. Nothing less is acceptable.
Interestingly everybody seems to be concerned with the possibility someone would get a computer image of someone's body but the possible and probable health risk that those backscatter scanners represent receives no attention. Sort of "I don't care if I get a cancer, but don't ogle my boobs".
I don't see a problem with the media focusing on the privacy issues (which are clear and obvious) rather than the health issues (which are *very* iffy.)
Jarda: that's a case of a rock or a hard place.. would you rather have your genes mutilated by x-rays or cooked by microwaves? Both variants are bad from a health perspective.
A recent trip out of the LAX international terminal gave me a pretty good idea of just how bad these things are for you, from an epidemiological perspective:
The business/first security queue had only the old gate-style metal detectors deployed. The economy security queue had only new backscatter and millimeter machines.
That's about as good as saying "No matter what we say, we know these things are no good. And we certainly don't want to fuck with the people who can afford to pay $5000 for a seat for 9 hours."
Eric • January 21, 2013 8:07 AM
"So does anybody know how the images are stored and processed in the L-3 machines? It seems like perhaps I should end my opposition to body scanners, except I'm concerned that the raw images of naked people may be stored somewhere and be theoretically accessible."
I've read some things about these earlier and may be able to help you a bit on your way.
As said in this forum, the main concerns are radiation and what I would not hesitate to use the word virtue as more to the point than privacy.
As far as radiation is concerned, the whole discussion shouldn't be necessary. Not because of the arguments of intensity and so on, but because there are now several types that emit no radiation at all. I know of passive terahertz and infrared. This is because the human body is a radiation source as well. In my view, anything that emits any kind of radiation is second-rate at best and has to be condemned.
About virtue, I've read claims from some manufacturers that their products are incapable of generating full images, but never got my hands on proof in the form of the physics involved. If this is correct though, the same goes as above. In any case, through work at cryptography I have some idea about the kind of standards for sensitive data, and a bit of software to me seems mediocre at best.
To me, this does feel like an improvement, getting rid of much of the cheap junk (backscatter X-ray is generally half the price of L-3's) that is pretty much outlawed in the rest of the civilised world. But along with that rest of the world, the setup still feels second-class.
In the Netherlands they told the public the images were created without head and colored weirdly (silvery skin?) to make them "unattractive".
Whether this is true or not I have no idea.
When I passed the scanners, their display showed a standard schematic silhouette with shadows for stuff I should not carry.
Woo wrote: "would you rather have your genes mutilated by x-rays or cooked by microwaves? Both variants are bad from a health perspective."
Your comment shows how dangerously wrong your decision-making can be if you don't understand the biology and physics. x-rays vs microwaves is not a "screwed either way" choice: if cell phones emitted their energy as x-rays rather than microwaves, anyone who used one would die after making a 1-minute phone call.
The type of radiation matters. A *lot*. I'll let you off the hook on the distinction between microwaves and millimeter waves, though.
The millimeter wave machines are still far from perfect. One thought my knee was suspicious, even though I had nothing but my pants around the knee. Apparently false positives are common with this tech:
Terahertz (aka microwave) machines HAVE NO ESTABLISHED SAFETY RECORD. It is as simple as that. Nobody knows how safe they are. What we have here is an experiment on millions of nonconsenting (by virtue of being uninformed and intimidated) participants.
And, yes, there is some data which shows that EM radiation in that frequency zone can be biologically active beyond mere heating (I remember seeing an article in MIT Review showing that it affects DNA unzipping).
Deployment of these machines is a moral equivalent of Dr. Mengele's research - what it lacks in gruesomeness it compensates with the vast scale. But what you'd expect from the department of Total Sexual Assault - ethics?
Travelling yesterday I overheard two TSA agents talking:
Agent 1: "Did you get that memo about employees active between 2003-2007?"
Agent 2: "Yeah, I was working backscatter for 2 years - They can give me that money!"
To me that sounds like they are offering to compensate possible long-term exposure candidates probably in exchange for not suing in case it turns out that the radiation effects are significant.
The removal of the machines is more likely employee-health related than privacy related. As we know, privacy is not important enough to affect policy.
Hmm, I have never thought of that but it makes pretty good sense. Something happened that is related to those machines they covered it up and now removing the machines because of privacy.
For the record: my comments below are specifically on the safety of millimeter-wave scanners, not on x-ray backscatter machines or the privacy issues surrounding each.
"Terahertz (aka microwave) machines HAVE NO ESTABLISHED SAFETY RECORD."
The machines themselves do not, but we have millions of years of experience with the amount and kind of waves they emit. These machines emit on the order of 100 microwatts /square meter of power in the millimeter waveband. I calculate the natural blackbody radiation from room-temperature objects to be on the order of 1000 microwatts/square meter in the millimeter waveband.
That is, as you read this, the floor, walls, chair, and your clothing are bombarding you with 10 times more millimeter wave energy than the scanner creates. It's actually remarkable that the scanner can "hear" itself above all this background noise.
If these energy levels were harmful, we would all be dead.
"Deployment of these machines is a moral equivalent of Dr. Mengele's research"
Oh, *please*. There is no moral equivalence between subjecting people to known-lethal situations, and subjecting them to unfamiliar situations which all available evidence indicates to be perfectly safe. Even if the scans were known to be dangerous, you can opt out of them while Mengele's subjects could not. Equating these two situations is a disgusting rhetorical low blow, and an insult to those tortured to death in the holocaust.
> These machines emit on the order of 100
> microwatts /square meter of power in the
> millimeter waveband. I calculate the natural
> blackbody radiation from room-temperature
> objects to be on the order of 1000
> microwatts/square meter in the millimeter
This argument is quite specious, and you know it, because what matters is not a total dose of radiation in the entire range, but intensity and dose *at specific frequencies*. Quite a few biological molecules have resonant frequencies in the range.
Secondly, I have no reason to believe that these machines actually produce anything close to the claimed low power. There were documented cases of the backscatter machine test reports being off by an order of magnitude. Until there's a public oversight and established public safety standards for this technology, there's no way to believe the guys in charge aren't lying. They certainly did lie when they claimed that the backscatter X-rays were safe (surely that's why they remove these machines now - because they are safe; how can anyone be THAT naive?)
As for "please", please - subjecting uninformed and unwilling people by millions to the radiation with largely unexplored biological effects is very likely to kill some people. What is truly insulting to the memory of the Holocaust victims is perpetuating the very ideology that killed them. Do I have to remind that "security" imposed on the unwilling people was one of the prominent features of that ideology? Do you seriously think fascists presented themselves as the caricature Evil Guys in Cool Uniforms(tm)? All they did was presented to the public as good and necessary to protect people from the terrorists. Until the public got used to the life in the police state and offered no resistance when the definition of "terrorists" started to expand to cover members of the public.
As for opting-out - sure, if you like to be sexually assaulted and intimidated. Any private party doing what TSA screeners do when you choose to "opt out" would be locked up for years, deservedly. And never mind that if you opt out you run a very real chance of missing your flight (or if you fail to control your natural impulses and recoil from the assault or resist - then you can get arrested and charged with "endangering" the officers) - which makes a complete mockery of the notion that not opting out is somehow consensual.
I don't see this as a victory for anything to be honest.
They're replacing ionizing x-ray machines with ionizing x-ray machines.
They're still basically doing strip searches on everyone who walks through the machines.
They're still groping anyone who triggers a machine or who objects to the machine.
They're still wasting billions a year on techniques and machines which have been proven to be completely ineffective.
Their staff still generally acts unprofessional.
Their leadership still acts like it is above the law of the Courts and Congress.
Additionally, we now have the NYPD looking to do virtual strip searches as well: http://www.livescience.com/...
Keep in mind ASEI's been pushing hard for their backscatter trucks to be deployed on the nation's streets. I heard they were in Tampa for the RNC, but I stayed far away from that. I also dislike ASEI's promo videos for their trucks where they are proud of how non-descript their trucks are. So the plan is to x-ray people, but not let them be aware of it.
Big win for L-3, SMIN, and ASEI.