Eight years ago, officials at Orlando International Airport first began testing the millimeter-wave body scanners that are currently at the center of a national uproar. The designers of the scanners at Pacific Northwest National Laboratory offered U.S. officials a choice: naked machines or blob machines? The same researchers had developed both technologies, and both were equally effective at identifying contraband. But, as their nicknames suggest, the former displays graphic images of the human body, while the latter scrambles the images into a non-humiliating blob.
Since both versions of the scanners promise the same degree of security, any sane attempt to balance privacy and safety would seem to favor the blob machines. And that’s what the handful of European airports that have adopted body scanners chose. This is in part due to the efforts of European privacy commissioners, such as Germany’s Peter Schaar, who have emphasized the importance of designing body scanners in ways that protect privacy. However, most European airport authorities have declined to adopt body scanners at all, because of the persuasive evidence that they’re not effective at detecting low-density illegal material, such as the chemical powder PETN concealed by the so-called underwear bomber last Christmas.
The U.S. Department of Homeland Security (DHS) made a very different decision. It deployed the naked body scanners without any opportunity for public comment—then appeared surprised by the predictable backlash. Why? Part of the answer is that protecting privacy isn’t something that the U.S. government has ever done well. Compared to their European counterparts, U.S. privacy offices lack both independence and regulatory teeth. And, while the Department of Homeland Security’s privacy office has broader legal authorities than most, it nevertheless failed to raise the obvious objections to the body scanners. That suggests the government needs a genuinely independent institution dedicated to protecting Americans’ privacy in order to avoid similar debacles in the future.
The role of the DHS privacy officer was at the center of the controversy over the creation of the department itself. In 2002, conservative libertarians and liberal civil libertarians protested that the newly created DHS might end up spying on Americans. So Republican House Majority Leader Dick Armey, a staunch libertarian, added a requirement that the new agency appoint a chief privacy officer to ensure that new technologies “sustain and do not erode” privacy protections. Some advocates, such as Marc Rotenberg of the Electronic Privacy Information Center (EPIC), insisted that the privacy officer would cave to the secretary of DHS unless the office was made independent. (Disclosure: I’m on the EPIC advisory board). Rotenberg proved to be right.
When the Transportation Security Administration (TSA) first proposed to test the use of body scanners for secondary screening during the Bush administration, the DHS chief privacy officer, Hugo Teufel, issued a privacy impact assessment saying that the pilot program achieved its goal of “minimizing privacy intrusions.” However, Teufel’s assessment did not even consider the blob machine as a possible alternative. In July 2009, the Obama administration’s newly appointed DHS chief privacy officer, Mary Ellen Callahan, reaffirmed this conclusion. Her analysis also misleadingly stressed that DHS had disabled the storage capacity of the machines in airports. However, a Freedom of Information Act request by EPIC revealed that it was DHS that had required vendors to produce devices capable of storing and transmitting images in the first place.
In May 2009, EPIC learned that DHS had decided to use body scanners for primary screening rather than secondary screening, as the agency had previously asserted. So EPIC and a coalition of similar organizations wrote to DHS Secretary Janet Napolitano urging her to begin a formal rule-making process so the public could weigh in. Napolitano didn’t respond to the request, or to a subsequent call to suspend the program. In October 2009, EPIC and its partners wrote to the chair of the House Committee on Homeland Security, Representative Bennie Thompson, and complained that Callahan had “failed to fulfill her statutory obligations and that the Congress must consider the establishment of alternative oversight mechanisms, including the creation of an office that is independent of the agency it purports to oversee.”
A natural solution would be to increase the powers of the Privacy and Civil Liberties Oversight Board that Congress created in 2004. During the Bush administration, the board gained a reputation for being under the thumb of the White House. In 2007, administration officials deleted from its first report a passage that would have disclosed an internal procedure for intelligence officials to file privacy complaints against intrusive surveillance programs. (One of the panel’s five members, Democrat Lanny J. Davis, resigned from the panel to protest the deletion.) Congress responded by making the board more independent of the White House and giving it subpoena powers. But the board has been empty since January 2008, and President Obama hasn’t nominated any members, let alone a chair.
In light of the failure of the DHS privacy office, Congress needs to give a federal privacy office the status of an independent regulatory agency, like the Federal Trade Commission (FTC). The FTC recently proved its ability to resist political and commercial pressures by releasing an important report on consumer privacy calling for a “do not track” tool to protect privacy on the Web. But, although independent, the FTC lacks the statutory authority to regulate the public and private sectors as effectively as European privacy commissions do. What’s required is a stand-alone agency whose core mission is to serve as a privacy watchdog for the federal government.
Unfortunately, the same libertarian conservatives who have provided crucial leadership in the fight against the body scanners are ideologically opposed to creating new regulatory agencies that might restrict the private sector. For example, at the end of November, Ron Paul introduced in the House the American Traveler Dignity Act, which would deny immunity to any federal employee who subjects travelers to physical contact or body scanners as a condition of flying. But in the past, libertarians like Paul have opposed the creation of a federal privacy agency because of concern about strengthening government regulation.
Yet strong and independent privacy agencies have allowed most European countries to escape the absurd security theater of the naked body scanners. And European regulators have succeeded in creating a culture of privacy protection even among law enforcement officials. The European commissioner for justice, fundamental rights, and citizenship, Viviane Reding, holds a role in Europe that combines some of the functions of Janet Napolitano and Attorney General Eric Holder, but she has become an eloquent champion of privacy and data protection. She not only opposed the naked machines, expressing concerns about both their effectiveness and their intrusiveness, but she also recently proposed the creation of a right to be forgotten online, which would require companies like Facebook to delete embarrassing photos and messages on request. (“God forgives and forgets but the Web never does,” she told the European Data Protection and Privacy Conference.) Although Reding’s proposals raise complicated questions about free expression, it’s impossible to imagine Janet Napolitano making a similarly strong defense of privacy. That needs to change, so that American citizens aren’t subject to more pointless indignities at the airport.
Jeffrey Rosen is the legal editor for The New Republic. This article ran in the December 30, 2010, issue of the magazine.