The attempted Y-Front bombing of a US-bound flight by Umar Farouk Abdulmutallab on Christmas Day has been the dominant international news story of the past few weeks. The repercussions for privacy are significant: President Obama has been scathing about security controls and demanded reforms. Around the world, governments are rushing to purchase full-body scanners that effectively undress passengers. As with any other spectacularly disproportionate and invasive new technology, we are assured that they are a panacea for all our security concerns, and that privacy controls will be adequate. But this time people are being taken in by the rhetoric.
The millimetre-wave body scanning devices allow operators to see an individual’s body profile, including any objects hidden within their clothing, and will (apparently) even show up implants, prosthetics and exploding underpants. The government has announced its intention to install them at major airports, despite experts questioning the devices’ effectiveness, and it now seems inevitable that we will soon be obliged to go through the scanners before boarding an aircraft. It would therefore seem likely that we will also see body scanning devices appearing at key public places and other parts of the public transport system.
The government has assured travellers that their privacy will be respected: that operators will be screened away unable to see the faces of travellers, and that images will not be shared with other systems. The public seem to have accepted – once again – that a loss of privacy is acceptable in return for a sense of increased security. But these controls are inadequate and simplistic: applying privacy controls to a fundamentally invasive system does not make it privacy-friendly, any more than designing an assault rifle with a safety catch stops it from being a dangerous weapon.
In a recent paper, Ontario Privacy Commissioner Dr Ann Cavoukian explains how Transformative Technologies can be used to achieve Privacy by Design in whole-body scanner systems. Graphical filter algorithms can be used to retain the information contained within the body scan image, whilst simultaneously blurring and silhouetting body outlines that would otherwise be intrusive: unauthorised objects can be spotted without the operator seeing an image of the traveller’s naked body. If body scanners are to be used then it seems logical to incorporate these privacy features, but that doesn’t mean that the technology complies with principles of Privacy by Design.
Privacy by Design is about building systems that fundamentally respect and preserve personal information rights throughout every aspect of their processing. A machine that is designed to undress people is clearly never going to be privacy-friendly no matter how one tries to apply controls: it is, however, possible to minimise the risk of information leaking outside of the operating environment, being stored or aggregated with other information. Furthermore, this is a poor example of privacy controls, since most reasonable individuals would tolerate a degree of privacy loss to preserve their safety in an environment such as air travel, where we generally have an imbalanced perception of risk because of the terrible impact of the likes of 9-11.
This whole debate distracts attention from two important issues (and I suspect that it is designed to do precisely that):
- Security of departures from UK airports, and the major hubs in particular, is generally extraordinarily good. If a terrorist really wants to cause chaos and fear, then there are plenty of public places that present much easier and more effective targets than an aircraft.
- Our focus of frontline security continues to be upon finding the bombs, not the terrorists: Israel has known for years that the most effective way to protect its air travel is to create ‘layers’ of trained operatives who look at the individuals, not what they might be hiding in their shorts. I was delighted to see that today’s Evening Standard’s headline is “New Way to Spot a Plane Bomber,” in which they reveal that ‘acting nervously or gripping a bag are tell-tale signs.’ That’s not exactly news, but at least it recognises that maybe technology isn’t the answer.
There is of course a role for the nudatrons, but not as the first (and only) layer of defence. If they are used as a way to conduct a detailed body search without forcing the subject to strip, then they become privacy-enhancing, not a threat to privacy. But they shouldn’t be applied to everyone, just as we wouldn’t force every air traveller to strip. The detailed searches should be just for those who have been identified by profilers and trained observers as being of potential interest. If there’s a need for us to relinquish a degree of privacy in order to achieve safety in the air – and that case isn’t proven – then let’s not force that sacrifice on everyone.