Comment A blog reader asked me to look at the code of practice on the acceptable use of body scanners to enhance security at UK airports. The consultation period associated with the code ended four weeks ago, so I apologise for a severe case of “better late than never”.
In summary, the code still ignores several key issues. However, to be fair to the incoming coalition government, the consultation (.doc) had been commenced in the dying days of the previous administration. It had no choice but to finish a process that carries all the hallmarks of New Labour’s dismissive approach to most privacy concerns.
The code gives the impression that the Data Protection Act only applies at the margins. This is illustrated by a 400-word Privacy Impact Assessment (pdf) which fails to impress; it is limited mainly to some security commentary – as if these were the only issues. The PIA does not consider the fairness elements of the processing of personal data, an area where the code needs most work.
For instance, the fair processing notice implied by the code fails to explain important elements. For instance, those who are scanned can request a same sex member of staff to see the scanned images. So how is this option going to be exercised, if this does not form part of the fair processing arrangements?
Also, I think the fair processing procedure excludes its most obvious component. Anybody selected for scanning, I am sure, will be thinking: “How does this system display my ‘bits’?” So how can a passenger be properly informed about the processing of his personal data if he has no idea what kind of images are produced (or displayed) by the specific scanning system used?
I think another major problem is an absence of a commitment to implement privacy-enhanced scanning technologies as a matter of principle. Instead, the decision of “which choice of scanner” (ionising X-ray or non-ionising millimetre wave) is merely “an operational decision for individual airports” (eg on cost grounds).
The consultation thus ignores the research published by Dr Anne Cavoukian that shows there are solutions that can protect privacy. I would have liked the code to make a commitment to implement such non-ionising scanners as soon as their operational effectiveness is proven.
Also I think the code is misleading when it tells passengers that they have a choice – they can either “be scanned” or “not fly”. I don’t believe this to be the relevant choice. For instance, suppose an individual tries to get on a plane and is selected for random scanning. Suppose further that the individual refuses to be scanned for whatever reason. Do you think that the refusal to be scanned would be the end of it?
To provide an extreme example: do you really think that someone who might be a terrorist who has opted-out of a scan because he might be discovered will merely be escorted away from the secure passenger side of the airport and let go?
Nope! I think any refusal to be scanned would result in close scrutiny of that individual and anybody remotely “suspicious” would be searched. And if the security people are then going to search “suspects” and find nothing, why can’t the searched individual then go on to fly?
I think the whole proposition in the code is based on a fallacy. The option is not between “be scanned” or “don’t fly” - the only real option is between “be scanned” or “be searched”.
In other words, those who refuse to be scanned and "don't fly" are likely to be searched. And if this is the case, why can’t someone state that they would prefer to be searched at the outset? Another example. Suppose the scanner sees “something” - that passenger will then be searched. And if that is the case, why can’t people choose to be searched before the scan?
I therefore think the code is wrong to insist that those with electronic heart pacemakers, pregnant women, external medical bags (eg stoma), the disabled and young children have to be scanned (eg by ionising radiation) if selected.
Indeed, with respect to ionising radiation, the code confidently states that analysis has shown that procedure “does not constitute any unacceptable risk to health” – almost with the same certainty of those who said the Titanic was unsinkable. But if you are that passenger with an electronic pacemaker or a young child or a patient with a certain medical condition, I do not think you will be reassured by government statisticians. This reinforces my view that a choice between “scan” or “search” should be available.
The code acknowledges that the Data Protection Act applies to the scanning regime, but fails to mention some of the consequences of this. For example, there is no mention of the fact that the ICO has regulatory powers over the use of scanners. Instead the code refers to inspectors from the Department of Transport taking enforcement action against those Airports.
This shows that the code has not got its data protection analysis correct. I would expect that any complainant would prefer to contact the ICO if there was an issue with the scanners and not deal with the Department of State that has a vested interest in installing these scanners.
Offences in the Act are overlooked. I would have thought passengers would be reassured that any leering security guard could face criminal sanction under the Act.
Finally, as with all the previous government’s surveillance activity, there is no mention in the code about measuring outcomes. For instance, how many people are scanned? How much does it cost per scan? How many false positives? How many searches? How many passengers objected to compulsory scanning? How many choose not to fly? All these numbers allow for these scanners to be assessed. The numbers to allow assessment are simply not collected and it is simply not good enough.
In summary, there is no change of mind from me. This code needs a total rethink.
This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.