The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
Thursday, January 07, 2010
The incomparable Frank Work, Information and Privacy Commissioner of Alberta, appears to have an opinion on body scanning technologies.
Privacy boss pans scans
New naked body security measures at airports don't fly, he says
The thin edge of the wedge -- it's not the happiest of analogies when the subject is naked body scans and orifice-probing technology.
But that's the uncomfortable warning from Alberta Privacy Commissioner Frank Work, following a federal decision to install full-body security scanners at major Canadian airports, including Calgary and Edmonton.
Blasting the move as a serious blow to personal privacy and dignity, Work says he expects the obvious flaws in body-scanning security will result in more high-tech "toys" to fill the gaps.
"What will they do next, after the next incident? We're running out of toys and technological silver bullets," said Work, one day after the federal government announced the new airport security measures.
Work guards the privacy of Albertans, be it information or images.
If this was an Alberta rule or an airport decision, Work would surely step in and prevent the visual strip-search.
But being federal legislation, Work fears there is nothing he can do to block the airport scanners, which expose naked images of passengers to the eyes of prying security staff.
"The bottom line is it's a dignity issue, and either out of fear or because we don't want to stand in line too long, we've forsaken any notion of dignity -- it's like, all right, we'll assume the position," said Work.
He's awaiting a call from federal Transport Minister John Baird, but Work believes his hands are tied.
Work said that because human-monitored body scanners aren't perfect, showing only a surface view of the nude passenger, he believes it's a matter of time and/or tragedy before the next step is taken.
"The system is still prone to failure, so let's say the next guy packs his ass with however many grams of (plastic explosive) he can shove up there, and either successfully or unsuccessfully detonates it. What do they do next?" said Work.
"How do they trump full body scans? There actually is a device called the BOSS -- the Body Orifice Security Scanner -- where you sit in a plastic armchair and it can detect plastic or metal in body orifices. Is this next?"
The privacy boss knows his technology, and the chair he references is used in U.S. prisons, in lieu of the old rubber glove approach. That it could easily be installed in airport security areas is a squirmy thought.
Work believes it's just a matter of time.
"At what point do we say, 'Holy crap man, you're patting me down, you've got pictures of me naked, you've got me squatting on a chair, and you've taken my water bottle away'. I mean at what point is enough, enough?"
The federal government is installing 44 of the $250,000 body-scanners across Canada, as well as implementing a new system of visual observation, where security staff will monitor passenger behaviour.
The changes come in response to a Christmas Day attempt to blow up a jetliner over Michigan, when a Nigerian man failed to ignite explosives sewn into his underwear.
While the new body-scanners reportedly wouldn't have caught the underwear bomber -- the explosives were spread too thin -- U.S. demands for extra security have forced countries like Canada to follow suit.
Work says Canada obviously has little choice, if citizens want to travel internationally.
While the U.S. is forcing Canadian travellers to surrender their dignity, Work said the real danger is people starting to believe in safety, purchased through an invasion of privacy.
"The thing that troubles me most as the privacy commissioner, is we're getting more and more used to this stuff.
"Maybe we have to throw in the towel on the body scanners, but the next time the police or authorities come along wanting to blanket the city in cameras for safety reasons, we'll be that much more compliant."
Labels: air travel, airlines, homeland security, national security, privacy
Sunday, January 03, 2010
The thwarted Christmas Day bombing plot has certainly raised security levels in airports over the holidays. Individual passengers are being frisked before boarding, presumably to make sure they don't have any hidden compartments in their unmentionables (but inspectables). Carryons are being dramatically restricted to reduce screening times, as all such items have been hand inspected. Not at all surprisingly, this has brought body scanning technology to the fore.
In October of this year, the Federal Privacy Commissioner gave her conditional approval to the use of the technology. The conditions are that the images are not retained and the scanners are used only as a secondary screening tool. (See: A necessary image - The Globe and Mail.) However, all passengers to the US are now subject to secondary screening. The Globe article says that technology exists to blur faces and genitals, but I would think that genital blurring might have obscured a cleverly hidden crotch bomb.
Also according to the Globe (Nigeria, Netherlands to introduce full-body imaging; Canada undecided - The Globe and Mail), both countries that were connected to the pantsbomber, Nigeria and the Netherlands, are introducing body scanning for all flights to the United States. So are UK airports (BAA to introduce full-body scanners at UK's Heathrow).
I travel a lot. Personally, I'd rather be virtually stripped in five seconds than physically patted down by a stranger over two or three minutes. But I'm not so shy. I would also think that the same technology that is currently used to detect explosives residue should be rolled out on a wider scale as well.
For a good overview of the technology and the debate, check out: Full-Body Scanners at Airports: The Good, the Bad, and the Ugly (Technomix, Fast Company).
Also, CBS (via YouTube) does a pretty good job of covering the debate:
Labels: air travel, airlines, homeland security, privacy, security
Saturday, October 17, 2009
Computerworld is reporting on the first report of the Department of Homeland Security Privacy Office since the changeover to the Obama administration. The report itself is interesting, but perhaps most interesting are the statistics related to the number of searches of laptops at border crossings. This has been a controversial practice since reports on it came to light some time ago. I was surprised to read that fewer than two thousand took place in the year under review, in light of the millions of people (and laptops) that have crossed the border during that time.
Here's Computerworld's coverage: Laptop searches at airports infrequent, DHS privacy report says.
Labels: air travel, airlines, border, homeland security, laptop, law enforcement, privacy
Thursday, October 09, 2008
Two senators have introduced a bill to curb controversial laptop searches and seizures, limiting them to when there is a reasonable suspicion of illegal activity:
Techworld - Privacy groups praise bill curbing warrantless laptop searches
Feingold's bill spells out standards for search and seizures of electronic equipment belonging to US travelers at airports and other borders. The biggest condition is that such searches may be initiated only if the customs agent has "reasonable suspicion" that the traveler is carrying contraband or items otherwise prohibited in the country, or because the traveler is prohibited from entering the US. The equipment may be seized only if the DHS secretary, or a relevant federal or state law enforcement agency, obtains a probable-cause warrant on the belief that the equipment contains information that either violates a law, provides evidence of illegal activity or is foreign intelligence material.
Labels: air travel, airlines, homeland security, laptop, privacy
Saturday, September 13, 2008
The US Department of Homeland Security is warning government types travelling internationally that their electronic devices may be subject to seizure or interception. Oh noes! Imagine such a threat to privacy and security!
Thank goodness they've provided some tips on how to avoid the prying eyes of oppressive governments. Of course, these tips weren't provided to the unwashed masses, but wikileaks has a copy of the "FOR OFFICIAL USE ONLY" document. See: US DHS: Foreign Travel Threat Assessment: Electronic Communications Vulnerabilities 2008 - Wikileaks.
I suggest reading it before travelling into, out of, through, around or over the United States. Or any other intrusive country.
Labels: homeland security, privacy
Friday, August 01, 2008
There's been a bit of a buzz lately about laptop inspections by the Department of Homeland Security (Crossing the border? Consider the possibility of laptop searches, Hands off my laptop, Your papers and laptops, please?, US Customs confiscating laptops). Today, the Washington Post is reporting on recently disclosed policies used by the DHS to take and inspect laptops:
Travelers' Laptops May Be Detained At Border (washingtonpost.com)
... The policies state that officers may "detain" laptops "for a reasonable period of time" to "review and analyze information." This may take place "absent individualized suspicion."
The policies cover "any device capable of storing information in digital or analog form," including hard drives, flash drives, cell phones, iPods, pagers, beepers, and video and audio tapes. They also cover "all papers and other written documentation," including books, pamphlets and "written materials commonly referred to as 'pocket trash' or 'pocket litter.' "
Reasonable measures must be taken to protect business information and attorney-client privileged material, the policies say, but there is no specific mention of the handling of personal data such as medical and financial records.
When a review is completed and no probable cause exists to keep the information, any copies of the data must be destroyed. Copies sent to non-federal entities must be returned to DHS. But the documents specify that there is no limitation on authorities keeping written notes or reports about the materials.
"They're saying they can rifle through all the information in a traveler's laptop without having a smidgen of evidence that the traveler is breaking the law," said Greg Nojeim, senior counsel at the Center for Democracy and Technology. Notably, he said, the policies "don't establish any criteria for whose computer can be searched." ...
If you want to take a look at the policy itself, it's here.
Thanks to Rob Hyndman for the tipoff.
Labels: border, homeland security, international travel, laptop, patriot act, privacy
Saturday, December 29, 2007
Another "year in review" ... this time the Computerworld nominees to the security hall of shame:
The 2007 Security Hall of Shame
A brace of breaches: 2007's five worst
In a league of its own: The TJX Companies Inc.
The U.K.'s VA: HMRC misplaces records on 25 million kids In November
The system was broken brokered: Fidelity National Information Services
Some honor among thieves: TD Ameritrade Holding Corp. Brokerage firm Ameritrade
Creatures from the hack lagoon: Monster.com
Ummm ... oops?
Notable meltdowns
Do you copy?: DHS's self-created DDoS attack
Bag that: Supervalu gets phished
Undiplomatic relations: Symantec in China
Hear me, see me: House outs whistle-blowers
Arrrrr! WGA sees pirate people
... and your 2007 poster boys
Consultant turns bot herder: John Schiefer
Exit strategy: Gary Min
Don't drop the soap: Ivory Dickerson
Unbirthday boy: Yung-Hsun Lin
Pick a hat already: Maxwell Butler
Labels: 2007 in review, homeland security, privacy, tjx
Sunday, September 23, 2007
Yesterday's Washington Post ran a front page story on the amount of information collected by the Department of Homeland Security as part of its Automated Targeting System.
Collecting of Details on Travelers Documented - washingtonpost.com
The U.S. government is collecting electronic records on the travel habits of millions of Americans who fly, drive or take cruises abroad, retaining data on the persons with whom they travel or plan to stay, the personal items they carry during their journeys, and even the books that travelers have carried, according to documents obtained by a group of civil liberties advocates and statements by government officials.
The personal travel records are meant to be stored for as long as 15 years, as part of the Department of Homeland Security's effort to assess the security threat posed by all travelers entering the country. Officials say the records, which are analyzed by the department's Automated Targeting System, help border officials distinguish potential terrorists from innocent people entering the country.
But new details about the information being retained suggest that the government is monitoring the personal habits of travelers more closely than it has previously acknowledged. The details were learned when a group of activists requested copies of official records on their own travel. Those records included a description of a book on marijuana that one of them carried and small flashlights bearing the symbol of a marijuana leaf....
Labels: homeland security, privacy
Sunday, January 21, 2007
If a current bill introduced in the US Congress is passed, the chief privacy officer will have expanded powers, including the ability to issue subpoenas and to report directly to Congress. See: House bill would boost power of DHS privacy chief (1/19/07).
Labels: homeland security, law enforcement, national security, privacy
Saturday, December 16, 2006
Labels: homeland security, privacy
Sunday, May 21, 2006
This is interesting (and unexpected):
DHS Privacy Office Bashes RFID Technology To Track People - Yahoo! News:
The Department of Homeland Security's Privacy Office has issued a draft report that strongly criticizes privacy and security risks of using radio frequency identification devices for human identification. Public comment on the paper is being taken until May 22.
The privacy office says the technology offers little performance benefit for identification purposes compared with other methods and could turn the government's identification system into a surveillance system.
Labels: homeland security, information breaches, rfid, surveillance
Monday, April 24, 2006
The Department of Homeland Security and the Department of Health and Human Services have signed a deal to allow unprecedented data sharing to address pandemics and other travel-related health concerns. This goes far beyond the "Safe Traveler" deal previously worked out and critics say that it violates the US/EU pact related to passenger info. To make matters worse, the agencies involved did not publish a privacy impact assessment, though one is required for projects such as this. See: http://www.govhealthit.com/article94159-04-24-06-Print
Posted on my Blackberry from Calgary, so my apologies for the formatting.
Labels: health information, homeland security, information breaches
Sunday, December 18, 2005
One of the problems with widespread monitoring is the huge incidence of "false positives". This example from the University of Massachusetts is instructive and a bit chilling to those who have commented upon it.
A senior at UMass Dartmouth was doing a research paper on communism in a class on fascism and totalitarianism. As part of his research, he requested a copy of Chairman Mao's Little Red Book using the interlibrary loans system. (Why a major university library does not have its own copy of the book raises completely different questions.) Instead of the book, he received a visit from officials from the Department of Homeland Security. The agents told the students that the book is on a "watch list". Actually, the agents brought the book with them, but did not leave it with him.
Privacy advocates aren't generally pleased with any watching of what people read, but the chilling effect of this is significant. The professor who teaches the class has decided against teaching a planned class on terrorism because he does not want to put his students at risk of this sort of surveillance and profiling.
Read the coverage here: Agents' visit chills UMass Dartmouth senior: 12/17/2005, Student Gets Surprise From Mao's Book. Some comment here: Gardistan in Vision: Political censorship in Bush's USA, The Dark Wraith Forums: Special Report: Feds Question Student for Requesting Book of Mao Tse-Tung Quotations, Villa Beausoleil: Fascism comes to New Bedford, David Farrar: Book Monitoring.
UPDATE: There is speculation at Boing Boing that this story is a hoax. Boing Boing: DHS agents visit student over Little Red Book - HOAX DEBATE. As I hear more, I'll post here.
UPDATE 2: The Canadian Privacy Law Blog: Story about feds visiting after request for Mao book is a hoax.
Labels: homeland security, information breaches, libraries, surveillance
Saturday, December 03, 2005
The Los Angeles Times is reporting that the embattled ChoicePoint has garnered some additional publicity as it seeks to have access to the entire database maintained by the California Department of Motor Vehicles. It is seeking to have the usual DMV fees waived as it is seeking the records in order to serve its client, the Department of Homeland Security. A number of Californians are a little reluctant to have the state give access to the company that allowed identity thieves free rein in its other databases. The article also discusses some tussles with the Pennsylvania DMV. Check it out: Big Data Broker Eyes DMV Records - Los Angeles Times.
Thanks to Daniel Solove at Concurring Opinions for the link. Check out what he has to say as well: Concurring Opinions: ChoicePoint Wants Your Motor Vehicle Records.
Labels: choicepoint, homeland security, information breaches
Sunday, November 06, 2005
I think we might see some backlash against the proposition that Muslims in the United States should pre-register with the Department of Homeland Security if they want to fly on a commercial aircraft. It is a bit ironic that it is coming from the head of Civil Rights for the DHS. And I would have thought that they would have spun this a little better. I'm not so sure that too many people will be comfortable with handing the DHS a completed "Passenger Identity Verification Form", including name, address, birth date, height, weight, eye and hair color, and attaching copies of three of the following documents: passport, visa, birth certificate, naturalization certificate, voter registration card, government identity card or military identity card. The more suspicious and cynical among us might think that law enforcement and intelligence folks may keep that information on hand and use it for other purposes. See: Homeland Security rights chief urges Muslim fliers to register (phillyBurbs.com) | New Jersey News.
Labels: homeland security, information breaches
Wednesday, September 28, 2005
Ryan Singel at Secondary Screening is reporting that the privacy officer at the Department of Homeland Security is resigning unexpectedly. The DHS is the only US Federal Agency that is required by law to have a privacy officer: Secondary Screening: Privacy Czarina Resigns.
Labels: homeland security, information breaches
Tuesday, March 29, 2005
The Department of Homeland Security is learning that RFID has negative connotations. According to Wired News, they're trying to rename them, at least in their cards:
Wired News: RFID Cards Get Spin Treatment:
"... The distinction is part of an effort by the Department of Homeland Security and one of its RFID suppliers, Philips Semiconductors, to brand RFID tags in identification documents as 'proximity chips,' 'contactless chips' or 'contactless integrated circuits' -- anything but 'RFID.' ..."
I suppose they didn't want to call them "auto id chips" or "spy chips".
Labels: homeland security, information breaches, rfid
Saturday, March 26, 2005
According to an investigation by the Department of Homeland Security, and reported on by Yahoo news (Report: TSA Misled Public on Personal Data), the Transportation Security Administration misled the public about its role in getting passenger information from airlines while testing its passenger profiling software.
CBS News has a strongly-worded headline for its coverage of the story: CBS News | Airline Passenger Privacy Betrayed
Labels: air travel, homeland security, information breaches
Friday, February 04, 2005
Labels: homeland security, information breaches
Wednesday, September 22, 2004
From Washington Technology:
Canada-DHS pilot program to use iris scanning:
"The Canada Border Service Agency, which is working on a Registered Traveler-style pilot program with the U.S. Homeland Security Department, is implementing iris-scanning technology at Canadian airports to verify the identity of travelers.
The program, called Nexus Air, will begin in November at Vancouver International Airport, Vancouver, British Columbia, before rollout at other Canadian airports for a yearlong trial. ...
Nexus Air builds on Canada’s Canpass Air program, which has 4,000 members and also uses iris scanning. As in the U.S. Transportation Security Administration’s Registered Travel pilot program, frequent fliers enroll in Canpass Air -- and soon Nexus Air -- by volunteering personal information and submitting to an iris scan. In return, they can then enjoy expedited check-in and customs screening."
Labels: air travel, airlines, bc, homeland security, information breaches, international travel
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.