Today, in a good NYT article, John Schwartz explores the problem of whole body imaging and privacy after the Detroit bombing. What I find interesting is the effort of privacy groups to run for cover now that the cost of their campaigns is clear. Schwartz interviews the head of a particularly aggressive privacy group, Marc Rotenberg of EPIC, asking him about his group's position on whole-body imaging:
Marc Rotenberg, head of the Electronic Privacy Information Center, said his group had not objected to the use of the devices, as long as they were designed not to store and record images.
That sounded very moderate, very nuanced.
What it didn't sound was, well, true. I didn't remember that perfectly reasonable position coming out of Rotenberg's mouth before the Detroit bombing. So I went back to the record.
In May, EPIC signed a letter demanding that use of the machines be suspended until a Privacy Impact Assessment was complete. That sounded pretty reasonable, too. Technically, EPIC's letter just asked for an assessment of the technology. But the history of environmental assessments shows that they are often just the first step in a campaign to stop new technology cold. And the name of EPIC's campaign was, after all, "Stop Whole Body Imaging."
So, was the May letter a stalling tactic or an honest request for a careful privacy impact study? If you couldn't tell in May, you surely could by October. Because by then, giving EPIC and its allies the benefit of the doubt, DHS's Chief Privacy Officer had actually completed the Privacy Impact Assessment that they had asked for. It came to the conclusion that Rotenberg now says he supports, finding that whole body imaging
"has the potential to improve threat detection capabilities for both metallic and non-metallic threat objects, while improving the passenger experience for those passengers for whom a physical pat-down is uncomfortable. The operating protocols of remote viewing and no image retention are strong privacy protections that permit security benefits to be achieved.
If all that EPIC wanted was a fair assessment plus safeguards against data storage, that should have been enough.
Was it?
Not on your life. It turns out that EPIC didn't want an assessment, or an assurance about storing images. What EPIC wanted was an assessment that banned use of the machines for primary inspection. Here's what EPIC and its allies told Congress in October about the Privacy Officer's assessment:
"[I]f the Chief Privacy Officer were satisfying her statutory duty to assure that new technologies do not erode the privacy protections of American citizens, the new policy would not have been implemented in the first place. Due to its extremely invasive nature, the whole body imaging technology is almost by definition a new technology that erodes the privacy protections of American citizens. Implementing such technology for every traveler that passes through an airport security checkpoint regardless of suspicion is exactly the type of action that the Chief Privacy Officer should be preventing in satisfaction of her statutory obligations.
What EPIC is saying here is quite remarkable. It's claiming that DHS's Chief Privacy Officer had a statutory duty to prohibit deployment of the machines. The assessment, in other words, could only come out EPIC's way. Any other outcome is a violation of law.
And EPIC's preferred outcome isn't exactly nuanced. If the law were followed, EPIC said, "the new policy would not have been implemented in the first place" because that "is exactly the type of action that the Chief Privacy Officer should be preventing in satisfaction of her statutory obligations."
As far as I can see, everything EPIC did and said up until Christmas Day 2009 was perfectly consistent with the name of its campaign. It wanted to "stop" whole body imaging, not reform it or guarantee that images weren't stored.
Now?
Not so much.
Now, I guess the question is: Whose image is EPIC protecting -- yours or its own?
Comments