Image
© Wired.com
A privacy group says the Transportation Security Administration is misleading the public with claims that full-body scanners at airports cannot store or send their graphic images.

The TSA specified in 2008 documents that the machines must have image storage and sending abilities, the Washington-based Electronic Privacy Information Center (EPIC) said.

In the documents, obtained by the privacy group and provided to CNN, the TSA specifies that the body scanners it purchases must have the ability to store and send images when in "test mode."

That requirement leaves open the possibility the machines -- which can see beneath people's clothing -- can be abused by TSA insiders and hacked by outsiders, said EPIC Executive Director Marc Rotenberg.

EPIC, a public-interest group focused on privacy and civil rights, obtained the technical specifications and vendor contracts through a Freedom of Information Act lawsuit.

The written requirements also appear to contradict numerous assurances the TSA has given the public about the machines' privacy protections.

"The machines have zero storage capability," the TSA Web site says.

And the TSA has distributed numerous news releases with similar language as it lobbies for public acceptance of the machines as a less intrusive alternative to pat-downs.

A TSA official who spoke on condition of anonymity because the official is not authorized to speak on the record said all full-body scanners have "strong privacy protections in place" and are delivered to airports "without the capability to store, print or transmit images."

"There is no way for someone in the airport environment to put the machine into the test mode," the official said, adding that test mode can be enabled only in TSA test facilities. But the official declined to say whether activating test mode requires additional hardware, software or simply additional knowledge of how the machines operate.

The controversy arises as the TSA is promoting the machines as a possible way to prevent assaults on U.S. airliners, such as the Christmas attempt on Northwest Flight 253.

About 40 machines are already in use at 19 airports, and the TSA says it will deploy 150 more nationwide this year, while appropriating money for an additional 300 machines for 2011.

"I don't think the TSA has been forthcoming with the American public about the true capability of these devices," EPIC's Rotenberg said. "They've done a bunch of very slick promotions where they show people -- including journalists -- going through the devices. And then they reassure people, based on the images that have been produced, that there's not any privacy concerns.

"But if you look at the actual technical specifications and you read the vendor contracts, you come to understand that these machines are capable of doing far more than the TSA has let on," he said.

The TSA should suspend further deployment of the machines until privacy and security questions are resolved, Rotenberg said.

TSA officials say they have taken sufficient measures to protect privacy.

The TSA officer viewing the image cannot see the actual passenger. No cameras, cell phones or other devices capable of capturing an image are allowed in the room where the image is displayed, according to the TSA. The agency adds that images are deleted from the system after the operator reviews them. And employees who misuse the machines are subject to serious discipline or removal.

Further, the TSA says, the machines are not networked and cannot be hacked.

EPIC said it is pursuing a lawsuit to obtain additional documents about the machines from the TSA.