Feeds

US airport body scanners can store and export images

Uproar likely over threat of blurry customs pr0n

Reducing the cost and complexity of web vulnerability management

Full body scanners at US airports can transmit digital strip search images of people, contrary to US Transportation Security Authority assurances.

The TSA has maintained that such scanners cannot store or transmit scanned body images of people, stating that "the machines have zero storage capability."

A TSA release stated that any scanned full body image "won't be stored, transmitted or printed, and [will be] deleted immediately once viewed." This is wrong too.

But according to documents obtained under freedom of information laws by EPIC (Electronic Privacy Information Center), they do indeed have a storage capability.

According to the TSA procurement specification, v1.02, 23 September 2008, the scanner, termed a Whole Body Imager (WBI) will have "a high capacity read/write drive... to permit data uploads and downloads." It will also "provide capabilities for data transfers via USB devices" and support both Ethernet and TCP/IP. Field reporting data for up to a year will be stored on the hard drive.

The procurement spec specifies two operating modes. In screening mode the WBI system will "prohibit the storage and exporting of passenger images."

However, "when not being used for normal screening operations, the capability to capture images of non-passengers for training and evaluation purposes is needed" and this is provided in test mode. In screening mode, the system will be prohibited from exporting passenger image data. The spec states: "During Test Mode, the WBI shall not be capable of conducting passenger screening."

Therein lies the rub. The system does not know a passenger from a non-passenger - both are simply humans inside the system's scanning field. The spec does not state how the system is switched between modes.

Another document obtained by EPIC says one system, identified by the government, can record images for training purposes. This capability is configurable at a superuser level and will be disabled in operational systems.

So that leaves us with full body scanners that can capture strip search scanned images of people when in test mode and export them either by USB or TCP/IP transfers (which are subject to certain security restrictions), and at least one system that can store scanned images.

That leaves privacy campaigners salivating at the mouth with the possibilities for information abuse, and the TSA with much egg on its face for issuing misleading statements. ®

Security and trust: The backbone of doing business over the internet

More from The Register

next story
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
JINGS! Microsoft Bing called Scots indyref RIGHT!
Redmond sporran metrics get one in the ten ring
Driving with an Apple Watch could land you with a £100 FINE
Bad news for tech-addicted fanbois behind the wheel
Murdoch to Europe: Inflict MORE PAIN on Google, please
'Platform for piracy' must be punished, or it'll kill us in FIVE YEARS
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
Found inside ISIS terror chap's laptop: CELINE DION tunes
REPORT: Stash of terrorist material found in Syria Dell box
Sony says year's losses will be FOUR TIMES DEEPER than thought
Losses of more than $2 BILLION loom over troubled Japanese corp
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.