Focusing public attention on emerging privacy and civil liberties issues

EPIC v. DHS - Body Scanner FOIA Appeal

Litigating the Interpretation of the Freedom of Information Act

Top News

  • Senate to Hold Homeland Security Oversight Hearing: The Senate Judiciary Committee will hold an oversight hearing for the Department of Homeland Security. Secretary Jeh Johnson will testify. EPIC has objected to many of the agency's mass surveillance practices, including the secret profiling of American air travelers, the use of drones for aerial surveillance, the amassing of information on Americans into "fusion centers", and the collection of biometric identifiers. EPIC has also warned that the DHS Chief Privacy Officer has failed to safeguard privacy, a legal obligation for that office. According to the DHS, the number of privacy complaints increased in 2013. EPIC has several Freedom of Information Act case pending against the DHS. In an earlier case, EPIC determined the DHS was monitoring social media and news organizations for criticisms of the agency. Another EPIC case led to the removal of the x-ray backscatter devices from US airports. For more information, see EPIC v. DHS - Social Media Monitoring and EPIC v. DHS (Suspension of Body Scanner Program). (Jun. 10, 2014)
  • DHS Open Government Report Reveals Increased Backlog and Use of Law Enforcement Exemptions: The Department of Homeland Security has released the 2013 Freedom of Information Act Report detailing the agencies attempts to comply with the federal open government law. The FOIA requires each agency to provide the numbers of requests received and processed, the time taken to respond, the outcome of each request, and other statistics. In 2013, the DHS reported a significant increase in its FOIA backlog, which rose from 28,553 unanswered requests in 2012 to 53,598 unanswered requests in 2013. Of the nine exemptions that an agency can invoke to withhold documents, DHS relied most heavily on exemption 7(C) (law enforcement records that if released would constitute an invasion of personal privacy) and 7(E) (law enforcement records that if released would disclose law enforcement techniques or procedures, which is significant because the DHS is not a law enforcement agency. DHS reported granting about 7% of requests for expedited processing. EPIC has prevailed in several FOIA lawsuits against DHS, and has also worked to reform the agency's FOIA processing practices for other requesters. For more information, see EPIC v. DHS - Body Scanner FOIA Appeal, EPIC v. DHS - Social Media Monitoring, and EPIC v. DHS - SOP 303. (Feb. 21, 2014)
  • DHS Appeals Ruling in EPIC's "Internet" Kill Switch Case: The Department of Homeland Security has appealed a ruling for EPIC in a Freedom of Information Case involving Standard Operating Procedure 303, a protocol which describes the government's plan for deactivating wireless communications networks. Seeking information about the First Amendment and public safety implications of the protocol, EPIC filed a FOIA lawsuit against the agency. A federal court ruled that the protocol could not be withheld under the FOIA because it was not an investigative technique and DHS had not established that releasing the document would cause harm to any individual. Therefore, the court concluded, the documents EPIC sought should be turned over. The Department of Justice has now appealed that decision to the D.C. Circuit Court of Appeals. For more information, see EPIC: EPIC v. DHS (SOP 303) and EPIC: FOIA. (Jan. 13, 2014)
  • EPIC Settles FOIA Case, Obtains Body Scanner Radiation Fact Sheets: EPIC has received the documents that were the subject of EPIC's Freedom of Information Act appeal to the D.C. Circuit in EPIC v. DHS (Body Scanner FOIA Appeal). The agency had previously withheld test results, fact sheets, and estimates regarding the radiation risks of body scanners used to screen passengers at airports. EPIC challenged the lower court's determination that the factual material was "deliberative" and therefore exempt from the FOIA. After filing an opening brief to the D.C. Circuit, EPIC participated in a new appellate mediation program. As a result of the mediation, EPIC obtained not only the records sought, but also attorneys' fees. The fact sheets show that the agency did not perform a "quantitative analysis" of risks and benefits before implementing the body scanner program. EPIC addressed that concern in the 2011 lawsuit EPIC v. DHS (Suspension of Body Scanner Program). That EPIC case also had a favorable outcome, and ultimately resulted in the removal of backscatter x-ray scanners from US airports. For more information, see EPIC v. DHS - Body Scanner FOIA Appeal and EPIC v. DHS - Suspension of Body Scanner Program. (Jan. 10, 2014)
  • Federal Court Awards EPIC $30,000 in Social Media Monitoring Case: EPIC has prevailed in a fee dispute with the Department of Homeland Security in an open government case concerning the government’s monitoring of social media. EPIC filed a FOIA request after the agency announced plans to gather information from "online forums, blogs, public websites, and message boards." After the DHS refused to produce documents, EPIC filed suit and obtained more than 500 pages describing the agency program. When the agency subsequently moved to dismiss the case, a federal judge ruled that EPIC had "substantially prevailed." And when the DHS sought to give EPIC a token amount in settlement, the court had harsh words for the agency. The court described EPIC's work in the case as "the sort of public benefit that FOIA was designed to promote." The case is EPIC v. DHS, No. 11-2261 (D.D.C. Nov. 15, 2013). For more information, see EPIC v. DHS: Social Media Monitoring. (Nov. 20, 2013)
  • EPIC Prevails in FOIA Case About "Internet Kill Switch": In a Freedom of Information Act case brought by EPIC against the Department of Homeland Security, a federal court has ruled that the DHS may not withhold the agency's plan to deactivate wireless communications networks in a crisis. EPIC had sought "Standard Operating Procedure 303," also known as the "internet Kill Switch," to determine whether the agency's plan could adversely impact free speech or public safety. EPIC filed the FOIA lawsuit in 2012 after the the technique was used by police in San Francisco to shut down cell service for protesters at a BART station, who had gathered peacefully to object to police practices. The federal court determined that the agency wrongly claimed that it could withhold SOP 303 as a "technique for law enforcement investigations or prosecutions." The phrase, the court explained, "refers only to acts by law enforcement after or during the prevention of a crime, not crime prevention techniques." The court repeatedly emphasized that FOIA exemptions are to be read narrowly. For more information, see EPIC: EPIC v. DHS (SOP 303) and EPIC: FOIA. (Nov. 12, 2013)
  • EPIC Obtains Information About Government-Corporate Cybersecurity Practices: As a result of a Freedom of Information Act lawsuit against the Department of Homeland Security, EPIC has obtained documents which reveal that the Department of Defense required companies to disclose information about Internet traffic on private networks. These documents contradict Homeland Security’s assertions that companies participating in a DOD pilot project would not be compelled to transmit information to federal agencies. The documents obtained by EPIC under the FOIA also indicate that the National Security Agency, a branch of the Department of Defense, is engaging in offensive cybersecurity measures. A statement to the Senate, EPIC warned that the National Security Agency has become a "black box" for public information about cybersecurity. For more information, see EPIC v. DHS: Defense Contractor Monitoring. (Nov. 1, 2013)
  • Open Government Organizations Support EPIC's FOIA Appeal: Citizens for Responsibility and Ethics in Washington (CREW) has filed a "friend of the court" brief in EPIC v. DHS, a challenge to the secrecy of government documents now pending before the D.C. Circuit Court of Appeals. EPIC's is appealing a District Court decision which allowed two federal agencies to withhold factual documents, including test results, about airport body scanners. In the brief, CREW explains that "accepting the District Court's analysis would threaten the integrity of the decision making process and undermine the goals of the FOIA." Several other open government groups joined the CREW amicus brief, including the ACLU, EFF, and the OpenTheGovernment coalition. EPIC filed the opening brief in early October. The government is expected to file an opposition brief at the beginning of November. For more information, see EPIC v. DHS - Body Scanner FOIA Appeal. (Oct. 15, 2013)
  • EPIC Appeals Secrecy of Body Scanner Radiation Documents: EPIC has challenged a District Court decision which allowed two federal agencies to withhold documents about airport body scanners, including test results, fact sheets, and estimates regarding radiation risks. In the opening brief to the DC Circuit Court of Appeals, EPIC argues that federal agencies may not withhold factual information under the "deliberative process privilege" in the Freedom of Information Act. EPIC said that under "under the standard adopted by the lower court, not only would the judgement of agency officials be exempt, but so too would reports or studies of any significance." For more information, see EPIC: DHS Body Scanner FOIA Appeal, EPIC v. DHS and EPIC v. TSA. (Oct. 3, 2013)
  • TSA Conducts Warrantless Searches Outside of Airports: The Transportation Security Administration has expanded its Visible Intermodal Prevention and Response (VIPR) program to perform warrantless searches at various locations, including festivals, sporting events, and bus stations. The VIPR program uses "risk-based" profiling and "behavior detection" to search and detain individuals. Members of Congress have opposed these searches, and the GAO has questioned the validity of TSA's behavior detection and dispelled behavior detection effectiveness. Last year, EPIC prevailed in a lawsuit against the TSA that revealed the agency's plan to deploy body scanners outside of the airport at bus stations, train stations, and elsewhere. For more information, see EPIC: EPIC v. DHS (Mobile Body Scanners FOIA Lawsuit). (Aug. 8, 2013)

Factual Background on Airport Body Scanners

In February 2007, the Transportation Security Administration ("TSA"), a component of the U.S. Department of Homeland Security ("DHS"), began testing full body scanners - also called “whole body imaging,” and "advanced imaging technology" - to screen air travelers. Full body scanners produce detailed, three-dimensional images of individuals. Security experts have described full body scanners as the equivalent of "a physically invasive strip-search."

TSA is using full body scanner systems at airport security checkpoints, screening passengers before they board flights. The agency provided various assurances regarding its use of full body scanners. TSA stated that full body scanners would not be mandatory for passengers and that images produced by the machines would not be stored, transmitted, or printed. A previous EPIC FOIA lawsuit against DHS revealed that TSA’s body scanner images can be stored and transmitted.

On February 18, 2009, TSA announced that it would require passengers at six airports to submit to full body scanners in place of the standard metal detector search, which contravenes its earlier statements that full body scanners would not be mandatory. On April 6, 2009, TSA announced its plans to expand the mandatory use of full body scanners to all airports. TSA renewed its call for mandatory body scans for all air travelers in the wake of the attempted bombing of Northwest Flight 253, which traveled from Amsterdam to Detroit on December 25, 2009.

Since June 2009, the TSA has installed hundreds of additional full body scanners in American airports. On July 2, 2010, EPIC filed suit in the U.S. Court of Appeals for the D.C. Circuit to suspend the TSA’s full body scanner program. The Court ruled that the TSA can only use the body scanners so long as passengers are allowed to "opt-out" and receive another form of screening. In addition, the Court ordered the agency to issue formal regulations on the use of the devices. The TSA did not issue a proposed rule until early 2013, and subsequently solicited public comment. The comments have been overwhelmingly opposed to the body scanner program.

Health Risks from Body Scanner Radiation Unknown

Experts have questioned the safety of full body scanners and noted that radiation exposure from devices like full body scanner increases individuals’ cancer risk. No independent study has been conducted on the health risks of full body scanners.

In April 2010, scientists at the University of California - San Francisco wrote to President Obama, calling for an independent review of the full body scanners’ radiation risks. The experts noted that children, pregnant women, and the elderly are especially at risk “from the mutagenic effects of the [body scanners’] X-rays.” Dr. David Brenner, director of Columbia University's Center for Radiological Research and a professor of radiation biophysics, has warned “it's very likely that some number of [air travelers] will develop cancer from the radiation from these scanners.” Peter Rez, a professor of physics at Arizona State University, has identified cancer risks to air travelers arising from improper maintenance and flawed operation of the TSA’s full body scanners. Other scientists and radiology experts have also identified serious health risks associated with the full body scanner program, including increased cancer risk to American travelers.

Automated Target Recognition ("ATR") Software

The manufacturers of body scanners have developed "Automated Target Recognition" ("ATR") software that allows TSA agents viewing the whole-body images to see only a generic human image instead of an image of a traveler's naked body. The software is actually designed to detect "anomalies" on travelers' bodies, and the TSA asserts that this will automatically detect threatening objects travelers are concealing. When an anomaly is detected somewhere on a body, that area is highlighted in red on the displayed generic image. TSA employees are directed to further screen the areas on passengers where anomalies are detected, including an enhanced pat down. If the machine does not detect any threatening objects, instead of displaying an image it will merely display a green "OK."

The TSA began testing the software in airports in February 2011, and has announced that it will be installing this software on all of its millimeter wave body scanners nationwide. Images are displayed alongside the body scanning machines, and passengers are able to view the same image as TSA employees monitoring them.

The TSA believes that ATR modifications will mitigate travelers' privacy concerns. However, it remains unclear whether body scanners using the ATR software will retain, store, or transfer the underlying raw naked images that are captured before they are analyzed and used to display a generic figure. EPIC seeks to determine how ATR software handles naked images of travelers, and how ATR software really impacts traveler privacy.

EPIC's Freedom of Information Act Requests

Body Scanner Radiation Request

On July 13, 2010, EPIC filed a Freedom of Information Act ("FOIA") request with the Department of Homeland Security ("DHS") seeking agency records related to radiation emissions from the machines used at airport security checkpoints. In particular, EPIC requested:

  1. All records concerning TSA tests regarding body scanners and radiation emission or exposure; and
  2. All records concerning third party tests regarding body scanners and radiation emission or exposure.

DHS acknowledged receipt of EPIC's FOIA request, but failed to disclose any documents. On November 19, 2010, EPIC sued DHS to force disclosure of the body scanner radiation documents. The suit challenged DHS's failure to disclose public records and failure to comply with the Freedom of Information Act. On the heels of EPIC's lawsuit, DHS disclosed key documents, including test results that indicated full body scanners could be emitting more radiation than the TSA claims. But DHS failed to produce all records demanded in EPIC's FOIA request.

Automated Target Recognition Software Requests

In June 2010 and October 2010, EPIC also filed two FOIA requests with the Transportation Security Administration seeking other body scanner records. EPIC sought documents related to the Automated Target Recognition ("ATR") software used by the machines. ATR software analyzes the images produced by the body scanners and identifies "anomalies" that it deems to be "potential threats." If an "anomaly" is found, it triggers additional screening and invasive pat downs by TSA agents. EPIC sought documents that would illuminate how the software works so that its privacy risks could be better understood and managed. DHS Secretary Janet Napolitano previously submitted some of this information in a letter to Senator Susan Collins. In particular, EPIC first requested:

  1. All specifications provided by TSA to automated target recognition manufacturers concerning automated target recognition systems.
  2. All records concerning the capabilities, operational effectiveness, or suitability of automated target recognition systems, as described in Secretary Napolitano's letter to Senator Collins.
  3. All records provided to TSA from the Dutch government concerning automated target recognition systems deployed in Schiphol Airport, as described by Secretary Napolitano's letter to Senator Collins.
  4. All records evaluating the [body scanner] program and determining automated target recognition requirements for nationwide deployment, as described in Secretary Napolitano's letter to Senator Collins.

EPIC's second FOIA request asked for other ATR-related documents from DHS:

  1. All records provided from L3 Communications or Rapiscan in support of the submission or certification of ATR software modifications;
  2. All contracts, contract amendments, or statements of work related to the submission or certification of ATR software modifications;
  3. All information, including results, of government testing of ATR technology, as referenced by Greg Soule of the TSA in an e-mail to Bloomberg News, published September 8, 2010.

Litigation in the U.S. District Court for the District of Columbia

DHS and TSA failed to fully respond to EPIC's FOIA requests. The agencies withheld documents and, when they did release some documents, asserted exemptions in an overbroad manner.

In November 2010, EPIC filed a lawsuit in the U.S. District Court for the District of Columbia against the Department of Homeland Security, for the agency's failure to respond to EPIC's FOIA request for radiation emissions documents. In February 2011, EPIC filed a similar FOIA lawsuit in the same court against the TSA, for failure to disclose documents related to ATR software.

Judge Royce Lamberth, presiding over both lawsuits, ordered the agencies to disclose some documents to EPIC that had previously been withheld. But the Court allowed some other documents to be withheld under the "deliberative process privilege" exemption to the FOIA. This exemption states that agencies may withhold materials that are "deliberative and predecisional" in nature, so as to protect the decision-making process by allowing agency officials to speak candidly. However, entire documents cannot be withheld simply because part of them are deliberative. Rather, the non-deliberative and deliberative materials must be separated and all non-deliberative materials must be disclosed unless they are "inextricably intertwined" with deliberative materials.

The Court, finding that some of the documents contained non-deliberative factual materials, nonetheless allowed the materials to be withheld in their entiretybecause the documents containing them, as a whole, were deliberative. EPIC objected to this incorrect interpretation of established legal precedent and filed an appeal in these cases to the D.C. Circuit Court of Appeals.

Litigation in the Court of Appeals for the D.C. Circuit

On April 16, 2013, EPIC appealed these decisions to the Court of Appeals for the D.C. Circuit. EPIC presented the following issue to be determined by the Court:

  • "Whether the District Court erred in failing to apply this Circuit's 'inextricably intertwined test before determining that records containing non-deliberative, factual materials may properly be withheld in their entirety under Exemption 5 of the Freedom of Information Act ("FOIA")."

EPIC also filed a motion to consolidate the two appeals into one case, because they present substantially similar legal issues. Citizens for Responsibility and Ethics in Washington ("CREW") will be filing an amicus brief supporting EPIC's position.

Legal Documents

District Court Documents

Court of Appeals Documents

Disclosed Documents

Resources

Pages

News Reports