EPIC v. DHS - Body Scanner FOIA Appeal

Litigating the Interpretation of the Freedom of Information Act

Top News

  • DHS Agrees to Release Documents About Election Cybersecurity to EPIC: EPIC and DHS have filed a joint status report in EPIC v. DHS. The federal agency has agreed to reprocess previously withheld documents about election security. EPIC filed a Freedom of Information Act lawsuit in 2017, immediately after the agency's decision to designate election systems as "critical infrastructure." The announcement followed the determination that Russia meddled in the 2016 presidential election. The designation also gave the DHS new responsibilities to help protect state election systems. Over the course of litigation, DHS has provided hundreds of pages to EPIC about the agency's role in election system security. But the agency has also withheld information sought by EPIC, including: (1) documents concerning contacts between DHS and State Election Officials, (2) Election Task Force meeting minutes, (3) documents about risk characterizations and analysis reports on Russian interference; and (4) incident reports and vulnerabilities in election systems. Because the 2020 election is fast approaching, EPIC sought the prompt release of these records so that Congress and the public could assess the effectiveness of the DHS security program. The recent court filing between EPIC and the DHS should move the process forward. The case is EPIC v. DHS, 17-2047 (D.D.C). (Nov. 27, 2019)
  • EPIC Obtains Docs about Critical Infrastructure Designation for Election Systems: In a FOIA lawsuit, EPIC has obtained an original draft of the proposal by former DHS Secretary Jeh Johnson to designate state election systems as critical infrastructure. Released in a set of previously withheld documents, the draft memo states "[g]iven the vital role elections play in this country, certain systems and assets of election infrastructure meet the statutory definition of critical infrastructure in fact and in law." The DHS policy was announced on January 6, 2017, the same day the ODNI found extensive Russian interference in the 2016 Presidential election. EPIC later litigated for the release of the complete ODNI report, which found that Russian intelligence services had "obtained and maintained access to elements of multiple U.S. state or local electoral boards." EPIC also obtained from DHS documents about the background and implementation of the critical infrastructure designation. Other documents released as a result of EPIC's suit show the DHS continued to encourage state efforts in election security by making federal resources available on a voluntary basis. The case is EPIC v. DHS, No. 17-2047. (Nov. 18, 2019)
  • EPIC to TSA: Conduct Rulemaking on Facial Recognition: In comments to inform the Transportation Security Administration's 2020 National Strategy, EPIC recommended that TSA to suspend the facial recognition program at US airports. EPIC wrote, "The TSA's use of facial recognition lacks the safeguards necessary for implementation." EPIC has also warned lawmakers and the DHS about the biometric border program that incorporates deploy facial recognition. EPIC has urged the agency to undertake a notice and comment rule making that would provide the public with the opportunity to comment on the controversial program. EPIC successfully required TSA to conduct a rulemaking on its deployment of airport body scanners in EPIC v. DHS. EPIC also recommended that TSA incorporate the Universal Guidelines for Artificial Intelligence, endorsed by over 300 organizations and experts, for AI-based systems. (Apr. 26, 2019)
  • EPIC FOIA: EPIC Obtains DHS Drone Status Report: Through a Freedom of Information Act lawsuit, EPIC has obtained the DHS drone status report required by a Presidential Memorandum. The 2015 Memorandum required federal agencies to detail drone policies and procedures to protect privacy, civil rights, and civil liberties. The DHS report attempts to justify the use of drones by Customs and Border Protection, but a recent Inspector General report calls into question the CBP's policies and procedures. The Inspector General found that CBP failed to complete a required analysis for a drone surveillance system and failed to implement effective safeguards for information collected by drones. EPIC has called on Congress to "establish drone privacy safeguards that limit the risk of public surveillance." (Apr. 11, 2019)
  • EPIC Files First Lawsuit for Special Counsel Report on Russian Election Interference: EPIC has filed a Freedom of Information Act lawsuit to obtain the final report by Special Counsel Robert Mueller concerning Russian interference in the 2016 U.S. presidential election. Attorney General William Barr notified Congress on Friday that the Special Counsel had delivered the final report. In November 2018, EPIC submitted a detailed Freedom of Information Act request to the Department of Justice seeking records about the investigation. The Special Counsel was authorized to conduct an investigation into Russian interference, including "any links and/or coordination between the Russian government and individuals associated with the campaign of President Donald Trump." Special Counsel Mueller has since brought criminal charges against 34 individuals and three organizations. EPIC, through its Democracy and Cybersecurity Project, has pursued multiple FOIA cases concerning Russian interference with the 2016 election, including EPIC v. FBI (response to Russian cyberattacks), EPIC v. ODNI (Russian hacking), EPIC v. IRS I (release of Trump's tax returns), EPIC v. IRS II (release of Trump's offers-in-compromise), and EPIC v. DHS (election cybersecurity). The case for the release of the Mueller Report is EPIC v. DOJ, No. 19-810 (D.D.C.) [Exhibits]. (Mar. 22, 2019)
  • Senate Reports Detail Russian Russian Interference in 2016 Election: In a pair of reports released this week, the Senate Intelligence Committee provided fresh details on the extent of Russian interference in the 2016 election. Committee Chairman Richard Burr explained: "This newly released data demonstrates how aggressively Russia sought to divide Americans by race, religion and ideology, and how the IRA actively worked to erode trust in our democratic institutions. Most troublingly, it shows that these activities have not stopped." Shortly after the 2016 presidential election, EPIC filed a series of Freedom of Information Act lawsuits to determine the extent of Russian interference: EPIC v. FBI, EPIC v. ODNI, EPIC v. IRS I, and EPIC v. DHS. As EPIC President Marc Rotenberg explained in an op-ed in March 2017: "The public has a right to know the details when a foreign government attempts to influence the outcome of a U.S. presidential election. And the public has a right to know what steps have been taken to prevent future attacks." (Dec. 18, 2018)
  • D.C. Circuit Sets Date for Argument in EPIC v. IRS, FOIA Case for Trump's Tax Returns: The D.C. Circuit has scheduled oral argument in EPIC v. IRS, EPIC's Freedom of Information Act case to obtain public release of President Trump's tax returns. The Court will hear the case on Thursday, September 13, 2018. EPIC has argued that the IRS has the authority to disclose the President's returns to correct numerous misstatements of fact concerning his financial ties to Russia. For example, President Trump tweeted that "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING"—a claim "plainly contradicted by his own attorneys, family members, and business partners." As EPIC told the Court, "there has never been a more compelling FOIA request presented to the IRS." A broad majority of the American public favor the release of the President's tax returns. EPIC v. IRS is one of several FOIA cases EPIC is pursuing concerning Russian interference in the 2016 Presidential election, including EPIC v. FBI (response to Russian cyber attack) and EPIC v. DHS (election cybersecurity). (Jun. 19, 2018)
  • EPIC Sues to Obtain Privacy Impact Assessment for DHS Journalist Database: EPIC has filed a Freedom of Information Act lawsuit to obtain a Privacy Impact Assessment for "Media Monitoring Services," a controversial new database proposed by the Department of Homeland Security. In April, the DHS announced a system to track journalists and "media influencers" and to monitor hundreds of thousands of news outlets and social media accounts. Although the system is designed to monitor journalists, the federal agency failed to conduct a Privacy Impact Assessment as required by law. EPIC submitted a request for Assessment but the agency did not respond. EPIC has successfully obtained several Privacy Impact Assessments, including a related media tracking system (EPIC v. DHS) and for facial recognition technology (EPIC v. FBI). In EPIC v. Presidential Election Commission, EPIC challenged the Commission's failure to publish a Privacy Impact Assessment prior to collection of state voter data. (May. 31, 2018)
  • EPIC, Coalition Oppose State Department's Plan to Collect Social Media Identifiers of Visa Applicants: EPIC, the Brennan Center and 55 privacy, civil liberties, and civil rights organizations submitted comments opposing the State Department's plan to collect social media identifiers from individuals applying for visas. The coalition warned that the proposal would "undermine First Amendment rights of speech, expression, and association." Social media monitoring raises serious privacy and civil liberties issues. EPIC previously opposed the State Department's expansion of social media collection as well as a similar proposal by the Department of Homeland Security. In EPIC v. DHS, a 2011 Freedom of Information Act case, EPIC uncovered the first agency plan to monitor social media. (May. 30, 2018)
  • After EPIC Obtains FBI Victim Notification Procedures, Court Rules for Bureau: After EPIC obtained the FBI cyberattack victim notification procedures in Freedom of Information Act lawsuit EPIC v. FBI, a D.C. federal court has ruled that the agency may withhold remaining records explaining FBI's response to the Russian interference in the 2016 election. EPIC had argued that the FBI had failed to demonstrate that releasing records of the agency's response to cyberattacks would interfere with its investigation of the Russian interference. The "Victim Notification Procedures" obtained by EPIC led to Associated Press investigation which found that the FBI did not follow the Procedures and failed to notify U.S. officials that their email accounts were compromised. EPIC is currently pursuing related FOIA cases about Russian interference in the 2016 election, including EPIC v. IRS (Release of Trump Tax Returns) and EPIC v. DHS (election cybersecurity). (May. 23, 2018)

Factual Background on Airport Body Scanners

In February 2007, the Transportation Security Administration ("TSA"), a component of the U.S. Department of Homeland Security ("DHS"), began testing full body scanners - also called “whole body imaging,” and "advanced imaging technology" - to screen air travelers. Full body scanners produce detailed, three-dimensional images of individuals. Security experts have described full body scanners as the equivalent of "a physically invasive strip-search."

TSA is using full body scanner systems at airport security checkpoints, screening passengers before they board flights. The agency provided various assurances regarding its use of full body scanners. TSA stated that full body scanners would not be mandatory for passengers and that images produced by the machines would not be stored, transmitted, or printed. A previous EPIC FOIA lawsuit against DHS revealed that TSA’s body scanner images can be stored and transmitted.

On February 18, 2009, TSA announced that it would require passengers at six airports to submit to full body scanners in place of the standard metal detector search, which contravenes its earlier statements that full body scanners would not be mandatory. On April 6, 2009, TSA announced its plans to expand the mandatory use of full body scanners to all airports. TSA renewed its call for mandatory body scans for all air travelers in the wake of the attempted bombing of Northwest Flight 253, which traveled from Amsterdam to Detroit on December 25, 2009.

Since June 2009, the TSA has installed hundreds of additional full body scanners in American airports. On July 2, 2010, EPIC filed suit in the U.S. Court of Appeals for the D.C. Circuit to suspend the TSA’s full body scanner program. The Court ruled that the TSA can only use the body scanners so long as passengers are allowed to "opt-out" and receive another form of screening. In addition, the Court ordered the agency to issue formal regulations on the use of the devices. The TSA did not issue a proposed rule until early 2013, and subsequently solicited public comment. The comments have been overwhelmingly opposed to the body scanner program.

Health Risks from Body Scanner Radiation Unknown

Experts have questioned the safety of full body scanners and noted that radiation exposure from devices like full body scanner increases individuals’ cancer risk. No independent study has been conducted on the health risks of full body scanners.

In April 2010, scientists at the University of California - San Francisco wrote to President Obama, calling for an independent review of the full body scanners’ radiation risks. The experts noted that children, pregnant women, and the elderly are especially at risk “from the mutagenic effects of the [body scanners’] X-rays.” Dr. David Brenner, director of Columbia University's Center for Radiological Research and a professor of radiation biophysics, has warned “it's very likely that some number of [air travelers] will develop cancer from the radiation from these scanners.” Peter Rez, a professor of physics at Arizona State University, has identified cancer risks to air travelers arising from improper maintenance and flawed operation of the TSA’s full body scanners. Other scientists and radiology experts have also identified serious health risks associated with the full body scanner program, including increased cancer risk to American travelers.

Automated Target Recognition ("ATR") Software

The manufacturers of body scanners have developed "Automated Target Recognition" ("ATR") software that allows TSA agents viewing the whole-body images to see only a generic human image instead of an image of a traveler's naked body. The software is actually designed to detect "anomalies" on travelers' bodies, and the TSA asserts that this will automatically detect threatening objects travelers are concealing. When an anomaly is detected somewhere on a body, that area is highlighted in red on the displayed generic image. TSA employees are directed to further screen the areas on passengers where anomalies are detected, including an enhanced pat down. If the machine does not detect any threatening objects, instead of displaying an image it will merely display a green "OK."

The TSA began testing the software in airports in February 2011, and has announced that it will be installing this software on all of its millimeter wave body scanners nationwide. Images are displayed alongside the body scanning machines, and passengers are able to view the same image as TSA employees monitoring them.

The TSA believes that ATR modifications will mitigate travelers' privacy concerns. However, it remains unclear whether body scanners using the ATR software will retain, store, or transfer the underlying raw naked images that are captured before they are analyzed and used to display a generic figure. EPIC seeks to determine how ATR software handles naked images of travelers, and how ATR software really impacts traveler privacy.

EPIC's Freedom of Information Act Requests

Body Scanner Radiation Request

On July 13, 2010, EPIC filed a Freedom of Information Act ("FOIA") request with the Department of Homeland Security ("DHS") seeking agency records related to radiation emissions from the machines used at airport security checkpoints. In particular, EPIC requested:

  1. All records concerning TSA tests regarding body scanners and radiation emission or exposure; and
  2. All records concerning third party tests regarding body scanners and radiation emission or exposure.

DHS acknowledged receipt of EPIC's FOIA request, but failed to disclose any documents. On November 19, 2010, EPIC sued DHS to force disclosure of the body scanner radiation documents. The suit challenged DHS's failure to disclose public records and failure to comply with the Freedom of Information Act. On the heels of EPIC's lawsuit, DHS disclosed key documents, including test results that indicated full body scanners could be emitting more radiation than the TSA claims. But DHS failed to produce all records demanded in EPIC's FOIA request.

Automated Target Recognition Software Requests

In June 2010 and October 2010, EPIC also filed two FOIA requests with the Transportation Security Administration seeking other body scanner records. EPIC sought documents related to the Automated Target Recognition ("ATR") software used by the machines. ATR software analyzes the images produced by the body scanners and identifies "anomalies" that it deems to be "potential threats." If an "anomaly" is found, it triggers additional screening and invasive pat downs by TSA agents. EPIC sought documents that would illuminate how the software works so that its privacy risks could be better understood and managed. DHS Secretary Janet Napolitano previously submitted some of this information in a letter to Senator Susan Collins. In particular, EPIC first requested:

  1. All specifications provided by TSA to automated target recognition manufacturers concerning automated target recognition systems.
  2. All records concerning the capabilities, operational effectiveness, or suitability of automated target recognition systems, as described in Secretary Napolitano's letter to Senator Collins.
  3. All records provided to TSA from the Dutch government concerning automated target recognition systems deployed in Schiphol Airport, as described by Secretary Napolitano's letter to Senator Collins.
  4. All records evaluating the [body scanner] program and determining automated target recognition requirements for nationwide deployment, as described in Secretary Napolitano's letter to Senator Collins.

EPIC's second FOIA request asked for other ATR-related documents from DHS:

  1. All records provided from L3 Communications or Rapiscan in support of the submission or certification of ATR software modifications;
  2. All contracts, contract amendments, or statements of work related to the submission or certification of ATR software modifications;
  3. All information, including results, of government testing of ATR technology, as referenced by Greg Soule of the TSA in an e-mail to Bloomberg News, published September 8, 2010.

Litigation in the U.S. District Court for the District of Columbia

DHS and TSA failed to fully respond to EPIC's FOIA requests. The agencies withheld documents and, when they did release some documents, asserted exemptions in an overbroad manner.

In November 2010, EPIC filed a lawsuit in the U.S. District Court for the District of Columbia against the Department of Homeland Security, for the agency's failure to respond to EPIC's FOIA request for radiation emissions documents. In February 2011, EPIC filed a similar FOIA lawsuit in the same court against the TSA, for failure to disclose documents related to ATR software.

Judge Royce Lamberth, presiding over both lawsuits, ordered the agencies to disclose some documents to EPIC that had previously been withheld. But the Court allowed some other documents to be withheld under the "deliberative process privilege" exemption to the FOIA. This exemption states that agencies may withhold materials that are "deliberative and predecisional" in nature, so as to protect the decision-making process by allowing agency officials to speak candidly. However, entire documents cannot be withheld simply because part of them are deliberative. Rather, the non-deliberative and deliberative materials must be separated and all non-deliberative materials must be disclosed unless they are "inextricably intertwined" with deliberative materials.

The Court, finding that some of the documents contained non-deliberative factual materials, nonetheless allowed the materials to be withheld in their entiretybecause the documents containing them, as a whole, were deliberative. EPIC objected to this incorrect interpretation of established legal precedent and filed an appeal in these cases to the D.C. Circuit Court of Appeals.

Litigation in the Court of Appeals for the D.C. Circuit

On April 16, 2013, EPIC appealed these decisions to the Court of Appeals for the D.C. Circuit. EPIC presented the following issue to be determined by the Court:

  • "Whether the District Court erred in failing to apply this Circuit's 'inextricably intertwined test before determining that records containing non-deliberative, factual materials may properly be withheld in their entirety under Exemption 5 of the Freedom of Information Act ("FOIA")."

EPIC also filed a motion to consolidate the two appeals into one case, because they present substantially similar legal issues. Citizens for Responsibility and Ethics in Washington ("CREW") will be filing an amicus brief supporting EPIC's position.

Legal Documents

District Court Documents

Court of Appeals Documents

Disclosed Documents



News Reports

Share this page:

Defend Privacy. Support EPIC.
EPIC Mueller Report book
US Needs a Data Protection Agency