Focusing public attention on emerging privacy and civil liberties issues

EPIC v. DHS (Suspension of Body Scanner Program)

Body Scanner Incident Reports


EPIC has obtained a court order requiring the Department of Homeland Security to undertake a public notice on and comment rulemaking. On July 2, 2010, EPIC petitioned the D.C. Circuit Court of Appeals to suspend the body scanner program, stressing its core assertion that "the TSA has acted outside of its regulatory authority and with profound disregard for the statutory and constitutional rights of air travelers." EPIC asserted that the federal agency's controversial program violated the Administrative Procedures Act, the Privacy Act, the Religious Freedom Restoration Act, the Video Voyeurism Prevention Act, and the Fourth Amendment. On July 15, 2011, the D.C. Circuit Court of Appeals ruled that the agency had violated the Administrative Procedures Act by implementing body scanners as a primary screening method without first undertaking public notice and comment rulemaking. The Court ordered the agency to "promptly" undertake the proper rulemaking procedures and allow the public to comment on the body scanner program. To date, the agency has made no visible progress toward complying with the Court's order.

Top News

  • Post-Snowden, Social Media Users Concerned About Access to Personal Data: According to the Pew Research Report "Public Perceptions of Privacy and Security in the Post-Snowden Era," most users of social media are very concerned about businesses and government accessing their personal data. 80% of adults "agree" or "strongly agree" that Americans should be concerned about the government's monitoring of phone calls and internet communications. 64% believe there should be more regulation of advertisers. Almost all users rank their social security number as the most sensitive piece of personal data. EPIC has asked the House Committee on Homeland Security to suspend a DHS program that is monitoring social networks and media organizations. EPIC has recommended that the FTC to establish privacy protections for online advertising. EPIC has also urged the US Congress over many years to limit the use of the Social Security Number for commercial purposes. For more information, see EPIC: Public Opinion on Privacy, EPIC: Facebook Privacy, EPIC: Social Media Monitoring, and EPIC: Social Security Numbers. (Nov. 13, 2014)
  • Department of Homeland Security Releases 2014 Privacy Report: The Department of Homeland Security released the 2014 Privacy Office Annual Report to Congress. The report describes a joint review conducted with the European Commission regarding the transfer of EU Passenger Name Records to the US. The European Commission found the redress mechanisms were lacking for passengers denied boarding. The Commission also found that DHS would often review passenger records without a legal reason. The Annual Report describes the sixth Compliance Review of the department’s social media monitoring program. The review found that the DHS began collecting GPS and geo-location of Internet users without assessing or mitigating the privacy risks. In 2012, EPIC obtained FOIA documents revealing that the Department of Homeland Security monitored social media for political dissent. For more information, see EPIC: EU-US Airline Passenger Data Disclosure and EPIC: EPIC v. DHS - media monitoring. (Oct. 2, 2014)
  • Pew Survey: Users Online Self-Censor Discussion of Government Surveillance: According to the Pew Research Report "Social Media and the 'Spiral of Silence,'" most users of social media are afraid to talk about government surveillance on Facebook, Twitter, and other social platforms. Users were more willing to share their views on government surveillance if they thought others shared the same view. Those who thought they held minority views were more likely to self-censor—an effect known as the "spiral of silence." In 2012, EPIC obtained FOIA documents revealing that the Department of Homeland Security monitored social media for political dissent. A subsequent Congressional hearing led the DHS to cancel the program. For more information, see EPIC v. DHS: Media Monitoring and EPIC: Public Opinion on Privacy. (Sep. 9, 2014)
  • Security Experts: EPIC Correct About Body Scanners-Invasive and Ineffective: The first independent analysis of backscatter x-ray body scanners corroborate the claims EPIC and others have made for several years: The scanners are invasive and ineffective. In a detailed report published in 2005, EPIC warned that the x-ray body scanners amounted to a virtual strip search and were an ineffective means of airport security. Freedom of Information Act documents later obtained by EPIC revealed that TSA could disable the body scanner's privacy settings, the nude images could be stored on the machines, and the scanners ran on a standard operating system making them vulnerable to outside security threats. EPIC and a coalition of civil liberties organizations then petitioned DHS Secretary Napolitano to suspend the program. When the DHS failed to do so, EPIC sued the agency. The D.C. Circuit Court of Appeals ruled in EPIC v. DHS that the agency must begin a public rule making. The backscatter X-ray scanners were subsequently removed from US airports. For more information, see EPIC: EPIC v. DHS (Suspension of Body Scanner Program) and EPIC: Whole Body Imaging Technology. (Aug. 22, 2014)
  • Congress Investigates Airline Privacy Practices: Senator John Rockefeller (D-WV) is currently seeking information from ten U.S. airlines concerning how airlines safeguard consumer traveler data. Senator Rockefeller has requested information regarding: (1) the type of information airlines collect; (2) airlines' data retention periods; (3) airline privacy and security safeguards governing consumer information; (4) whether consumers may access and amend their information; (5) whether airlines sell or disclose consumer information and if so, to whom do they disclose the consumer data; and (6) how airlines inform consumers about airline privacy policies governing consumer information. EPIC routinely urges the Department of Homeland Security to provide privacy protections for air travelers and end the agency's secret "risk-based" passenger profiling. For more information, see EPIC: Air Travel Privacy, EPIC: Passenger Profiling, EPIC: Secure Flight, and EPIC: EPIC v. DHS (Suspension of Body Scanner Program). (Aug. 20, 2014)
  • EPIC Defends FOIA Victory in Federal Appeals Court: EPIC has filed a brief in response to an appeal by the Department of Justice in EPIC v. DHS, concerning the government policy to disrupt cellular networks. EPIC won a major FOIA victory when a federal district court ruled that the DHS could not withhold "SOP 303," a government procedure to shut down cellular phone service. EPIC sought the policy after authorities shut down cell phone service at a peaceful protest in San Francisco. The government argued it did not need to release the document to EPIC because it was a "law enforcement technique" and because it would endanger the physical safety of an individual. The federal court rejected those arguments and ordered that the document be disclosed to EPIC, pending a decision on the appeal. For more details, see EPIC v. DHS—SOP 303. (Jul. 8, 2014)
  • Senate to Hold Homeland Security Oversight Hearing: The Senate Judiciary Committee will hold an oversight hearing for the Department of Homeland Security. Secretary Jeh Johnson will testify. EPIC has objected to many of the agency's mass surveillance practices, including the secret profiling of American air travelers, the use of drones for aerial surveillance, the amassing of information on Americans into "fusion centers", and the collection of biometric identifiers. EPIC has also warned that the DHS Chief Privacy Officer has failed to safeguard privacy, a legal obligation for that office. According to the DHS, the number of privacy complaints increased in 2013. EPIC has several Freedom of Information Act case pending against the DHS. In an earlier case, EPIC determined the DHS was monitoring social media and news organizations for criticisms of the agency. Another EPIC case led to the removal of the x-ray backscatter devices from US airports. For more information, see EPIC v. DHS - Social Media Monitoring and EPIC v. DHS (Suspension of Body Scanner Program). (Jun. 10, 2014)
  • DHS Open Government Report Reveals Increased Backlog and Use of Law Enforcement Exemptions: The Department of Homeland Security has released the 2013 Freedom of Information Act Report detailing the agencies attempts to comply with the federal open government law. The FOIA requires each agency to provide the numbers of requests received and processed, the time taken to respond, the outcome of each request, and other statistics. In 2013, the DHS reported a significant increase in its FOIA backlog, which rose from 28,553 unanswered requests in 2012 to 53,598 unanswered requests in 2013. Of the nine exemptions that an agency can invoke to withhold documents, DHS relied most heavily on exemption 7(C) (law enforcement records that if released would constitute an invasion of personal privacy) and 7(E) (law enforcement records that if released would disclose law enforcement techniques or procedures, which is significant because the DHS is not a law enforcement agency. DHS reported granting about 7% of requests for expedited processing. EPIC has prevailed in several FOIA lawsuits against DHS, and has also worked to reform the agency's FOIA processing practices for other requesters. For more information, see EPIC v. DHS - Body Scanner FOIA Appeal, EPIC v. DHS - Social Media Monitoring, and EPIC v. DHS - SOP 303. (Feb. 21, 2014)
  • DHS Appeals Ruling in EPIC's "Internet" Kill Switch Case: The Department of Homeland Security has appealed a ruling for EPIC in a Freedom of Information Case involving Standard Operating Procedure 303, a protocol which describes the government's plan for deactivating wireless communications networks. Seeking information about the First Amendment and public safety implications of the protocol, EPIC filed a FOIA lawsuit against the agency. A federal court ruled that the protocol could not be withheld under the FOIA because it was not an investigative technique and DHS had not established that releasing the document would cause harm to any individual. Therefore, the court concluded, the documents EPIC sought should be turned over. The Department of Justice has now appealed that decision to the D.C. Circuit Court of Appeals. For more information, see EPIC: EPIC v. DHS (SOP 303) and EPIC: FOIA. (Jan. 13, 2014)
  • EPIC Settles FOIA Case, Obtains Body Scanner Radiation Fact Sheets: EPIC has received the documents that were the subject of EPIC's Freedom of Information Act appeal to the D.C. Circuit in EPIC v. DHS (Body Scanner FOIA Appeal). The agency had previously withheld test results, fact sheets, and estimates regarding the radiation risks of body scanners used to screen passengers at airports. EPIC challenged the lower court's determination that the factual material was "deliberative" and therefore exempt from the FOIA. After filing an opening brief to the D.C. Circuit, EPIC participated in a new appellate mediation program. As a result of the mediation, EPIC obtained not only the records sought, but also attorneys' fees. The fact sheets show that the agency did not perform a "quantitative analysis" of risks and benefits before implementing the body scanner program. EPIC addressed that concern in the 2011 lawsuit EPIC v. DHS (Suspension of Body Scanner Program). That EPIC case also had a favorable outcome, and ultimately resulted in the removal of backscatter x-ray scanners from US airports. For more information, see EPIC v. DHS - Body Scanner FOIA Appeal and EPIC v. DHS - Suspension of Body Scanner Program. (Jan. 10, 2014)


In 2005, the Transportation Security Administration ("TSA), a component of the US Department of Homeland Security ("DHS"), began testing passenger imaging technology - called “whole body imaging,” "body scanners," "full body scanners," and "advanced imaging technology" - to screen air travelers. Body scanners produce detailed, three-dimensional images of individuals. Security experts have described whole body scanners as the equivalent of "a physically invasive strip-search." The agency operates the body scanner devices at airports throughout the United States.

As part of a Freedom of Information Act lawsuit, EPIC obtained documents which establish that the TSA required the machines to be capable of storing, recording, and transferring detailed images of naked air travelers. EPIC also obtained hundreds of pages of traveler complaints, which described the invasive program and the lack of proper signage and information regarding the machines. The complaints establish that the body scanners are effectively mandatory, because the agency routinely denies air travelers alternative screening opportunities.

The images captured by body scanner devices can uniquely identify individual air travelers. The TSA uses body scanners to search air travelers as they pass through the TSA’s airport security checkpoints. The TSA recently established body scanners as primary screening.

EPIC's Lawsuit

On July 2, 2010, EPIC sued in the District of Columbia Circuit Court of Appeals to challenge the TSA's unilateral decision to make body scanners the primary screening technique in U.S. airports. Three frequent air travelers joined EPIC in the lawsuit: security expert Bruce Schneier, human rights activist Chip Pitts, and the Council on American-Islamic Relations Legal Counsel Nadhira Al-Khalili. The Petitioners brought claims under the Administrative Procedure Act, the Privacy Act, the Video Voyeurism Prevention Act, the Religious Freedom Restoration Act, and the Fourth Amendment. EPIC sought the suspension of the body scanner program, pending independent review and public notice and comment rulemaking.

Procedural History

EPIC petitioned the D.C. Circuit Court of Appeals for review of three DHS actions— one failure to act, one agency Order, and one agency Rule—of the TSA, a DHS component. The Petitioners filed a motion for emergency stay, urging the Court to shut down the program as soon as possible in order to prevent irreparable harm to American travelers. On July 15, 2010, the federal agency opposed the motion. On July 20, 2010, EPIC filed a reply to the opposition. On September 1, 2010, the Court ordered the motion be denied, and set out the briefing schedule.

On November 1, 2010, EPIC filed its opening brief, arguing that the DHS "has initiated the most sweeping, the most invasive, and the most unaccountable suspicionless search of American travelers in history." EPIC further argued that the TSA "must comply with relevant law, and it must not be permitted to engage in such a fundamental change in agency practice without providing the public the opportunity to express its views."

On November 5, 2010, the Department of Homeland Security moved to exclude religious objector Nadhira Al-Khalili from the lawsuit. Ms. Al-Khalili is Legal Counsel for the Council on American Islamic Relations, one of the organizations that supported EPIC's petition, which is the basis for the challenge to the body scanner program. Ms. Al-Khalili's claims are based on the Religious Freedom Restoration Act and Islamic modesty requirements. EPIC opposed the government's motion and stated that the agency is "simply afraid to have the Religious Freedom Restoration Act claims heard by this Court." EPIC further argued that "Respondents hope by seeking to exclude Ms. Al- Khalili . . . they will avoid judicial scrutiny of an agency practice that substantially burdens the free exercise of religion in violation of federal law."

On December 23, 2010, Respondent DHS filed its answer brief, again urging the Court to exclude Nadhira al-Khalili as a religious objector in the suit. Respondents also asserted that the body scanner program was not substantial enough of a change in agency policy to constitute a "rule" under the Administrative Procedures Act. EPIC has previously argued that the body scanner program is "the single most significant change in air traveler screening in the United States since the creation of the agency," adding that the agency has considered far less significant changes to be rules, including policies relating to butane lighters and transportation worker identity documents.

On January 6, 2011, EPIC filed a reply brief, arguing that "the TSA has acted outside of its regulatory authority and with profound disregard for the statutory and constitutional rights of air travelers, the agency’s rule should be set aside and further deployment of the body scanners should be suspended." On the same day, EPIC hosted a one-day public conference "The Stripping of Freedom: A Careful Scan of TSA Security Procedures" in Washington, DC. Oral Argument in the case is scheduled for March 10, 2011.

EPIC's Legal Arguments

In EPIC v. DHS, No. 10-1157, Petitioners argued that DHS violated the Administrative Procedure Act when it failed to act on EPIC's May 31, 2009 petition to the agency and when it refused to process of EPIC’s April 21, 2010 petition. The Administrative Procedure Act states that each agency shall give an interested person the right to petition for the issuance, amendment, or repeal of a rule. Courts have found that petitioning parties are entitled to a response on the merits.

EPIC also argued that the DHS Privacy Office failed to comply with its statutory mandate to protect travelers’ privacy. The DHS Chief Privacy Office prepared an inadequate Privacy Impact Assessment of the TSA’s body scanner test program that failed to identify numerous privacy risks to air travelers. Also, the DHS Chief Privacy Office failed to prepare any Privacy Impact Assessment concerning the TSA’s current body scanner program. The TSA’s current body scanner program is materially different from the TSA’s body scanner test program. The program erodes, and does not sustain, privacy protections relating to the use, collection, and disclosure of air traveler’s personal information.

EPIC asserted that the body scanner program violates travelers' Fourth Amendment rights. Courts have required that airport security searches be minimally intrusive, well-tailored to protect personal privacy, and neither more extensive nor more intensive than necessary under the circumstances to rule out the presence of weapons or explosives. Searches are reasonable if they escalate in invasiveness only after a lower level of screening discloses a reason to conduct a more probing search. EPIC argues that the TSA’s body scanner program fails to meet these standards because the TSA subjects all air travelers to the most extensive, invasive search available at the outset. EPIC asserts that the TSA searches are also far more invasive than necessary to detect weapons. Alternative technologies, including passive millimeter wave scanners and automated threat detection, detect weapons with a less invasive search.

EPIC argued that the TSA’s body scanner program violates the Privacy Act because it creates a system of records containing air travelers’ personally identifiable information. The system of records is under the control of the TSA, and the TSA can retrieve information about air travelers by name or by some identifying number, symbol, or other identifying particular assigned to the individual. However, EPIC argued, the TSA failed to publish a “system of records notice” in the Federal Register, and otherwise failed to comply with its Privacy Act obligations.

EPIC asserted that the TSA’s body scanner program violates the Religious Freedom Restoration Act, which bars the government from placing a substantial burden on a person's exercise of religion even if the burden arises from a rule of general applicability unless the government demonstrates a compelling governmental interest, and uses the least restrictive means of furthering that interest. The TSA's use of body scanners violates the RFRA because the capture and transmission of naked images of individuals offends the sincerely held beliefs of Muslims and other religious groups. Muslims believe in maintaining modesty and covering their bodies. Body scanners enable the capture and viewing of naked human images that violates this belief and denies observant Muslims the opportunity to travel by plane in the United States as others are able to do.

Lastly, EPIC argued that the TSA's body scanners violate the Video Voyeurism Prevention Act of 2004, which specifically prohibits the intentional “capture [of] an image of a private area of an individual without their consent . . . under circumstances in which the individual has a reasonable expectation of privacy,” when such circumstances are known. As the documents that EPIC obtained through FOIA litigation demonstrate, the devices are specifically designed to capture such images. Furthermore, as evidenced by the ground swell of grassroots opposition, the public is clearly voicing a reasonable expectation of privacy.

On July 15, 2011, the D.C. Circuit court of appeals ruled that the TSA did, in fact, violate the Administrative Procedure Act when it failed to conduct a public notice and comment rulemaking. The Court ordered the agency to "promptly" undertake a public notice and comment rulemaking.

Because the agency failed to initiate the required notice and comment rulemaking, EPIC twice filed motions asking the Court to enforce it's own order - the first on October 28, 2011 and the second on December 23, 2011. The Court declined these motions. But after a year of agency inaction, on July 17, 2012, EPIC filed a Petition for Writ of Mandamus, asking the Court to enforce its own order and force the agency to initiate the notice and comment rulemaking process within sixty days.

In its Petition for Writ of Mandamus, EPIC cited D.C. Circuit caselaw that shows that a one year delay is unreasonable as a matter of law. EPIC also urged the Court to take into consideration the health risks presented by the machines, which weigh heavily in favor of a transparency rulemaking process which would allow for independent review and democratic process.

Litigation Documents

EPIC v. the Department of Homeland Security, Case No. 10-1157 (D.C. Cir. filed July 2, 2010).

News Stories

Body Scanner Resources