Materialities between security and privacy: A constructivist account of airport security scanners

Introduction

Aviation and airport security are to a significant extent shaped through and within devices. These devices may appear as the rational implementations of self-evident definitions of ‘security’. However, on closer examination, it becomes visible that there is no unequivocal line of causality from any self-evident or universal idea of security to the design of particular security devices. Rather, in the trajectory of the development of a security device and the operational practice surrounding it, generic definitions of security problems are ‘translated’ step by step into concrete policy, technological requirements and specifications, designs of security workflows, and indeed technological configurations. At each step of translation, many sociopolitical and technological factors influence the trajectory and co-produce specific security devices. It is because of these heterogeneous influences on the design process during each of these translations that this heterogeneous engineering process results not only in very specific technological and procedural arrangements – and consequently an equally specific ontology of privacy and security – but also in substantive forms of inequality.

In a general vein, the chief problem for airport security to solve consists of sorting out items that are and items that are not allowed to be brought on board airplanes. In response to hijackings in the early 1970s, X-ray screening of luggage was introduced at US airports as early as in 1973 (Magnet and Rodgers, 2012). Over the years, a practice has unfolded that Rachel Hall (2007) has termed the ‘aesthetics of transparency’: security is uncritically equated with ‘visibility’, which pertains indeed to the items in our bags and suitcases, and ultimately also to the human body itself. Threat likewise becomes equal to concealment. Therefore, ultimately, securitization implies that the concealed internal regions of the body must be rendered visible.

As a proxy for security, transparency works as a double-edged sword. Not only is the passenger placed in a regime of transparency, but the security process itself is also staged as something transparent: since travellers can see the process in operation, they can also see that it imposes the same burden onto each of them – or so the rhetoric runs. No other choice is left than to accept this burden, and if one has nothing to hide, there should be no objection to going through the screening (Hall, 2007, 2011). Thus, transparency and its arguably neutral implementation in technological devices produce the legitimacy of airport screening practices. It should be noted, though, that vast parts of security processes are not transparent to the public at all. And, as we continue to argue, devices in fact hide the heterogeneous causes that determine the final technical design. This is the sheer opposite of transparency.

The sorting of items is importantly performed on – and to some extent even inside – the bodies of passengers. A primary focus of security procedures is on the detection of potentially dangerous items hidden underneath passengers’ clothing. Within the range of solutions seen so far – from metal detection, to pat-downs, to ‘body scanners’ – this article focuses on what is currently seen as the next step in this type of aviation security: the active millimetre-wave scanner (AMS). Our analysis is directed at two particular makes of these scanners, which each represent human bodies as abstract mannequins but differ in terms of the precise ways in which they produce these mannequins, as well as in their use in practice. Our theoretical take will be complemented with empirical observations made in a Dutch international airport.

In this article, we demonstrate how heterogeneous determinants take part in the construction of these AMSs and their installation at international airports in the Netherlands. We dissect the claim that they are simply about ‘security’ or ‘privacy’. Following a sociotechnical approach, we analyse how particular translations of ‘the privacy and security problem’ in civil aviation find their way into these scanners. This analysis is guided by the question, which particular versions of ‘security’, ‘privacy’ and other values are enacted in the sociotechnical practices in which the devices are embedded? That privacy is on the agenda is not only a mere consequence of scanners operating on human bodies. It is also the practical consequence of controversy generated by an earlier version of the AMS. This earlier version generated what were referred to as ‘nude pictures’. Soon after the introduction of these scanners, public indignation appeared over their presumed display of such nude pictures to security staff. In response, the new generation of AMS had to be more protective of travellers’ privacy.

Privacy was said to be incorporated in the design features – a true example of ‘privacy by design’, one might say. But, as our analysis will make clear, it is not that obvious that any simple, generic idea of privacy is unproblematically implemented. We found several other values and goals also shaping the design. In addition to (particular versions of) ‘security’ and ‘privacy’, the scanners incorporate norms concerning acceptable health-risk levels and more mundane considerations such as efficiency (e.g. ‘passenger processing time’) and ‘customer satisfaction’. The AMS thus becomes part of a complex socio-material configuration in which multiple values are realized simultaneously, and in which actors that include not only security officers and passengers but also the very technology of the AMS have to fulfil specific tasks for security to work. ¹ Only in this final enactment can one meaningfully articulate what privacy and security are.

Not only does the practice of airport security scanners incorporate heterogeneous values and interests in the enactment of privacy and security, but the result of this implementation is itself also heterogeneous and ambiguous. In particular, we show that in keeping up the value of privacy, a disproportionate burden is placed on people whose bodies fail to comply with some idea of bodily normality. What de facto counts as ‘normal’ is inscribed in the scanning device and its surrounding practice. The analysis will show that such inequalities become materially inscribed, because the interests of people with ‘non-normal bodies’ are poorly represented in sites where material arrangements are made.

Articulating how values such as security and privacy become inscribed in security devices, as well as how they are themselves co-constructed with those devices, requires that we adopt a twofold focus. On the one hand, we direct our attention to the various ways in which problems of privacy and security are defined, and how these definitions are translated at different stages and different points in the process of technology development (see also Van der Ploeg, 2005). A problem definition does more than simply reveal an actor’s perspective on the problem. It also both shapes and reflects the range and type of possible solutions that are available to the actor. Although this use of problem definitions is related to the rather discursive concept of ‘framing’ (Goffman, 1974; Lakoff, 2004, 2005), we prefer ‘problem definition’, in the material-semiotic sense explained below, because it also directs attention towards non-discursive elements – in particular, situated socio-material or technical ones – within the analysis.

On the other hand, we look at the security devices themselves. In accordance with the conceptualization in the introduction to this special issue, we approach devices as particular units of sociotechnical organization – such as machines, procedures, spatial arrangements, etc. – that engender recognizable effects in the practice of which they form a part. We think of devices as ‘solving’ a particular problem. Thus, devices offer an operationalization of problem definitions at the proper level of analysis. Alternative notions such as ‘technology’ or ‘sociotechnical ensemble’, as used, for example, by Schouten (2014), would insufficiently focus our attention to relevant details of the practice.

To connect problem definitions and devices, we use the notion of translation. This is inspired by the tradition of actor-network theory (Akrich and Latour, 1992; Callon, 1986; Latour, 1987), where it refers to the work it takes to make a particular element – problem, artefact or human actor, etc. – fit a particular programme. In the case of problem definitions informing security devices, these translations merit particular critical attention. We demonstrate in the following that the dominant problem definitions reflect the absence of particular groups, and in the end receive ‘solutions’ by means of devices that fail to serve the interests of those unheard groups.

Our approach takes recent perspectives on the material-discursive side of security (e.g. Aradau, 2010; Schouten, 2014) a step further. Our focus on devices and problem definitions helps articulate how things are ‘made to matter’ or ‘made not to matter’. Technologies and their role of issue formation have been an important theme in the democratization of science and technology (Latour, 2004; Marres, 2007). The current approach shows that issues are sometimes displaced rather than formed. In the early or ‘upstream’ stages of development, the aforementioned ‘aesthetics of transparency’ and a general tendency to secrecy that is characteristic of securitization are dominant (Walters, 2014). As the places in which design and development of security technologies take place are relatively exempt from democratic politics, it is possible that some issues are not attended to. In consequence, they appear in a material and hence more pressing form ‘downstream’ as inscriptions of values into devices, where they are hard to renegotiate and democratize.

For critical security studies to explore and criticize the full provenance of conceptions of privacy and security and the inequalities they engender, attention must be directed at the politics that is conducted in these upstream material negotiations. Where Walters (2014) has shown that it requires technical work to make this politics visible again once it has settled into stable configurations, and where Bellanova and González Fuster (2013) contend that such destabilization is in principle possible, we show that it is actually already in the upstream problem definitions that both the necessity of this work and the limitations to its possibilities are constructed. While more or less generic definitions of privacy and security problems seem to inform the design of technologies, it is in specific translations of these problems into technical requirements, and further translations into working devices in practical configurations, that we are able to glean the eventual enactment of values such as privacy and security.

This article is based on multi-method research. Technical details of the devices, their practical operation and their development were studied through various sources, including academic, professional and broad-audience publications, information available from the websites of AMS vendors, and journalistic and weblog coverage. This research was conducted in parallel with interviews with individuals involved in the development and operation of AMSs (Table 1). The interviews were unstructured in the sense that interviewees were invited to talk freely in response to broad yet topical questions. The aim of the interviews was not to acquire empirical generalizability, but to corroborate and complement the other findings. As all interviewees were deeply involved in the development process, the combination of interviews and other sources may be expected to provide a proper view of what de facto did or did not matter in the development of AMSs. On this empirical base, we performed a material-semiotic analysis to show how both power relations and meaning become inscribed in devices.

OPEN IN VIEWER

Table I.

List of interviews.

1	Physics engineer	June 2012
2	Joint interview: R&D engineer and senior R&D engineer	August 2012
3	Senior governmental security policymaker	August 2012
4	Airport security manager	August 2012
5	Chairman of stoma patients association	October 2012

In the next section, we start from an initial set of definitions of the problem this scanning device is said to solve, and then trace how these definitions evolved and increasingly connected to a range of additional challenges and concerns. In the third section, we focus on the way in which the resulting problem configuration was subsequently translated into a range of technical options and choices. In the fourth section, we articulate how the implementation of these options and choices into actual socio-material arrangements further determines what values such as ‘privacy’ and ‘security’ came to mean in airport security practices. In the fifth section, it will be shown how these values circulate in the practice of operation and further organize relations between persons. Finally, in the concluding sixth section, we reflect on the consequences of this material-semiotic approach.

Challenges for the active millimetre-wave scanner

Airport security measures date back to the 1960s and 1970s, when metal detectors were progressively installed in response to hijackings where guns had been smuggled on board airplanes. More recent events giving rise to a renewed sense of urgency in improving security checks have been identified as the 9/11 attacks in 2001, the failed ‘shoe bombing’ attack in December 2001 and the assault by the ‘underwear bomber’ Umar Farouk Abdulmutallab in 2009. By means of supporting explanation for its statement on the use of security scanners, the European Commission (2011) explicitly recounts the aforementioned events. This historical background was offered as a reason for the need to monitor whether people hide potential weapons underneath their clothing. Because several of these incidents involved non-metallic explosives, it was felt that a more fine-grained detection mechanism was required. In this section, we retrace how this problem definition not only evolved into a compound of privacy and security, but also came to include efficiency, safety and customer-satisfaction issues. In the next section, we discuss how this problem and value configuration translated into a particular range of technical requirements the AMS was to meet.

We maintain a focus on the Netherlands, where airport security policy is largely guided by national law, while additionally being grounded in European law and regulations and other international agreements. This airport security is largely effectuated by private security companies and overseen by the national Military Police. Thus, the question of how to improve security is discussed in a wide range of forums: the national political arena, the European Parliament, national news media, industry and lobby groups, consumer organizations, etc. The International Air Transport Association (IATA) also participates in the process, with its roadmap towards the Checkpoint of the Future (IATA, 2012), of which advanced scanning technologies are an integral part. While the national government issues a licence for particular technologies, it is up to airport management to actually purchase the security devices and implement them in practice.

AMSs use electromagnetic waves in the millimetre spectrum (between 70 and 300 GHz) to detect forbidden items and substances hidden under people’s clothing (interview 1; interview 2). The scanner is said to be ‘active’ because it ‘illuminates’ the passenger with a very small amount of millimetre-wave radiation (Kemp, 2006; May, 2012). Different materials such as human flesh, garments or metals absorb and reflect these waves differently, and from the reflections inferences are made about the kinds of objects that are or are not present on the body. This is a complex process involving state-of-the-art signal-processing techniques. What distinguishes the AMS type of scanner from other scanning technologies, such as X-ray, is its unique use of electromagnetic waves in the millimetre-wavelength band. Materials interact differently with electromagnetic waves in different wavelength bands, and, as will be explained later, elegant use is made of this particular band by the AMS.

One important selling point of the latest generation of AMS lies not so much in the technology’s performance in relation to security goals, but rather in the absence of the production of any kind of ‘nude picture’, a visual representation of the passenger revealing anatomical detail. Instead, the scanners show an abstract, generic mannequin on which a particular body zone – for example, one leg – is highlighted in the event that something ‘suspicious’ is detected. Security officers are thus notified of the need for further inspection of that passenger. ² Vendors, airport operators and policymakers argue that this next generation of AMS offers three main benefits. First, privacy encroachments are significantly reduced, as the display of body detail is avoided. Second, the scanner takes over some of the assessment work that would otherwise be performed by human security agents, thus reducing the claim on expensive human resources. Finally, the whole process works on the basis of millimetre waves, which are argued to be harmless (Mehta and Smith-Bindman, 2011). Accordingly, objections concerning health and safety are pre-empted.

Enshrined in these three main benefits of the AMS are in fact complex discourses and negotiations that were key to the ‘evolution’ of body scanners into the current systems. To learn what ‘security’ has come to mean in this context, and what other values are being enacted in the process, we unpack these discourses – which we understand in a Foucauldian sense as a fabric of knowledge and power (Foucault, [1969] 1972) – and negotiations. In particular, we retrace a series of problem definitions. We investigate how these are translated in different sites of discussion, technical and organizational configurations, and practical workarounds. Thus, we will show that a lot more than merely the security of passengers is at stake, and hence that the framing of public debate about the acceptability of airport security practices in terms of an inevitable trade-off between security and privacy is a questionable simplification (Dragu, 2011; Solove, 2011; Verfaillie et al., 2013). Rather, processes of constructing security technologies are sites of politics. Once these politics are articulated and foregrounded, and their blind spots identified, these sites can be identified as the provenance of particular moral problems – problems that would otherwise appear as no more than ethical problems in the application of a security device.

At first sight, the problem that the AMS is to solve may look rather straightforward: the scanner must detect items that are potentially dangerous and are therefore not permitted to be carried on board airplanes. However, a solution to this same problem was in fact already installed before the present version of the AMS emerged. As one interviewee reports (interview 3), there already was a scanner that could check beneath clothes, also based on millimetre-wave technology. Moreover, even though this predecessor technology produced the controversial ‘nude pictures’, this problem had already been dealt with in some way: the officer inspecting the images was positioned in a secluded room with no visual contact with the site of the scanner and the passenger being scanned, neither directly nor through a camera or other monitoring system. Also, while body details could be discerned, the picture in itself was not detailed enough to render the person identifiable (see Figure 1). Finally, no means were installed for storing the picture. ³ So, it was thought, ‘the privacy problem’ had been solved. But, then again, if ‘the privacy problem’ had apparently been solved, why was the new scanner needed? What problem did it address?

OPEN IN VIEWER

Figure 1.

Pre-Automatic Target Detection (ATD) representation.

In addition to compliance with security policy set by the state and privacy regulations, airport management is bound to pursue various other aims. As one interviewee explains, it is important not to let airport security displace other important operational goals, such as a smooth processing experience for the traveller and a certain efficiency in the allocation of resources (interview 4). By phrasing this somewhat colloquially as ‘aligning the three Cs’ – compliance, customer satisfaction and costs – the interviewee disavows a stance of uncritically making security paramount. Here, the interviewer reports two particular issues that were found to be pressing. First, there was the fact that the operation of the existing scanner was rather labour-intensive, for a security officer was needed to permanently inspect the images made by the scanner. This put a significant claim on human resources. In addition, the officers conducting this visual inspection proved to be susceptible to observer fatigue, a phenomenon that was also well known in CCTV control rooms (interview 3; interview 4). The new scanner was expected to reduce the error rate, thus reducing operational costs and customer discomfort.

Moreover, it turned out that, even within the relatively short time during which the predecessor technology was used, a rather negative public perception of these security practices had firmly taken ground. Despite the privacy measures described, the idea that the practice involved officers looking at ‘nude pictures’ of people kept circulating among the broader public, as well as among Dutch politicians (interview 3). In particular, worries that pictures could be stored and abused were repeatedly voiced, generating additional unease and criticisms. For example, Dutch member of the European Parliament Sophie in ’t Veld publicly doubted Schiphol’s claim that no pictures were stored, stating: ‘I don’t have any evidence, but I am absolutely sure that such things are happening…. I have simply seen too many examples of administrative bodies getting hold of information, either by legal or illegal means’ (cited in De Winter, 2010). Journalistic coverage of exactly this matter, as recently as April 2014, suggests that hitherto no instances of storage of images have been reported (Heck, 2014). We consider it therefore safe to assume that our analysis still reflects empirical reality, even though our research was conducted slightly earlier.

Airport management had clearly mistaken ‘the privacy problem’ to be a single-dimensional problem that could be solved by technological improvement, and underestimated the public concern it would stir. The concerns voiced by Ms In ’t Veld not only reflect a general mistrust towards administrative institutions, but also convey a more fundamental critique of the pretended asexual and innocent nature of the inspection of bodies. The protest and the societal resonance it generates seem to reflect a broad recognition of similarity between virtual and real ‘strip searches’ (Magnet and Rodgers, 2012) and the fact that these are deeply loaded with sexual power (Davis, 2003; George, 1993). The privacy problem thus appears as a polymorphous, multiple problem. The previous version of the scanner appeared unable to mitigate such concerns, as it seemed to approach the privacy problem too much as a singular problem. The new scanner was to take away these concerns.

So, in view of the fact that the existing scanning practice already more or less successfully resolved the detection problem as such, at least in the eyes of airport management and those in charge of its security practices, and in a manner that arguably aimed at pre-empting privacy concerns, the new AMS appears to be introduced as the answer to these other problems: it was to take away particular operational difficulties and costs, and to improve on the obviously failed attempt to alleviate public privacy concerns. Moreover, the expected reduction of full-body searches would both increase ‘customer satisfaction’, as it reduces travellers’ feelings of privacy encroachment as well as their waiting times, and increase efficiency, because it is labour saving, and hence reduce operational costs (interview 3). And, not least, a shorter security cycle means that passengers have more time to spend in airport shopping zones, and smaller devices mean that more space is available for shops (in 2012, retail made up €87 million of a total turnover of €1,353 million; see Schiphol Group, 2013).

This is quite a chain of translations from the initial security problem. Beyond ‘security’ defined as the need to check for dangerous items beneath passengers’ clothing, we found the airport management’s needs to maximize profit, translated into cost-effectiveness, time-, space- and labour-saving security processes, and the safeguarding of ‘customer satisfaction’. In regard to customer satisfaction, the delicacy of inspecting passengers’ pictures had clearly been underestimated by airport management. The measures taken earlier to deal with what was taken to be ‘the privacy problem’ – namely, the elimination of possibilities for officers to connect sensitive visual representations generated by the system to individuals and a certified abstention from storing these sensitive images – were not enough to gain public trust. Again, these measures and their presumed efficacy seemed to rely upon ideas of both security and privacy that were too singular.

Thus, in practice, we now see airport management confronted with an ensemble of challenges. These challenges include not only the technological implementation of (particular forms of) privacy and security, but also the need to actively manage how public discourse unfolds and how privacy and security problems are framed there. As two interviewees report, it is recognized that bodily integrity can in fact be violated, or at least be felt to be violated, by something as seemingly non-invasive as a body scanner (interview 3; interview 4). As both maintain that this perception of bodily harassment importantly hinges on an arguably false perception of the device, all that remains is in fact a public relations or image problem. In this light, it is remarkable that both interviewees confirm the aforementioned preference for technical solutions to overcome this problem: further solutions are sought to make the scanner as non-invasive as possible, chiefly by improving the technological capabilities to distinguish ‘real threats’, such as weapons, from ‘non-threats’, such as particular medical conditions. With the proliferation of problem translations, the requirements that the machine is to meet rapidly multiply, so the one perfect solution becomes ever more elusive. As might be expected, a range of compromises, marketing strategies and negotiations with various stakeholders ensues. This also means that the opportunities increase for particular interests to gain influence on the process: each modification is just one of multiple possible modifications, and each selection is consequential. Thus, each selection is political. However, this is not to say that just anything goes, or that just anything is the consequence of hegemonic social structures. In the next section, it is shown how these value-laden and political choices influence the creation and selection of technical options and, perhaps even more importantly, how the creation and selection of technical options also influences how this particular form of politics plays out.

From problems and values to technical options and designs

The set of problems articulated in the previous section by themselves do not determine the type and shape of the scanners and the surrounding sociotechnical practice. To arrive at the particular machines, routines and procedures we see today, a further set of translations had to be made. In this section, we focus on translations relating to the specifics of the scanning and detection methodology involved in the AMS.

Since the body scanner operates directly on individuals’ bodies, particular kinds of issues arise. In addition to privacy, issues of health and safety immediately come to the fore. In this case, these issues earn particular urgency from the fact that going through the scanner is mandatory for the travelling public at large, and from the fact that the body is actively radiated with millimetre-wave radiation. It is commonly acknowledged that some electromagnetic waves are harmful for the human body, whereas others are not. Even in the former case, whether harm actually occurs depends on the exact way in which waves are used. Thus, another set of problem definitions to be solved by the scanner emerges: one couched in terms of health and safety.

Accordingly, considerable effort is made to explain the harmlessness of millimetre waves, and to convince the general audience that the use of AMS is justified and acceptable (interviews 1–4). The harmlessness of millimetre waves is explained in various ways. First, it is asserted by reference to the waves’ inability to ionize: they cannot change the state of atoms in the matter of which our bodies are composed. This means that they cannot engender any chemical transformations, for example in our DNA, which is the way in which X-rays are typically known to be harmful (European Commission, 2011; International Atomic Energy Agency (IAEA), 2013; World Health Organization (WHO), 2013). This argument is put forward by one airport deploying this type of scanner (Schiphol, 2013), by various interviewees (interviews 1–4) and by governmental bodies (Department of Infrastructure and Transport (DIT), 2011; Nationale Coordinator Terrorismebestrijding (NCTb), 2010). In contrast, X-rays are ionizing, and hence deemed to be more dangerous. This was an important argument for European regulators to prioritize millimetre-wave scanners over X-ray technologies (European Commission, 2011).

A second way of asserting the safety of millimetre waves is by pointing out the low intensity of radiation at which they are used. The intensity of the radiation emitted by the scanners, as multiple interviewees argue, is several orders of magnitude lower than the intensity of the radiation we experience continuously from other everyday sources such as mobile telephones and car radars (interview 1; interview 2). One policy document adds at this point that millimetre waves are, for this same reason, also unable to interfere with fragile medical devices such as pacemakers (DIT, 2011).

Finally, the innocence of millimetre waves is reinforced by emphasizing their inability to penetrate the skin and enter the body (interview 1; interview 2). On this point, millimetre waves differ again from X-rays. This feature serves both privacy and safety. First, it is implied that if something cannot enter the body, it cannot do any harm to that body (even though there is general silence on potential harm at the skin level). Second, the skin is staged as another privacy-relevant line, where the inside of the human body is considered even more personal and intimate.

Through reference to the innocence of millimetre waves, the body is made not to matter. Implicitly, this mobilizes important cultural perspectives on what can be done to the body. In a general sense, an important fault line of sexual harassment is placed at penetration of some sort (George, 1993). While the operation of body scanners does not involve tactile penetration of the body, the penetration boundary does clearly resonate in the discourse of body scanners: millimetre waves are argued to be fundamentally unable to pass through the skin, and X-ray backscatter scanners are argued not to have any effect inside the body. It is through appeal to this ‘staying outside the body’ that the particular technologies are presented as unproblematic (see also Bellanova and González Fuster, 2013).

While these boundaries seem self-evident, they are in fact culturally specific, as well as highly relevant from a political perspective (Van der Ploeg, 2002). These boundaries have consequences that matter. As Lisa Cartwright has shown for medical imaging devices, these boundaries are placed at a specific line, in such a way that imaging practices render the body – in particular the female body – in a manageable fashion (Cartwright, 1995). Extending the argument to the realm of airport security scanners, it becomes clear that the general public is forced into a position of being manageable through being naked – even if this is not for the eyes of human spectators but for machines. In this nakedness, people become vulnerable: rather than offering some sort of compensation for the power imbalance that naturally exists between, on the one hand, the security apparatus and officers and, on the other, the traveller, the nakedness seems to reinforce exactly this power imbalance.

Unpacking this discourse shows that the ‘non-problematicity’ of the scanner is chiefly a constructed and particular quality, not something natural or in any other way essentially connected to the scanner. The non-problematicity hinges on cultural notions of what is appropriate to do with a body, and these notions are not neutral between different groups.

Seen in this light, it is even more paradoxical that, whereas in EU discourse millimetre waves are preferred over X-rays because the former are argued to be safer than the latter, in the USA the use of X-rays is defended and claimed to be safe by appeal to very much the same sort of arguments. For instance, at the introduction of X-ray technologies in the USA, reference was made to their very low radiation intensity, which would render them harmless. It was emphasized that the total dose of X-ray radiation equals the exposure to cosmic radiation experienced during two minutes of long-haul air flight (Transportation Security Administration (TSA), 2011). Thus, the ability to ionize is constructed as irrelevant, and by no means essentially irrelevant, to the definition of the problem.

Also, just like millimetre waves in the EU, X-rays are presented in the USA as ‘not penetrating the skin’. This is remarkable, as X-rays are in most other situations used to do precisely that – for instance in the full-body scanners that are used to detect intestinal drug trafficking, or when the dentist makes a photo of our dental condition. The so-called backscatter X-ray scanners installed at US airports are said to make use only of X-rays that are reflected by the body, not of radiation that penetrates the body (TSA, 2009). The phrasing is delicate: it seems to suggest that the radiation does not penetrate the skin, but that is not literally what it says; it only says that no use is made of such penetration. Indeed, it is argued elsewhere that, even in this low dose, the radiation does penetrate the skin and to some degree even passes through the body (Kaufman, 2010), though no clear account is given of what effects or harms such low-dose radiation actually could bring about inside the body. Nevertheless, it is remarkable that the rhetoric of safety is very similar on both sides of the Atlantic, even though very different technologies are promoted by it.

This analysis could be extended towards an infinite number of contingencies that have an influence on the design programme. Technical options and choices are also constrained by other than just safety considerations. For example, for their installation in practice, scanners face a number of practicalities. These include that heat dissipation and power use must remain within certain boundaries to keep operation at civil airports feasible (interview 2). Also, the height and width of the walk-through portals must be small enough for them to be fitted into the available space. Similarly, the goals that give direction to the process are more than just the seemingly primary ones of privacy and security. As explained in the second section on the primary definition of problems, one of the central targets was the speeding up of the whole security process; and, as one company advertises, its particular version of the machine is indeed able to speed up the process, with the result that up to 300 passengers can be checked per hour. ⁴

The heterogeneous goals pursued spell the constraints with which designers in the end have to cope. These constraints mean that ‘translations’ require coordination between parties, between opposing economic interests, between technological affordances, etc. It was already argued that these translations are political because they entail a selection of particular scenarios over others. In this section, it has been added that these selections importantly define the technological configuration of a practice. In this case, this means that these translations de facto matter for how the security scanners operate; more specifically, for the way in which they distinguish between trusted and suspect items passengers wear on their body. This distinction will be the object of concern in the next section.

As will be further elaborated towards the end of this article, it is in this political moment in the construction of security scanners that important choices are made that in the end determine how security and other values become enacted. These choices are largely made in secluded spaces, while the technological options and choices on the one hand materially consolidate the choices made, yet on the other hand appear as neutral and apolitical. Importantly, it is not only devices that are constructed here, but also security and privacy themselves. Also, problems that are not addressed receive particular solutions, or ‘non-solutions’ if you like: material arrangements will be made such that the solution of explicated problems will be optimized, and this may de facto incur a move away from resolving the unaddressed problems. We started by declining any ex ante definition of security, and instead assumed that security itself is constructed in the course of the process. The focus on problem definitions now starts to pay off by revealing the contours of how this definition takes place, and how it partly takes place on the technological design table, away from democratic governance, and apparently without sufficient attention to the interests of subordinate groups. The next section will further identify such gradual definitions of both security and privacy.

Constructing security scanners, constructing anomalies

In the previous section, we discussed how a set of problem definitions, in which ‘security’ was not only ‘implemented’ but also in a way redefined and extended so as to include a range of other values, was translated into particular technical options and choices. We will now zoom in more closely on the way in which the scanners perform their task of keeping our flights safe by detecting dangerous items, and how they do this in a purportedly cost-effective, efficient, harmless and privacy-respecting manner. It is first when the device is actually ‘put to work’ that it starts to perform its definitions of privacy and security, and that these definitions become visible.

When the millimetre-wave machinery is set in motion to scan the person going through the security gate, it ‘illuminates’ the person with millimetre waves, the reflections of which, through a number of signal-processing techniques, generate information that needs to be processed in particular ways in order to become operationally relevant to security personnel.

One difference between X-rays and millimetre waves plays out here. The amount of detail that can be pictured depends directly on the wavelength: shorter waves are able to detect smaller objects and render smaller details, although below a certain limit the efficacy starts declining again as waves are no longer reflected but pass through the body (May, 2012). X-rays are shorter than millimetre waves by several orders of magnitude, and pictures created with them are often perceived as closely resembling photographs of naked bodies (see Figure 2). In contrast, millimetre waves produce at best blurry pictures (see Figure 1), and sometimes no visual images at all. While the reasons mentioned above for prioritizing millimetre waves prevail in European practice, this also entails that less-detailed images are produced. In an unreflexive perspective on security, this appears as a mere disadvantage. However, in terms of privacy this offers an arguable benefit: less information means that less harm can be done through that information (González Fuster, 2009). Indeed, this trump card is played by one AMS vendor, which argues that the information produced by its scanners is fundamentally harmless because it does not contain any sensitive information (interview 2).

OPEN IN VIEWER

Figure 2.

X-Ray backscatter image.

Even though all millimetre waves produce unclear images, a difference between the two brands of AMS that we investigated is significant. As interviewees explained, the ACorp variant of scanner emits millimetre waves towards the body, upon which some thousand sensors record the amplitude (‘strength’) and phase (‘relative position on the time scale’) of reflected waves (interview 2). Signal-processing techniques performed on these sensor data produce an automatic assessment of whether ‘something suspect’ is present without creating any photograph-like picture at all. In fact, it is theoretically impossible, according to the same interviewees, to create such a picture from the raw sensor data, as they contain insufficient information for such a task.

The other version of the AMS, developed by BCorp, is based on quite different technical principles. While the output, the abstract featureless mannequin, is functionally the same as the one produced with the ACorp scanner, the way in which the machine produces this image is radically different. Before showing the mannequin, the BCorp scanner does create a picture (a photograph-like image; see Figure 1). Despite the low optical quality of the picture, body properties are to some extent visible. Importantly, though, this picture is not displayed on the officer’s screen, nor stored in an accessible way. ⁵ Instead, the picture is processed internally by an ‘automatic threat detection’ algorithm, after which the mannequin representation of the subject’s suspect body is generated. ⁶ Thus, while the output of the two scanners meeting the security officer’s eye may seem equally robust in terms of withstanding privacy objections, the actual production of controversial images is completely avoided in only one of them. This absence of a picture is an important discursive asset in discussions about privacy; hiding a picture is trumped by not making a picture at all.

Even more significant, however, is the automated threat assessment executed in both machines, which performs the crucial classification of people as either trusted or untrusted. This classification is performed by algorithms that identify ‘anomalies’, as they are referred to (interview 2; DIT, 2011). ⁷ Literally, the word ‘anomaly’ denotes ‘something irregular’, or something that cannot be properly allocated to any of the classes of a classification system, and therefore is labelled ‘abnormal’. An anomaly is typically something we do not know what to do with. However, to regard something as an anomaly is, of course, a classification in itself, and consequential and performative at that. In the next section, we will discuss what consequences such anomalies have, and how they are unevenly distributed across the public.

These anomalies are identified in a non-trivial technological process. One key choice in the design of the AMS regards the particular spectrum of millimetre waves. Clothes are ‘transparent’ for waves of this length as they neither absorb nor reflect the waves, whereas the waves are reflected by the body (Sheen et al., 2012). Because of these characteristics, as two development engineers from ACorp explain (interview 2), their device is able to detect ‘anomalous materials’, by which they mean any material that is not classifiable as ‘body’ or ‘clothing’.

Thus, a system has de facto been implemented that cannot but consider anything other than clothing or bodily matter as anomalous, and hence threatening. Security and privacy requirements identified in the previous section are translated into particular operational performances. Moreover, through the performance of a particular representation of bodies, the systems also perform a classification of normal versus abnormal, and hence trusted versus distrusted travellers. While this performance itself is clearly visible, the technologies hide the negotiations they consolidate. The performance shows how specific ‘abnormalities’ of human bodies are enacted, while they conceal the provenance of these abnormalities in the non-discussion of specific problems – indeed, in very partial definitions of the security problem. Yet these anomalies, of which the definition was far from self-evident, have now attained a high degree of stability and apparent necessity.

Workarounds: Making the scanner perform privacy and security

So far, we have formulated the chain of translations that led from a particular definition of security threats in civil aviation to current body-scanning systems installed at airports. First, we described the problems that the scanner setup was intended to solve. Second, we articulated how these problem definitions were translated into technological options and choices. Third, we discussed how these technological choices led to very specific enactments of ‘privacy’ and ‘security’, through the system’s classification and anomaly-detection functions. Obviously, this is not where it all ends. In this final part of the analysis, we shift our focus to the scanner-in-action to describe a set of translations involved in using the AMS scanner at the airport.

This means looking at the actual arrangement at airports. We will not engage in a full, detailed description of the system in use here, but merely suggest what kind of effort beyond that of designers and those usually referred to as ‘users’ – that is, security officers operating the system – is required from unexpected parties to sustain the practice of body scanning. Beyond the sophisticated machine as such, we will now see a setup that requires yet another set of actors to cooperate for the system to ‘work’.

As the device regards everything other than clothing material or human flesh as anomalous, and presents this as such to security personnel, the latter are unable to distinguish between weapons and medical devices, Thus, for example, as bomb belts and stoma (colostomy) bags are carried on the same part of the body, the system produces very similar alerts on the mannequin image generated in both cases. As a consequence, the introduction of the scanners required significant changes in security checking routines, which in turn also led to a specific redistribution of responsibilities.

As described above, upon the arrival of stoma-carrying passengers, the scanner detects an ‘anomalous’ object, highlights the particular body area on the mannequin on the screen, and issues an alert. It has been reported that this did cause embarrassing situations for people with a stoma (interview 4; interview 5). With no ‘exception handling’ routines for this in place, security personnel were also uncertain how to proceed. Explanations were sometimes demanded on the spot, causing an immediate and often acutely felt privacy problem for those concerned. When people were subsequently invited to secluded rooms for closer inspection, that too caused embarrassment and discomfort. It is one thing for people to be compelled to reveal such a personal medical condition in such circumstances. It is another thing that the typical airport environment is particularly unfit for doing so. For example, basic hygiene facilities such as running water, needed for cleaning in the event that the stoma becomes dislocated, is lacking, which greatly diminishes the comfort. In fact, the whole airport security practice came down to performing the disability in an amplified way, rather than treating the disability as just another, legitimate reality (see e.g. McRuer, 2006).

Because of this undesirable situation, the Association of stoma patients requested a different arrangement. A compromise with security management was eventually negotiated that left the device, and even the spatial organization of secondary inspections, unchanged. Instead, the concession consisted of stoma patients announcing themselves as such to security personnel upon approaching the device. While this solved the problem of being classified as ‘distrusted’ because of the anomalous stoma detected, this solution hinges on patients performing their own ‘otherness’, by ‘confessing’ to sensitive, private aspects of their identity.

Thus, ironically, the design choices of avoiding display of body pictures and using millimetre wave rather than X-ray did not solve ‘the privacy problem’, but rather shifted it onto a particular group of travellers and transformed it into a medical privacy issue. If critical security studies want to investigate not only how security is implemented but also how the concept itself is constructed in the process of implementation, attention must be paid to such displacements, how they are designed into devices, and how they appear as merely collateral damage resulting from techno-scientific difficulties. The ‘externalization’ of privacy problems is not in any essential way connected to security, but at the core of how particular ideas of security are negotiated and implemented in material configurations, without the institutionalization of a voice for subordinate groups. Moreover, it is key to critical security studies to observe that such externalization may remain implicit, as it appears as mere impossibilities in technical design, not political choices. This, in turn, is the consequence of leaving particular problems unrepresented in the design process, with the result that post hoc solutions will be called for when the unfortunate operation becomes apparent.

This all sketches a bleak picture of travelling for people whose bodies happen to fail to meet some particular criteria of normality. This is not simply a matter of how devices solve some clearcut problem in an imperfect way. Rather, it is the consequence of devices being designed as solutions to problems of which the definitions incorporate some interests better than others, thereby reproducing existing power inequities. Even though unintentional, misclassification of bodies as anomalous is still indicative of a techno-scientific practice that reproduces rather than mitigates inequitable social systems (Magnet, 2011). Part of the reproduction of such social inequalities takes place in the material realm.

Conclusion

Devices such as the AMS present an ambiguous reality (Magnet and Rodgers, 2012). On the one hand, they are defended in a narrative of neutrality, transparency and efficiency: the devices are said to register only that which is relevant to security, while keeping invisible anything that is not; they execute the procedure quickly, and subject everybody to the same regime. On the other hand, the machine delivers exactly the opposite: it treats some categories of people differently, on the basis of characteristics that are irrelevant to ‘security’. Next to the medical conditions like the one we just described, similar effects may occur in relation to other characteristics and identity attributes equally irrelevant from a security point of view, such as transgender and certain religious identity attributes. And even in the hypothetical case that the device performs as intended, people who are aware of some arguable ‘abnormality’ of their own body, ranging from the colostomy discussed above to transgendership and even ‘being black’, will experience a certain fear that this ‘abnormality’ is brought into the centre of attention by this machine (Koskela, 2003; Wolff, 2012). In addition, as devices do not work on their own but in a context where human operators determine vast parts of operations, any ‘neutrality’ will fail to be delivered if the human operators do not relinquish their own ‘risk profiling’. As anecdotal evidence suggests (e.g. Peterson, 2011), women dressed according to Islamic principles are sometimes subjected to overly intrusive secondary scrutiny, even when walk-through and handheld metal detectors fail to find anything suspect (see also Deal, 2011).

The latest generation of active millimetre-wave scanners is promoted as state-of-the-art, privacy-preserving security technology. These scanners present alerts to security officers while keeping body details at a proper distance from the surveilling gaze. However, unpacking this idealized picture has revealed how this technological practice is tied up with a proliferated set of interests and complexities. The problem that the scanner solves in the end is not quite the problem of ‘keeping terrorists out of airplanes’, but has become defined as a cluster of smaller and bigger problems connected to the challenges of operating and managing the airport. And important problems are not solved. In the end, the advantages and disadvantages of the novel device are not evenly distributed, nor unequivocally connected to privacy, or even security.

As Aradau (2010) argues, materialities are not empty receptacles of discourse, nor do they possess pre-given essences that dictate their working and meaning. Technologies cannot be designed in just any way dreamt up, nor do they, from some pre-given essence, dictate how social relations are to be arranged around them. The present analysis has shown that if we are to understand how security devices co-evolve, and how they are made to work, we cannot consider them as straightforward implementations of ‘security’. ‘Security’ is neither the only value underlying their design, nor the only value that they in the end promote. Rather, causes as well as effects ramify far beyond mere security, and only an analysis of the trajectory of material construction of technologies can explain how specific inequalities get implemented, and become the de facto consequences, far downstream, of some original conception of security.

This entails that claims about ‘privacy by design’ (Cavoukian, 2009) made in relation to the latest type of scanners should not be accepted uncritically. Just as security is not just straightforwardly implemented, it cannot be expected that privacy is unproblematically pursued through technical design – even though the paradigm of ‘privacy by design’ precisely promises to resolve privacy problems in the technological sphere, provided that privacy demands are formulated sufficiently upstream (Gürses et al., 2011). Even if privacy is considered upstream and made part of the problem definition, it will still be subject to exactly the same heterogeneous set of influences. This additionally entails that privacy and security cannot be thought of as mutually exclusive – which is in fact how they are more often than not connected in discussions. Moreover, as privacy (in some form) itself specifies particular problems to be solved, this will in turn just as much neglect other problems, the non-solution of which will eventually surface in a consolidated way, seemingly as a mere technical imperfection. Ironically, the present analysis shows that attempts to solve particular privacy problems lead to an exacerbation of other privacy problems. We hope to have convincingly demonstrated that this is importantly attributed to particular problem definitions being dominant when material configurations are selected; that is, when specific devices are assembled. These problem definitions are negotiated in places where subordinate groups have no voice.

Looking at what particular definitions of the problem are implied in specific solutions, and how these are translated into concrete devices, highlights the wider range of values, interests and goals at stake. Moreover, by following the chain of translations that leads right into the particulars of devices and their operation, we were able to identify a number of contingencies that cause these devices to preserve some people’s ‘privacy’ at the cost of the privacy of others. The definition of the privacy problem has changed along the way, and the preferred realm of solving being ‘technology’ has de facto ‘exempted’ the solution of privacy problems from politics. Even though the generation of the controversial ‘nude picture’ is eliminated in particular versions of the AMS, the systems’ way of classifying passengers performs norms concerning what a human body should look like that render some people as ‘different’ in ways that are highly privacy sensitive.

By necessity, any security system that focuses on human bodies will have a set of built-in norms about what a human body looks like, and all of these systems can only cope with a certain range of human differences (Van der Ploeg, 2011). In some contexts this may not necessarily be problematic, but in a context like civil aviation, where global mobility is at stake, one knows in advance one will find the greatest range of differences, entailing high numbers of ‘anomalies’. Therefore, the consequences of any category of people being performed as ‘different’ will immediately affect many people entitled to have equal protection of their rights to privacy and dignity. To present this as an unfortunate consequence of the inevitable trade-off between security and privacy, as one so often finds, is neglecting the context-dependency of these values and the wide range of other values that go into the shaping of eventual security practices. Our analysis has shown how looking into the material specifics of problem translations and automated classification provides an effective antidote to such overly simplistic and value-charged justifications.