The Electronic Privacy Information Center has been suing the Department of Homeland Security because it refused to engage in the public rule-making process before it adopted RapeAScan machines as part of the primary screening at airports. DHS responded to EPIC’s suit the other day. While I think their response will be largely successful as written, they’re playing games with the timing of EPIC’s suit so as to avoid doing any discussion or even administrative privacy assessment of giving passengers a choice between being photographed nude or having their genitalia fondled.

The key to this is that EPIC first requested a request for review of whether DHS should have engaged in rule-making on May 28, 2010, before TSA changed pat-down procedures. It then submitted its brief on November 1, 2010, after the enhanced pat-downs were being rolled out. But the issue still focuses on the machines and not the machines in tandem with the invasive pat-downs. So a central part of DHS’ argument is that passengers are given an alternative to the RapeAScan machines: pat-downs. But its filing never deals with the possibility that pat-downs are more invasive than even the RapeAScan machines.

TSA communicates and provides a meaningful alternative to AIT screening. TSA posts signs at security checkpoints clearly stating that AIT screening is optional, and TSA includes the same information on its website. AR 071.003. Those travelers who opt out of AIT screening must undergo an equal level of screening, consisting of a physical pat-down to check for metallic and nonmetallic weapons or devices. Ibid.

A physical pat-down is currently the only effective alternative method for screening individuals for both metallic and nonmetallic objects that might be concealed under layers of clothing. The physical pat-down given to passengers who opt out of AIT screening is the same as the pat-down given to passengers who trigger an alarm on a walk-through metal detector or register an anomaly during AIT screening. Passengers may request that physical pat-downs be conducted by same gender officers. AR 132.001. Additionally, all passengers have the right to request a private screening. Ibid. More than 98% of passengers selected for AIT screening proceed with it rather than opting out. AR 071.003.

And by focusing on this alternative with no real discussion of what it currently entails, DHS dodges the question of whether the two screening techniques together–RapeAScans and enhanced pat-downs–violate passengers’ privacy. Note, for example, how the filing boasts of two Privacy Impact Assessments TSA’s privacy officer did (plus an update just as EPIC was last complaining about this technology).

Pursuant to 6 U.S.C. § 142, DHS conducted Privacy Impact Assessments (“PIAs”) dated January 2, 2008, and October 17, 2008, to ensure that the use of AIT does not erode privacy protections. AR 011.001-.009, 025.001-.010. The second PIA was updated on July 23, 2009 and lays out several privacy safeguards tied to TSA’s use of AIT. AR 043.001-010.

Now, as a threshold matter, there’s something odd about DHS citing 6 U.S.C. § 142 here. Its requirement for PIAs reads:

The Secretary shall appoint a senior official in the Department to assume primary responsibility for privacy policy, including – (1) assuring that the use of technologies sustain, and do not erode, privacy protections relating to the use, collection, and disclosure of personal information; (2) assuring that personal information contained in Privacy Act systems of records is handled in full compliance with fair information practices as set out in the Privacy Act of 1974 [5 U.S.C. 552a]; (3) evaluating legislative and regulatory proposals involving collection, use, and disclosure of personal information by the Federal Government; (4) conducting a privacy impact assessment of proposed rules of the Department or that of the Department on the privacy of personal information, including the type of personal information collected and the number of people affected; and (5) preparing a report to Congress on an annual basis on activities of the Department that affect privacy, including complaints of privacy violations, implementation of the Privacy Act of 1974 [5 U.S.C. 552a], internal controls, and other matters. [my emphasis]

See how it says the department has to do PIAs “of proposed rules”? That suggests the Privacy Officer treated the plan to use RapeAScans as a rule and did a PIA accordingly. But this entire filing–which explains why DHS refused to accede to EPIC’s request to conduct public rule-making on the use of RapeAScans–argues that the implementation of the machines did not constitute a rule. But they did a PIA as if it was a rule!

But there’s another thing this filing doesn’t say about PIAs: that Congress demanded TSA publish a PIA on the enhanced pat-downs.

In the absence of an Executive branch level Privacy and Civil Liberties Oversight Board that would evaluate decisions such as this, it was crucial that the Department of Homeland Security’s Privacy Officer and Office for Civil Rights and Civil Liberties thoroughly evaluate and publish written assessments on how this decision affects the privacy and civil rights of the traveling public. To date, the Department has not published either a Privacy Impact Assessment (PIA) nor a Civil Liberties Impact Assessment (CLIA) on the enhanced pat down procedures. Without a published PIA or CLIA, we cannot ascertain the extent to which TSA has considered how these procedures should be implemented with respect to certain populations such as children, people with disabilities, and the elderly. By not issuing these assessments, the traveling public has no assurance that these procedures have been thoroughly evaluated for constitutionality.

So while DHS boasts that it did PIAs on the RapeAScans before it rolled them out, it still does not appear to have done a PIA on the groping that serves as DHS’ much touted alternative to RapeAScans, much less a PIA on the two techniques offered together.

Now, DHS is using procedural complaints to object to EPIC’s inclusion of Nadhira Al-Khalili on the complaint, a lawyer with ties to the Muslim community. But their response to EPIC’s freedom of religion complaint seems to suggest they recognize they are vulnerable: suggesting that if a Muslim (or anyone else with documented reason to be opposed to having nude pictures taken and/or their genitalia groped by strangers) were to sue, the procedures would not hold up.

But for now, DHS is treating the RapeAScans separately from the groping so as to be able to argue that in conjunction with the “choice” of being groped, the RapeAScans present no big privacy problem.