Incident: Failure of Privacy Software Implementation in TSA Body Scanners

Published Date: 2013-01-19

Postmortem Analysis
Timeline
1. The software failure incident of the TSA body scanning machines happened in June 2013 as mentioned in Article [16184].

System
The software failure incident mentioned in the article involved the failure of the privacy software to be installed on the backscatter machines manufactured by Rapiscan. Specifically, the Automated Target Recognition (ATR) software was not able to be deployed on the backscatter machines, leading to their removal from checkpoints by the TSA.
1. Privacy software, specifically Automated Target Recognition (ATR) software, failed to be installed on the backscatter machines manufactured by Rapiscan [16184].

Responsible Organization
1. Rapiscan, the manufacturer of the backscatter machines, was responsible for causing the software failure incident by not being able to meet the congressional-ordered deadline to install privacy software on the machines [16184].

Impacted Organization
1. Transportation Security Administration (TSA) [16184]

Software Causes
1. Rapiscan, the manufacturer of the backscatter machines, could not meet the congressional-ordered deadline to install privacy software on the machines [16184].

Non-software Causes
1. Inability of the manufacturer, Rapiscan, to meet a congressional-ordered deadline to install privacy software on the backscatter machines [16184].

Impacts
1. The software failure incident led to the removal of the backscatter body scanning machines from airport checkpoints by the Transportation Security Administration (TSA) by June [16184].
2. The removal of the backscatter machines addressed privacy concerns raised by critics who referred to the machines as conducting "virtual strip searches" [16184].
3. The manufacturer of the backscatter machines, Rapiscan, could not meet the congressional-ordered deadline to install privacy software on the machines, leading to the software failure incident [16184].
4. The failure of Rapiscan to deploy non-imaging Automated Target Recognition (ATR) software resulted in the TSA ending its contract with the company [16184].
5. The software failure incident ultimately led to a shift towards using machines with ATR software for faster throughput and enhanced security at airport checkpoints [16184].

Preventions
1. Implementing a more robust software development and testing process to ensure timely delivery of the privacy software for the body scanning machines [16184].
2. Conducting thorough risk assessments and contingency planning to address potential delays in software development and deployment [16184].
3. Collaborating closely with the software manufacturer to monitor progress and provide necessary support to meet the deadline for installing the privacy software [16184].

Fixes
1. Security companies developed privacy software, called Automated Target Recognition (ATR) software, which could potentially fix the software failure incident with the backscatter machines [16184].

References
1. Rapiscan - the manufacturer of the backscatter machines [16184]

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization (a) The software failure incident related to the inability to deploy privacy software on the backscatter machines by Rapiscan has happened within the same organization before. The article mentions that Rapiscan, the manufacturer of the backscatter machines, could not meet a congressional-ordered deadline to install privacy software on the machines, leading to the decision by the TSA to remove these machines from checkpoints [16184]. (b) The software failure incident related to the inability to deploy non-imaging ATR software on the backscatter machines has not been reported to have happened at other organizations or with their products and services in the provided article.
Phase (Design/Operation) design, operation (a) The software failure incident related to the design phase can be seen in the article where it mentions that the manufacturer of the backscatter machines, Rapiscan, could not meet a congressional-ordered deadline to install privacy software on the machines. This failure in meeting the deadline for developing and implementing the required privacy software can be attributed to a design phase issue [16184]. (b) The software failure incident related to the operation phase is evident in the article where it discusses how the TSA initially sought to address privacy concerns by implementing operational measures such as placing TSA officers viewing the scanner imagery in remote locations and offering passengers the right to an alternative screening through a pat down. However, these operational solutions failed to satisfy privacy groups and some members of Congress, indicating a failure in the operation phase of the system [16184].
Boundary (Internal/External) within_system (a) within_system: The software failure incident related to the TSA body scanning machines was primarily within the system. The failure occurred because the manufacturer, Rapiscan, could not meet the congressional-ordered deadline to install privacy software on the machines, leading to the decision by the TSA to remove the machines from checkpoints [16184]. This failure was internal to the system as it was related to the inability of the manufacturer to develop and deploy the required software within the specified timeframe.
Nature (Human/Non-human) non-human_actions, human_actions (a) The software failure incident in this case was primarily due to non-human actions. The failure occurred because the manufacturer of the body scanning machines, Rapiscan, could not meet the congressional-ordered deadline to install privacy software on the machines. This led to the decision by the Transportation Security Administration (TSA) to remove the machines from checkpoints by June [16184]. The inability of the manufacturer to deploy the required non-imaging Automated Target Recognition (ATR) software was a key factor in this software failure incident. (b) Human actions also played a role in this software failure incident. Initially, the TSA sought to address privacy concerns by implementing measures such as placing TSA officers viewing the scanner imagery in remote locations and offering passengers the right to an alternative screening through a pat down. However, these solutions failed to satisfy privacy groups and some members of Congress, who believed that both alternatives could be abused. Ultimately, the failure caused by technology was solved by the development of privacy software (ATR software) by security companies. The decision to end the contract with Rapiscan was also a result of human actions taken by the TSA [16184].
Dimension (Hardware/Software) hardware (a) The software failure incident in this case occurred due to contributing factors that originate in hardware. The Transportation Security Administration (TSA) decided to remove the backscatter machines, which were causing privacy concerns, because the manufacturer, Rapiscan, could not meet the deadline to install privacy software on the machines. This hardware-related issue led to the decision to remove the machines from checkpoints [16184].
Objective (Malicious/Non-malicious) non-malicious (a) The software failure incident related to the removal of certain body scanning machines at airports was non-malicious. The failure was attributed to the manufacturer, Rapiscan, not being able to meet a congressional-ordered deadline to install privacy software on the machines. This failure was not due to any malicious intent but rather a failure to comply with regulatory requirements [16184].
Intent (Poor/Accidental Decisions) poor_decisions The intent of the software failure incident related to the removal of the body scanning machines by the TSA was primarily due to poor decisions made by the manufacturer, Rapiscan. The failure was a result of the manufacturer's inability to meet a congressional-ordered deadline to install privacy software on the machines, specifically the Automated Target Recognition (ATR) software. This failure led to the TSA deciding to remove the machines from checkpoints [16184].
Capability (Incompetence/Accidental) development_incompetence, unknown (a) The software failure incident related to development incompetence is evident in the article as the manufacturer of the backscatter machines, Rapiscan, could not meet a congressional-ordered deadline to install privacy software on the machines. This lack of professional competence by the manufacturer led to the software failure incident [16184]. (b) The software failure incident related to accidental factors is not explicitly mentioned in the provided article.
Duration temporary The software failure incident related to the inability to meet the privacy software deadline for the backscatter machines by Rapiscan was temporary. The failure was due to the manufacturer's inability to deploy non-imaging Automated Target Recognition (ATR) software on the machines, leading to the decision by the TSA to remove these machines from checkpoints by June [16184]. This failure was specific to the circumstances surrounding the development and deployment of the required software for the machines.
Behaviour omission (a) crash: The software failure incident in the articles can be categorized as a crash. The backscatter machines manufactured by Rapiscan were unable to meet a congressional-ordered deadline to install privacy software, leading to the decision by the Transportation Security Administration (TSA) to remove these machines from checkpoints by June [16184]. This failure to meet the deadline resulted in the machines not being able to perform their intended function of displaying generic outlines of the human body while maintaining passenger privacy, ultimately leading to their removal.

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence theoretical_consequence The consequence of the software failure incident described in the articles is as follows: (h) theoretical_consequence: The potential consequences that were discussed but did not occur due to the software failure include concerns about privacy and the possibility of people being viewed naked by TSA screeners. The software failure led to the removal of body scanning machines that produced graphic images of travelers' bodies, which critics referred to as "virtual strip searches." The failure to install privacy software on the machines by the manufacturer raised significant privacy concerns, which were addressed by removing the machines and implementing alternative solutions [16184].
Domain transportation (a) The failed system was intended to support the transportation industry. The Transportation Security Administration (TSA) announced the removal of body scanning machines from checkpoints due to the manufacturer's inability to meet a congressional-ordered deadline to install privacy software on the machines [16184]. This incident directly impacts the transportation sector as these machines are crucial for security screening at airports.
