Last week, the D.C. Circuit Court of Appeals rejected a Fourth Amendment challenge to the Transportation Security Administration's strip-search machine policies, but it found that the TSA violated the Administrative Procedure Act in rolling them out. Too bad that the court arrived at the Fourth Amendment issues before they were ripe.



The bulk of the decision was devoted to the TSA's law violation in creating strip-search machine policies without doing a notice-and-comment rulemaking. That's the procedure federal agencies are required to carry out when Congress has delegated them legislative authority. Congress did delegate such authority when it told the Department of Homeland Security to develop technologies that detect nonmetallic, chemical, biological, and radiological weapons in 2004's Intelligence Reform and Terrorism Prevention Act.



"[T]he TSA has advanced no justification for having failed to conduct a notice-and-comment rulemaking," the court wrote, adding that it expects the agency "to act promptly on remand to cure the defect in its promulgation."



The TSA will likely spout "constantly changing threat environment" boilerplate to try and argue that it can avoid notice and comment under the APA's "good cause" exception. An agency can skip notice and comment "when the agency for good cause finds . . . that notice and public procedure thereon are impracticable, unnecessary, or contrary to the public interest."



But the threat environment is not "constantly changing" at the level of abstraction relevant for the strip-search machine policy---some people are out there who might try to get dangerous articles onto planes---and these machines will be in place for decades, if not permanently, under the TSA policy. They will affect the privacy and security of billions of air passenger journeys. Even if there were need for haste in rolling out the machines, nothing makes it uniquely difficult, or anything other than appropriate, for the TSA to engage in a public process to substantiate its actions.



When the TSA does a rulemaking, it will have to lay out its strip-search machine policies and---crucially---justify them. Notice-and-comment rules are subject to court review, and reversal if they are "arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law." That is a rather low standard, but it's a higher standard than the agency has ever met before---none at all.



The TSA will have to exhibit how its risk management supports the installation and use of strip-search machines. How did the TSA do its asset characterization (summarizing the things it is protecting)? What are the vulnerabilities it assessed? How did it model threats and hazards (actors or things animated to do harm)? What are the likelihoods and consequences of various attacks? Risk assessment questions like these are all essential inputs into decisions about what to prioritize and how to respond.



Congress dictated detection of various harmful agents, a form of interdiction. (The other responses to risk are acceptance, prevention, and mitigation.) Given the array of choices available to it, how did the TSA select strip-search machines?



Crucially, how well do strip-search machines reach the risks identified in their risk assessment? This is a cost-benefit question. How much do strip-search machines cost to purchase, maintain, and operate? The costs denominated in dollars include money spent on buying the machines, configuring airports, and paying TSA salaries to operate the machines and process passengers. Such costs also include opportunity costs imposed on travelers when the time they spend at airports lengthens to accommodate extended security screening and variable delays. Yet more costs are denominated in lost privacy and dignity to the traveler. These are substantial, though hard to quantify.



Security benefits are also hard to quantify, but the agency should do so if it is to justify its policies as something better than random or intuitive reaction. DHS and TSA officials endlessly talk about risk and risk management, but they cannot honestly say they are doing risk management if they are not thinking these issues all the way through. I've offered a methodology for valuing security benefits, and security experts (as well as students) have analyzed the costs and benefits of homeland security programs. The TSA can do it too.



Watch in the rulemaking for the TSA to obfuscate, particularly in the area of threat, using claims to secrecy. "We can't reveal what we know," goes the argument. "You'll have to accept our generalizations about the threat being 'substantial,' 'ever-changing,' and 'growing.'" It's an appeal to authority that works with much of the American public, but it is not one to which courts---a co-equal branch of the government---should so easily succumb.



If it sees it as necessary, the TSA should publish its methodology for assessing threats, then create a secret annex to the rulemaking record for court review containing the current state of threat under that methodology, and how the threat environment at the present time compares to threat over a relevant part of the recent past. A document that contains anecdotal evidence of threat is not a threat methodology. Only a way of thinking about threat that can be (and is) methodically applied over time is a methodology.



With this information in hand, a court would not only be ready to assess the TSA's rule under the Administrative Procedure Act's "arbitrary and capricious" standard. It would be ready to assess the reasonableness of the TSA's strip-search machines and procedures under the Fourth Amendment.



Without that information, the D.C. Circuit plugged the strip-search machines into the strangely incoherent "administrative search" exception to the Fourth Amendment. In two pages of analysis (out of the opinion's seventeen), the court found that strip-search machines are administrative "because the primary goal is not to determine whether any passenger has committed a crime but rather to protect the public from a terrorist attack."



Come again?



It seems the court could have taken judicial notice that terrorist attacks are carried out through one or more criminal behaviors. People who have weapons or other dangerous articles at airport checkpoints are subject to arrest and prosecution. Crime control and public protection are one in the same, even in counterterrorism.



The "administrative search" exception to the Fourth Amendment seems to rest on the willingness of a court to abstract away the fact that individuals are prevented from proceeding where they would go (seized) while their persons, papers, and effects are rummaged (searched) for the purpose of discovering violations of the criminal laws. Earlier in the opinion, in fact, the court mocked the idea that the TSA might not "engage in 'law enforcement, correctional, or intelligence activity.'" It surely does. This is not "administrative." It's criminal law enforcement.



Perhaps with a full record---a notice-and-comment rulemaking with a docket full of information and analysis---the D.C. Circuit and other courts will have the opportunity to revisit whether the TSA's strip-search machine policies are constitutionally reasonble, or whether they're unexamined reaction. Last week's "loss" on the Fourth Amendment issue sets the stage for sounder thinking on the strip-search machine policy.



All of this would be obviated, of course, if airline security were restored to private hands.