June 27, 2009

Clear’s Privacy Protection Clear As Mud

A company that collected detailed personal information including biometric data on over a quarter million individuals as part of a registered air traveler program has abruptly gone out of business after being unable to negotiate with its senior creditor to continue operations.

This has left many customers concerned about how the safety and privacy of their personal data will be handled.

Verified Identity Pass Inc. (VIP) announced on Sunday that it was ceasing its Clear service, which was designed to move air travelers through airport security checks more efficiently. The service had been available at 21 major airports, including New York's JFK and La Guardia, Boston's Logan and Atlanta's Hartsfield-Jackson airports.

The sudden shutdown of the Clear program has people asking about who keeps the personal information, how well it's protected from theft and whether it could be sold to the highest bidder.

If Verified files for bankruptcy protection or is taken over by another company, security experts say it is unlikely that the private data would be given to creditors or new owners, but they are beginning to trace the data trail along with some members of Congress.

The fear of unprotected personal information and the danger of identity theft encompass most areas of life in this day and age. Other than travel, it can be compromised from drawing cash out of an ATM, using a credit card at a store or restaurant, or submitting information online.

The parent company of retailers T.J. Maxx and Marshall's announced Tuesday that it will be paying a $9.75 million settlement with a number of states related to massive data theft that revealed tens of millions of payment card numbers.

Clear assured that they will stand by their commitment to protect their customers' information, including fingerprints, iris images, photos, names, addresses, and credit card numbers. Information is secured in accordance with the Transportation Security Administration's Security, Privacy and Compliance Standards.

They also said that all hard disks at the airport have been wiped clean of all data and software.

"The triple wipe process we used automatically and completely overwrites the contents of the entire disk, including the operating system, the data and the file structure. This process also prevents or thoroughly hinders all known techniques of hard disk forensic analysis," they stated on their website.

Spokesman Greg Soule stated Friday that the agency did not retain any data for passengers after July 2008, when Clear began operating as a fully private company. Soule said that the TSA has until July 31 to delete all information it collected during the pilot program.

Soule emphasized that Clear was a private company responsible for destroying its own data.

Security experts are questioning the TSA's methods. Some say the Transportation Security Administration should manage passenger data better and that the data should not be stored for any great length of time.

"This question about whether or not (the TSA is holding on to information from Clear customers) is actually part of a bigger debate," said executive director of the Electronic Privacy Information Center Marc Rotenberg. "This is just one of the long-running battles; they simply keep too much data on too many people for too long,"

He said that if there were to be a security breech of any kind, all private information held by the TSA would leave certain people highly vulnerable.

"I think the customers of Clear should be concerned about this," Rotenberg said. "Fingerprints are one of the most effective ways to (steal someone's) identity."

Clear grew out of the government agency's Registered Traveler program that uses "biometric identifiers." Two similar companies - FLO and Vigilant have similar databases, but are much smaller.

Rotenberg said he is not at all confident that TSA will be deleting all data collected from Clear members, and the longer the data is held, the more open it is for leaks.

TSA's record supplies enough doubt about the security of personal information it holds. In 2007, it lost an external hard drive containing the personal and financial information of 100,000 current and former agency workers. In 2006, the TSA unintentionally exposed the personal information of thousands of Americans' on the Internet when they launched an unsecured Web site aimed at assisting travelers whose names were incorrectly on airline watch lists.

Clear has had problems of its own as well. Just last year, the TSA temporarily halted the program after a laptop containing pre-enrollment records of approximately 33,000 customers was lost at San Francisco International Airport.

On Thursday, the House Committee on Homeland Security sent a letter to TSA Assistant Secretary Gale Rossides noting their concern about the how the data of Clear's members would be handled.

"While we recognize that Clear is not a government program managed by TSA, we are concerned about the protocols Verified Identity Pass will implement in the next few days as Clear winds down," the letter read. "...It appears the TSA allowed the private sector to determine a method of storage and disposal of extremely sensitive personal information. It is our understanding that TSA's directives are silent on the disposal of data in the event of a company's merger, buy out, or bankruptcy."

The letter further expressed that the committee is "concerned about the safety and security of the information currently held by Clear."

Rotenberg said he doesn't think the TSA is adequately equipped for dealing with the removal of such a large amount of private information from Clear customers.

"It's not clear to me that they're really going to destroy it," he said. "The TSA policy does not appear to adequately consider the consumers of Registered Traveler programs if the company ceases operations. I don't think they anticipated this."

Clear intends to notify its members in a final email message when the information is officially deleted.


On the Net: