Wednesday, July 8, 2009

What is happening with Registered Traveler data? It's not "Clear"....

As I blogged a few weeks back, the "Clear" Registered Traveler program abruptly ended because the service provider ceased operations. The announcement at the time raised the questions of what happens to the vast trove of personal information and biometric data that the company collected in order to "clear" frequent fliers who ponied up the $199 annual fee. Those questions have still not been completely answered, and just before the holiday, the Chairman of the House Committee on Homeland Security sent a letter to the Transportation Security Administration asking the same questions........and giving TSA until July 8th to explain how the agency plans to ensure the security of the data.

Chairman Thompson wants TSA to explain what role it will take in ensuring that "adequate privacy protections are in place prior to any disposition of the personally identifiable information." The TSA has posted an FAQ on its website directing questions about Clear back to the vendor.

We have learned a bit more from Verified Identity Pass (VIP), the company that operated the Clear program. VIP has issued a statement regarding the handling of existing data on hardware -- airport kiosks and computers assigned to VIP employees. According to VIP, all such equipment was being cleared using a process known as "triple wiping," which is a reliable method for clearing hard disks of data. Once the information has been wiped, Clear says that it will send members one final email confirming that their information has been deleted from the kiosks and computers.

None of this addresses the issue of the central database. What we do not know -- and will not know until it happens -- is whether the data will be sold. VIP has not filed for protection under the Bankruptcy Code and is presumably trying to sell itself to another Registered Traveler service provider (there are 8 approved by TSA). In the FAQ, the company's response was that "(t)he personally identifiable information that customers provided to Clear may not be used for any purpose other than a Registered Traveler program operated by a Transportation Security Administration authorized service provider." Short answer, if it can find a buyer that is a TSA-authorized RT provider, your data will most certainly be sold. Clear says nothing about informing members that their information will be transferred to another provider in a sale of what is left of the company, or obtaining consent to such a transfer.

All of this illustrates a ticking time bomb in difficult economic times --- what happens to the myriad of personal and financial data that a failing or failed company has collected during the time it was in business?? Databases and customer lists are assets that can be converted to cash to pay creditors. Hardware is often sold for scrap without "triple wiping" or is just transferred to a new buyer.

Good discussion of the Clear program issues at ComputerWorld.