TSA’s Muddy Response to the Clear Shutdown
Earlier today,a friend of mine sent out a Twitter post indicating that Verified Identity Pass, the operator of the soon-to-be defunct Clear “Registered Traveler” program, might be interested in selling the data it possesses about its customers. For those of you unfamiliar with the DHS-sponsored Registered Traveler program, the idea is that in exchange for being fairly seriously vetted, you can speed through the security lines at airports. In this case “serious vetting” doesn’t mean a Scientology-style videotape confession or forfeiting your firstborn child, but it does involve being checked on terror watch lists and sharing a lot of personally identifying information.
The concern that the original story posted on Wired raised, was whether this failed business might seek to profit by selling personal data. Here’s what I know:
- Clear collects enough personal information to make it a gold mine for identity thieves. Verified Identity Pass collects immense amounts of personally identifiable information so that it can determine applicant eligibility, as required by the TSA. The data collected includes scans of the applicant’s irises and fingerprints. Clear also collects the applicant’s social security number and credit card number, which is used for payment, and biographic information for vetting. It makes digital copies of identifying documents like passports or driver licenses. It is allowed by the TSA to retain all of these things in its data centers.
- Verified Identity Pass could sell its customer information to another Registered Travel operator. Verified Identity Pass states, in a letter to customers, that the personal information it has collected could potentially be sold to third-parties. In answer to the question, “will personally identifiable information be sold?” VIP answers, “The personally identifiable information that customers provided to Clear may not be used for any purpose other than a Registered Traveler program operated by a Transportation Security Administration authorized service provider. Any new service provider would need to maintain personally identifiable information in accordance with the Transportation Security Administration’s privacy and security requirements for Registered Traveler programs. If the information is not used for a Registered Traveler program, it will be deleted.”
- TSA deflected concerns about what might happen to Clear's customer information. In its own statement about Clear, TSA answers concerns about disposition of personal information this way: “Questions about how the data is managed should be directed to the vendor. Clear has assured TSA that it is appropriately safeguarding the data. RT service providers were required to use customer data for purposes of the RT program unless customers expressly opted-in to other uses.”
Based on the facts, I’ve concluded that:
- When faced with a cash crunch, companies toss privacy policies aside. No matter how ironclad the seeming promises of privacy, now that it’s in financial trouble Verified Identity Pass thinks it can make a buck on its customers’ personal information. It seems to be treating the highly sensitive information its customers have provided to them as assets to be bought and sold, not as other peoples’ secrets that they are obligated to protect. Clear’s written privacy policy is a model of clarity and economy. It is a shame their customer letter, written under pressure in the rush to shut down, cannot give a simple “yes” or “no” answer about whether they will actually try to sell the stuff. Their evasiveness is shameful.
- The Bush administration’s disregard for citizen privacy will take years to undo. The TSA’s feeble response to the issue of Clear’s customer data laughable. How can the TSA simply “direct questions to the vendor?” The TSA Undersecretary must be high — and not 35,000 feet high, either. Despite all of the fine words in the recent cybersecurity plan (which I blogged about recently) noting the importance of citizen privacy, these are not a substitute for action. Inaction, in this case, speaks louder than words.
- Some things shouldn’t be left to the private sector. When the Aviation and Transportation Security Act was passed, it established the TSA’s authority to take over passenger screening operations at airports. Why? Because the private sector was seen as doing a lousy job, and the function was thought to be so vital to the national interest that it should be run by the government. Why should the Registered Traveler program be any different? The Clear program hasn’t exactly kept its nose clean: nearly a year ago, staff lost an unencrypted laptop containing personal information on 33,000 passengers.
Here's what TSA should do: impound Clear’s customer data immediately, using the authority granted it under ATSA §114(f). It should also release a real response to Clear customers that states in clear language exactly how and when traveler personal information collected by Clear will be destroyed. Finally, it should seek funding for a federally-managed Registered Traveler program, rather than punting to the private sector, if such a program is still deemed desirable. If Congress has no appetite for a federally-run Registered Traveler program, it should be shut down completely.